Security Guidelines
Securing API Calls and Credentials
When using API credentials such as API Keys, Client IDs, and Client Secrets in your applications, ensure they are kept secure. Publicly exposing these credentials can compromise your account and allow unauthorized individuals to perform actions on behalf of your users.
Best Practices to Keep Your API Keys Secure
- Do not embed API credentials directly in your code. Embedded credentials can be accidentally exposed to the public, for example, if you forget to remove them from the code before sharing. Instead, store your API credentials in environment variables or in files outside of your application's source tree.
- Do not store API credentials in files inside your application's source tree. Keeping credentials in source files can lead to them being included in your source code control system. This risk is especially high if you use a public source code management system like GitHub.
- Delete unnecessary API credentials to reduce your risk of exposure to attacks.
- Review your code before making it publicly available to ensure it does not contain API credentials or any other sensitive information.
Data Transport Security
DLL exposes all of its APIs exclusively via HTTPS. To ensure data security, it is expected that your applications transfer all data between end-users and DLL's APIs over TLS/SSL for every connection.
Preventing Mixed Content Risks
When serving content over SSL, ensure that all resources, such as images, JavaScript, and CSS, are also served over HTTPS. Serving any of these resources over plain HTTP can expose your users to man-in-the-middle attacks.
Validating User Input
Always validate data entered by users to protect against SQL Injection and similar attacks, such as XPath or XQuery injection. For more information, see Improper Input Handling on The Web Application Security Consortium's website.
Protecting Against Data Leakage
Ensure that all data retrieved from DLL's APIs is protected from data leakage. For more information, see Information Leakage on The Web Application Security Consortium's website.
Logging Security
When logging data within your application, avoid logging sensitive information in clear text. Sensitive information that must never be recorded in logs as clear text includes:
- API credentials
- User credentials
- User Personally Identifiable Information (SSNs, credit card information, etc.)
- Encryption keys and secrets
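As an added example (not part of these guidelines), a Python logging filter that masks the categories listed above before a record reaches any handler. The field names and patterns it recognizes are assumptions for illustration; extend them to match your own log formats.

```python
import logging
import re

# Secrets written as key=value or key: value (api_key=..., "client_secret": "...", password=...).
_KV_SECRET = re.compile(
    r'(?i)\b(api[_-]?key|client[_-]?secret|client[_-]?id|password|token)'
    r'(["\']?\s*[=:]\s*)(["\']?)([^\s"\'&,;]+)\3'
)
# Bearer/Basic credentials in an HTTP Authorization header.
_AUTH_HEADER = re.compile(r'(?i)(authorization\s*:\s*(?:bearer|basic)\s+)(\S+)')
# US Social Security Number in the usual NNN-NN-NNNN layout.
_SSN = re.compile(r'\b\d{3}-\d{2}-\d{4}\b')
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
_CARD = re.compile(r'\b(?:\d[ -]?){12,18}\d\b')


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary long numbers (order ids) are not masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def _mask_card(match) -> str:
    digits = re.sub(r'\D', '', match.group(0))
    if not _luhn_ok(digits):
        return match.group(0)                         # not a card number; leave untouched
    return '*' * (len(digits) - 4) + digits[-4:]      # keep last four for correlation


def redact(text: str) -> str:
    """Return text with API/user credentials, SSNs and card numbers masked."""
    text = _KV_SECRET.sub(r'\1\2\3[REDACTED]\3', text)
    text = _AUTH_HEADER.sub(r'\1[REDACTED]', text)
    text = _SSN.sub('***-**-****', text)
    return _CARD.sub(_mask_card, text)


class RedactingFilter(logging.Filter):
    """Filter that rewrites the fully formatted message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def safe_format(msg: str, *args) -> str:
    """Format a log message through RedactingFilter and return what would be emitted."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 1, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()
```

Attach the filter with `logging.getLogger().addFilter(RedactingFilter())` so it applies to every record, including those produced by third-party libraries.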
General Application Security
Framework Security Capabilities
When developing applications on a platform, be sure to use your framework's security capabilities (whether enabled by default or added through extensions). Review and follow your framework's security best practices.
Protecting Against Common Security Attacks
Implement measures to protect your applications from common security threats such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Read more about the Top 10 Web Application Security Risks.