Our recommended tips to keep on top of security when it comes to your API integration with us. Online security is our top concern, and it should be yours too.
We don't tend to leave our passwords visible for others to see. The same principles should be applied to API credentials.
Here are our top tips for keeping your API integration as secure as possible.
- Never, ever share your API credentials with anyone. Ding will never ask you for your API credentials. They are encrypted in our platform; once you create them, you can copy them to the clipboard and store them securely.
Once API credentials are created within your account, you have the option to copy them to a safe and secure destination. Thereafter, the credentials are never accessible from within the portal or from within Ding's platform.
- Secure your API credentials. Don't include them directly in source code (especially JavaScript) or email them to anyone. Ensure your system uses a secure mechanism for retrieving them that limits access to a select few, e.g. a secrets manager or vault.
- Regularly rotate your API credentials. Just like passwords, you should rotate your API keys or OAuth credentials regularly. We recommend doing this every 6 months to reduce the risk of a credential being compromised.
- Always delete old API credentials. Once you rotate your credentials, remove the old ones so they can never be used.
- Whitelist your API credentials. Add extra security so that transactions submitted with a particular set of API credentials are only processed when they originate from the IP addresses or domains you define.
- External security review. It's good practice to get a third-party review of your security, which can include penetration testing of your website or apps.
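As an added example (not Ding's code or API), here is how the "secure your credentials" and "rotate regularly" tips above can be put into practice in Python: credentials are read from the environment (standing in for whatever a secrets manager or vault injects), a helper flags credentials older than the recommended 6 months, and a scanner over your own source catches a key pasted into JavaScript or Python before it reaches version control. The environment variable names are assumptions, not names Ding defines.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Variable names are an assumption: they stand in for whatever your secrets
# manager or vault injects at runtime, not for names Ding defines.
CLIENT_ID_VAR = "DING_API_CLIENT_ID"
CLIENT_SECRET_VAR = "DING_API_CLIENT_SECRET"

# The recommended rotation interval: every 6 months (taken here as 182 days).
ROTATION_INTERVAL = timedelta(days=182)

# A string literal assigned to a credential-looking name, e.g. `api_key = "..."`
# in Python or `apiSecret: '...'` in a JavaScript object; 8+ chars skips stubs.
_HARDCODED = re.compile(
    r"""(?i)\b(\w*(?:api[_-]?key|secret|token|password)\w*)\s*[:=]\s*["']([^"']{8,})["']"""
)


def load_api_credentials(env=None):
    """Read (client_id, client_secret) from the environment, never from code.

    Fails loudly when a value is absent rather than falling back to a default.
    `env` is a mapping (os.environ by default) so tests can pass their own.
    """
    env = os.environ if env is None else env
    missing = [v for v in (CLIENT_ID_VAR, CLIENT_SECRET_VAR) if not env.get(v)]
    if missing:
        raise RuntimeError("missing API credentials: " + ", ".join(missing))
    return env[CLIENT_ID_VAR], env[CLIENT_SECRET_VAR]


def credential_needs_rotation(created_at, now=None):
    """True once a credential created at `created_at` is 6 months old or older."""
    now = now or datetime.now(timezone.utc)
    return now - created_at >= ROTATION_INTERVAL


def find_hardcoded_credentials(source_text):
    """Return (line_number, variable_name) for each literal credential in source.

    Run it over your own repository (pre-commit hook or CI) so a key pasted into
    JavaScript or Python never reaches version control.
    """
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        match = _HARDCODED.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits
```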