Skip to main content

Voyado Engage

API security

For the majority of customers, interacting with the Voyado API is central to their solution, enabling them to create, read, update and delete information in multiple contact's journeys simultaneously. As a Voyado customer, you can freely access your data in real time.

However, this comes with certain risks, since that information could possibly end up in the wrong hands. To mitigate these risks it’s imperative that all users of the Voyado API do their best to handle their traffic in the most secure way possible.

This section will list the basic measures that all API users should implement.

API key in query string

The usage of an API key in the query string of an incoming request is NOT considered safe. Such a request is not strictly a security issue in itself, provided encrypted traffic is used. The problem is that the request, on its way from point A and point B, is most likely logged by the servers handling the traffic. The whole query string will then be visible in those logs, making them a potential security issue. API keys, because of this, should not be used in the query string but only in the header of the request.

Encryption of data

Users of the Voyado API must adhere to common practices regarding encryption of traffic. We adhere to Mozilla’s definition of Intermediate Compatibility which can be found at Mozilla - Security/Server Side TLS. HTTPS should always be used when communicating with the Voyado API to guarantee basic security.

TLS

In the future, Voyado will only support TLS 1.2. The older standards, TLS 1.0 and 1.1, are deemed insecure and are not to be used. Requests using non-supported TLS versions will be denied.

Combining IP filtering with API keys

It is possible to restrict access to the Voyado API for a specific API key using IP-filtering.

Recommended ciphers

This measure, set up by Voyado, limits access to traffic coming from specific IP addresses or ranges of IP addresses, greatly reducing the risk for leakage of data. In the case of an API key becoming compromised, an attacker would then also need access to a device/service communicating through the correct IPs to gain access to the data, providing an extra layer of security. The API key on its own is not enough to provide access.

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384