Usage Best Practices

Overview

This document outlines recommended security and implementation practices for using the loyalty API across server and web environments.

Server-to-Server Integration

Authentication and Authorization

  • Use API keys to authenticate server communications.
  • Store keys securely and never expose them in logs or version-controlled code.

Data Encryption

  • Use HTTPS with TLS 1.2 or TLS 1.3 to encrypt all data in transit.

Logging and Monitoring

  • Maintain detailed logs of all API activity.
  • Retain logs for 30 days, then securely delete them.
  • Monitor usage patterns for anomalies and security threats.

Web-to-Server Integration

Authentication and Authorization

  • Require API keys for all communication from web applications to backend servers.
  • Never embed keys in frontend code or expose them to the browser.

Data Encryption

  • Use HTTPS with TLS 1.2 or TLS 1.3 for all browser-to-server communication.

Input Validation

  • Validate inputs on both client and server sides.
  • Use CSRF protection mechanisms.
  • Reject malformed or suspicious characters.

Security Headers

Implement the following headers to strengthen browser-side security:

  • Content-Security-Policy
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection
  • Strict-Transport-Security (HSTS)

Network Security

  • Host web applications behind a secure firewall or gateway.
  • Use load balancers to manage incoming traffic.
  • Block unused ports and enforce access rules with firewalls.

Logging and Monitoring

  • Retain access and error logs for 30 days, then delete securely.
  • Monitor real-time traffic and block suspicious patterns.
  • Avoid exposing sensitive data in error logs or client responses.

Web Application Firewall (WAF)

  • Use a WAF to detect and prevent common web attacks such as SQL injection and XSS.
  • Regularly update WAF rules to reflect current threats.
  • Use throttling and rate limits to mitigate abuse.

CAPTCHA

  • Use CAPTCHA on forms to prevent bot abuse and automated attacks.

User Agent Identification

  • Set a custom User-Agent to help identify and trace client applications.

Handling Sensitive Data

  • Do not expose sensitive information in HTML or client-side JavaScript.
  • Avoid including credentials or API keys in browser-accessible code.
  • Do not store tokens or credentials in local storage or cookies.

JavaScript Security Best Practices

  • Avoid inline scripts.
  • Load scripts from trusted sources.
  • Use Subresource Integrity (the integrity attribute) together with the crossorigin attribute when referencing external scripts.