
Security Best Practices

Overview

Security is our top priority. This guide outlines best practices for securely integrating with the DashX platform and protecting your application and users.

API Key Security

Best Practices

  • Never expose API keys: Keep API keys secure and never expose them in client-side code, version control, or public repositories
  • Never expose Merchant ID: Keep your merchant ID secure and never expose it in client-side code, version control, or public repositories
  • Regular rotation: Rotate API keys periodically to reduce risk
  • Access control: Use different keys per environment and revoke compromised keys immediately
  • Environment variables: Store API keys and merchant ID in secure environment variables

Example Implementation

# .env file (keep it out of version control, e.g. list it in .gitignore)
DASHX_API_KEY=your_api_key_here
DASHX_MERCHANT_ID=your_merchant_id_here

# Server-side code
import os
from dotenv import load_dotenv

load_dotenv()  # loads the .env file into the process environment
api_key = os.getenv('DASHX_API_KEY')
merchant_id = os.getenv('DASHX_MERCHANT_ID')

# Fail fast at startup rather than sending unauthenticated requests later
if not api_key or not merchant_id:
    raise RuntimeError('DASHX_API_KEY and DASHX_MERCHANT_ID must be set')

Webhook Security

Best Practices

  • Verify signatures: Always verify webhook signatures to ensure requests are from DashX
  • Use HTTPS: Only accept webhooks over HTTPS
  • Idempotency: Handle duplicate webhook events gracefully
  • Timeout handling: Respond to webhooks quickly and process asynchronously if needed

Example Implementation

import hmac
import hashlib

def verify_webhook_signature(payload, signature, secret):
    # A missing header can never match; return early instead of raising in compare_digest
    if not signature:
        return False
    # Hash exactly the bytes that were received; accept str for convenience
    if isinstance(payload, str):
        payload = payload.encode('utf-8')
    if isinstance(secret, str):
        secret = secret.encode('utf-8')
    expected_signature = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison leaks no timing information
    return hmac.compare_digest(signature, expected_signature)
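The four webhook practices above (signature verification, HTTPS, idempotency, fast response) belong together in one receiver. The following is an added example, not DashX's own code. It assumes, for illustration only, that the signature arrives in a header named X-DashX-Signature as a hex HMAC-SHA256 over the raw request body and that each JSON event carries a unique id field; take the real header and field names from the DashX webhook documentation. The sample event and secret are constructed.

```python
import hashlib
import hmac
import json
import queue
import threading

# Assumed for this example (not from DashX documentation): header carrying the
# hex HMAC-SHA256 of the raw body, and a unique "id" field in every event.
SIGNATURE_HEADER = "X-DashX-Signature"


def verify_webhook_signature(payload: bytes, signature: str, secret: str) -> bool:
    """Constant-time check of the HMAC-SHA256 hex digest over the raw request body."""
    if not signature:
        return False
    expected = hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature, expected)


class WebhookReceiver:
    """Verifies, de-duplicates and enqueues events; handle() returns an HTTP status code."""

    def __init__(self, secret: str):
        self.secret = secret
        self.seen_ids = set()        # in production: a database table or cache with a TTL
        self.lock = threading.Lock()
        self.work = queue.Queue()    # stands in for a real background job queue

    def handle(self, headers: dict, body: bytes) -> int:
        # 1. Authenticate the exact bytes received before parsing anything.
        if not verify_webhook_signature(body, headers.get(SIGNATURE_HEADER, ""), self.secret):
            return 401
        # 2. Parse only after authentication; malformed JSON is a client error.
        try:
            event = json.loads(body)
            event_id = event["id"]
        except (ValueError, KeyError, TypeError):
            return 400
        # 3. Idempotency: a redelivered event is acknowledged but not processed twice.
        with self.lock:
            if event_id in self.seen_ids:
                return 200
            self.seen_ids.add(event_id)
        # 4. Respond quickly: hand the work to a worker instead of doing it in the request.
        self.work.put(event)
        return 202


def sign(body: bytes, secret: str) -> str:
    """Builds the signature for the constructed sample request (the sender's side)."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


# Constructed sample data, not real DashX traffic
SECRET = "example-webhook-secret"
EVENT = json.dumps({"id": "evt_123", "type": "contact.created"}).encode("utf-8")


def demo() -> dict:
    rx = WebhookReceiver(SECRET)
    good = {SIGNATURE_HEADER: sign(EVENT, SECRET)}
    return {
        "first_delivery": rx.handle(good, EVENT),        # 202: accepted and queued
        "redelivery": rx.handle(good, EVENT),            # 200: duplicate, acknowledged only
        "tampered_body": rx.handle(good, EVENT + b" "),  # 401: signature no longer matches
        "missing_signature": rx.handle({}, EVENT),       # 401: no header at all
        "queued": rx.work.qsize(),                       # 1: only the first delivery was queued
    }


if __name__ == "__main__":
    print(demo())
```

The order of the steps matters: the body is authenticated before it is parsed, so malformed or oversized input from an unauthenticated sender never reaches the JSON parser, and the duplicate check happens before the event is queued, so a retry caused by a slow response cannot enqueue the same work twice.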

Data Security

Best Practices

  • Encrypt sensitive data: Always encrypt sensitive data in transit and at rest
  • Input validation: Validate all user input before processing
  • Error handling: Implement proper error handling without exposing sensitive information
  • Logging: Avoid logging sensitive information and implement proper log rotation
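The error-handling and logging bullets above, together with the API key guidance earlier on this page, come down to one rule: secret values and internal detail stay on the server and never reach a log line or an error response. The following is an added example (not DashX's own code) of a logging filter that masks the API key and merchant ID wherever they appear in a record, plus an error handler that logs the full failure under a correlation id while returning only a generic message to the client. The credentials and the failure are constructed.

```python
import logging
import re
import uuid
from typing import Iterable, List, Tuple


class SecretRedactingFilter(logging.Filter):
    """Masks known secret values (API key, merchant ID, ...) in every log record."""

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        # Longest first, so a secret that is a prefix of another cannot leak part of it
        unique = sorted({s for s in secrets if s}, key=len, reverse=True)
        self._patterns = [re.compile(re.escape(s)) for s in unique]

    def _redact(self, text: str) -> str:
        for pattern in self._patterns:
            text = pattern.sub("[REDACTED]", text)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Redact both the format string and its arguments before any handler sees them
        record.msg = self._redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: self._redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._redact(str(a)) for a in record.args)
        return True  # keep the record, just with secrets masked


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the example can inspect what was written."""

    def __init__(self, sink: List[str]):
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def build_logger(secrets: Iterable[str]) -> Tuple[logging.Logger, List[str]]:
    lines: List[str] = []
    logger = logging.getLogger("dashx-example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _ListHandler(lines)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretRedactingFilter(secrets))
    return logger, lines


def safe_error_response(exc: Exception, logger: logging.Logger) -> dict:
    """Log the detail server-side; give the client only a generic message and a correlation id."""
    error_id = uuid.uuid4().hex
    logger.error("request failed [%s]: %s", error_id, exc)
    return {"error": "internal error", "error_id": error_id}


# Constructed sample credentials (not real), the kind of values that must never reach a log
API_KEY = "sk_example_0123456789abcdef"
MERCHANT_ID = "merchant_example_42"


def demo() -> dict:
    logger, lines = build_logger([API_KEY, MERCHANT_ID])
    # A careless debug line: the filter masks the values before they are written
    logger.info("calling DashX with key %s for merchant %s", API_KEY, MERCHANT_ID)
    # An upstream failure whose message embeds the key: logged redacted, never shown to the client
    response = safe_error_response(RuntimeError(f"401 Unauthorized for key {API_KEY}"), logger)
    return {"log": lines, "response": response}


if __name__ == "__main__":
    print(demo())
```

Attach the filter to the logger at application startup with the values loaded from the environment. If you also log tracebacks (exc_info), run the same redaction over record.exc_text, since exception messages frequently embed the request that failed.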

Network Security

Best Practices

  • Use HTTPS: Always use HTTPS for all API communications
  • IP whitelisting: Consider implementing IP whitelisting for additional security
  • Firewall rules: Configure firewall rules to restrict access to necessary endpoints
  • Keep systems updated: Regularly update systems and dependencies
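An IP whitelist is only as good as the address it is checked against: behind a reverse proxy the TCP peer is the proxy, and the X-Forwarded-For header is client-controlled unless it was appended by a proxy you operate. The following is an added example (not DashX's own code) of an allow-list check that handles that case. The allowed networks and trusted proxy range are constructed placeholders; replace them with the source ranges you actually expect and with your own proxy's address.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed values for this example: documentation ranges, not anyone's real addresses.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]
# Only proxies we run; X-Forwarded-For from any other peer is ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_address(peer_ip: str, forwarded_for: Optional[str]) -> IPAddress:
    """Return the address to authorise.

    The X-Forwarded-For header is believed only when the TCP peer is one of our own
    proxies; otherwise any client could claim an allowed address in the header.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        # The rightmost entry is the one our proxy appended (the address that connected
        # to it); earlier entries were supplied by the client or by upstream proxies.
        return ipaddress.ip_address(forwarded_for.split(",")[-1].strip())
    return peer


def is_allowed(peer_ip: str, forwarded_for: Optional[str] = None) -> bool:
    """True if the effective client address falls inside an allowed network."""
    try:
        addr = client_address(peer_ip, forwarded_for)
    except ValueError:
        return False  # unparsable address: deny rather than guess
    return any(addr in net for net in ALLOWED_NETWORKS)


if __name__ == "__main__":
    for peer, xff in [("203.0.113.10", None), ("10.1.2.3", "203.0.113.10"),
                      ("198.51.100.7", "203.0.113.10")]:
        print(peer, xff, "->", "allow" if is_allowed(peer, xff) else "deny")
```

Apply the check as early as possible in the request pipeline, ideally at the firewall or load balancer, and keep this application-level version as a second layer that also covers HTTPS-terminating proxies the network rules cannot see through.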