Security

SalureConnect's agent is a web server without a front-end. This means that browser-side security issues such as CORS, XSS and CSRF do not apply. The main security concerns are authentication, encryption and rate limiting.

Authentication

A request to the agent must carry two headers:
  1. A 'salure-customer' header that contains the name of the customer;
  2. An 'Authorization' header that contains a token with the correct rights.
This token is created within SalureConnect (the main application to which this agent is connected) by the customer. When a token is removed from SalureConnect, the agent can no longer be accessed with this token. The token is encrypted using the AES 256 CBC method. Schematically, all requests look like this:


  1. Request to a specific agent endpoint;
  2. The agent sends the provided authentication data to SalureConnect, which checks whether the token/customer combination is valid;
  3. SalureConnect returns a status_code to the agent. If the authentication data are correct, this is a 200 status_code. If the data are incorrect, SalureConnect returns a 403, which is forwarded directly to the client making the request;
  4. The agent executes a request to the client's servers. This request depends on the endpoint used; see chapter 2 for a description;
  5. The customer's application returns the status_code and any message to the agent;
  6. The agent sends this response directly to the client making the request.
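The flow in steps 1 to 6, written out as an added example that is not SalureConnect's own code. The SalureConnect token check and the call to the customer's systems are injected callables (in the real agent both are HTTP calls; that is an assumption here), so the whole exchange, including what happens after a token is deleted in SalureConnect, can be exercised offline:

```python
# Added example (not SalureConnect's own code): the two-header check and the
# SalureConnect round-trip described above, modelled as plain functions so the
# flow can be exercised offline. The SalureConnect verification call and the
# customer-system call are injected callables (assumption: real ones are HTTP).
from typing import Callable, Mapping, Optional, Set, Tuple

CUSTOMER_HEADER = "salure-customer"
AUTH_HEADER = "authorization"

Credentials = Tuple[str, str]
Response = Tuple[int, str]


def extract_credentials(headers: Mapping[str, str]) -> Optional[Credentials]:
    """Return (customer, token) from the two required headers.

    Header names are matched case-insensitively; an absent or empty header
    yields None so the caller can refuse the request before any upstream call.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    customer = lowered.get(CUSTOMER_HEADER)
    token = lowered.get(AUTH_HEADER)
    if not customer or not token:
        return None
    return customer, token


def make_fake_salureconnect(valid_pairs: Set[Credentials]) -> Callable[[str, str], int]:
    """Constructed stand-in for SalureConnect's token check.

    It answers 200 for a known (customer, token) pair and 403 otherwise. Because
    the agent asks SalureConnect on every request, removing a pair from the set
    (i.e. deleting the token in SalureConnect) locks the agent out immediately.
    """
    def verify(customer: str, token: str) -> int:
        return 200 if (customer, token) in valid_pairs else 403
    return verify


def handle_request(
    headers: Mapping[str, str],
    verify_with_salureconnect: Callable[[str, str], int],
    call_customer_system: Callable[[], Response],
) -> Response:
    """Steps 1-6 above: authenticate first, then relay the customer-system reply.

    Assumption: a request missing either header is refused locally with 403
    without contacting SalureConnect; the page only specifies the 403 that
    SalureConnect itself returns for an invalid token/customer combination.
    """
    credentials = extract_credentials(headers)
    if credentials is None:
        return 403, "missing salure-customer or Authorization header"
    status = verify_with_salureconnect(*credentials)
    if status != 200:
        # Step 3: SalureConnect's rejection is forwarded unchanged to the caller;
        # the customer's own systems are never contacted for a rejected request.
        return status, "authentication rejected by SalureConnect"
    # Steps 4-6: only an authenticated request reaches the customer's servers,
    # and whatever they answer is passed straight back.
    return call_customer_system()


if __name__ == "__main__":
    tokens = {("acme", "tok-123")}          # constructed sample data
    verify = make_fake_salureconnect(tokens)

    def backend() -> Response:              # stand-in for the customer's application
        return 200, "payroll export accepted"

    print(handle_request({"Salure-Customer": "acme", "Authorization": "tok-123"}, verify, backend))
    print(handle_request({"Salure-Customer": "acme", "Authorization": "wrong"}, verify, backend))
    tokens.discard(("acme", "tok-123"))    # token deleted in SalureConnect
    print(handle_request({"Salure-Customer": "acme", "Authorization": "tok-123"}, verify, backend))
```

The point the example makes is that the agent keeps no token store of its own: every request is answered by SalureConnect, so revoking a token there takes effect on the very next request, and a rejected request never reaches the customer's servers.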

Encryption

SalureConnect's agent is a web server without internal SSL encryption. This needs to be arranged in a client's web server such as Nginx, IIS, etc. In this web server, a permanent redirect from HTTP to HTTPS must be configured and the SSL certificate must also be installed.
Since the customer registers a DNS record for this agent and the agent runs on the customer's servers, the SSL certificate itself must be requested and installed by the customer.
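A check for the redirect requirement above, added here as an example rather than taken from SalureConnect. It verifies that a plain-HTTP request to the agent's hostname receives a permanent redirect to the HTTPS form of the same host and path; the decision is a pure function so it can be tested on constructed responses, and probe() is a small wrapper that performs the real request. The hostname agent.example.com is a placeholder:

```python
# Added example (not SalureConnect's own code): checks that the customer's web
# server in front of the agent does what the section requires, a permanent
# redirect from HTTP to the HTTPS form of the same host and path. The decision
# logic is a pure function so it can be tested on constructed responses; probe()
# is a convenience wrapper that performs the real HTTP request.
import http.client
from typing import Mapping, Tuple
from urllib.parse import urlsplit

PERMANENT_REDIRECTS = (301, 308)


def is_permanent_https_redirect(request_url: str, status: int, headers: Mapping[str, str]) -> bool:
    """True if (status, headers) is a permanent redirect of request_url to its HTTPS twin."""
    if status not in PERMANENT_REDIRECTS:
        return False
    location = next((value for name, value in headers.items() if name.lower() == "location"), None)
    if not location:
        return False
    requested = urlsplit(request_url)
    target = urlsplit(location)
    return (
        target.scheme == "https"
        and target.hostname == requested.hostname          # must not bounce to another host
        and (target.path or "/") == (requested.path or "/")  # same resource, e.g. https://$host$request_uri
        and target.query == requested.query
    )


def probe(request_url: str, timeout: float = 5.0) -> Tuple[int, Mapping[str, str]]:
    """Fetch request_url over plain HTTP without following redirects; returns (status, headers)."""
    parts = urlsplit(request_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", target)
        response = conn.getresponse()
        return response.status, dict(response.getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    url = "http://agent.example.com/health"   # placeholder hostname, replace with the agent's DNS name
    status, headers = probe(url)
    if is_permanent_https_redirect(url, status, headers):
        print("ok: HTTP is permanently redirected to HTTPS")
    else:
        print(f"not redirected correctly: {status} {headers}")
```

A temporary redirect (302/307) or a redirect to a different host is reported as a failure on purpose: the page asks for a permanent redirect, and a redirect that leaves the agent's hostname would send the caller's headers, including the token, somewhere else.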

Rate Limiting

To prevent the agent from being abused for DDoS attacks on the client's servers, and to prevent brute-force attacks on tokens, a rate limiter has been set in the agent. It allows a maximum of 5 requests per second with a maximum of 120 per minute. These limits are set for the maximum expected use of the API.
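A limiter enforcing both ceilings, 5 per second and 120 per minute, as an added example that is not the agent's own implementation. Two sliding windows are kept over the same list of accepted timestamps, and the clock is injectable so the behaviour can be checked without waiting; the 429 mapping in status_for() is an assumption, since the page does not say which status the agent returns when a request is refused:

```python
# Added example (not SalureConnect's own code): a sliding-window limiter that
# enforces both ceilings stated above, 5 requests per second and 120 per minute.
# The clock is injectable so the behaviour can be checked without sleeping.
import time
from collections import deque
from typing import Callable, Deque

PER_SECOND = 5
PER_MINUTE = 120


class DualWindowRateLimiter:
    """Allows a request only if both the 1-second and 60-second windows have room."""

    def __init__(
        self,
        per_second: int = PER_SECOND,
        per_minute: int = PER_MINUTE,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self.per_second = per_second
        self.per_minute = per_minute
        self.clock = clock
        self._accepted: Deque[float] = deque()   # timestamps of accepted requests, oldest first

    def allow(self) -> bool:
        now = self.clock()
        # Forget accepted requests that have left the 60-second window.
        while self._accepted and now - self._accepted[0] >= 60.0:
            self._accepted.popleft()
        if len(self._accepted) >= self.per_minute:
            return False
        # Count accepted requests in the last second, walking back from the newest.
        in_last_second = 0
        for stamp in reversed(self._accepted):
            if now - stamp >= 1.0:
                break
            in_last_second += 1
        if in_last_second >= self.per_second:
            return False
        self._accepted.append(now)
        return True


def status_for(limiter: DualWindowRateLimiter) -> int:
    """Map the decision to an HTTP status; 429 is an assumption, the page does not name the code."""
    return 200 if limiter.allow() else 429


class FakeClock:
    """Constructed clock for tests and the demo: time only moves when we say so."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    limiter = DualWindowRateLimiter(clock=clock)
    print([limiter.allow() for _ in range(6)])   # five accepted, the sixth refused
    clock.now = 1.0
    print(limiter.allow())                       # the 1-second window has moved on
```

Refused requests are not recorded, so a client that keeps hammering the agent does not extend its own lock-out; only accepted requests count against the windows. The example keeps a single set of windows, as the text describes; keying one limiter per 'salure-customer' value would be a natural refinement, but the page does not say the agent does that.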
