API security

The usage of an API key in the query string of an incoming request is NOT considered safe. Such a request is not strictly a security issue in itself, provided encrypted traffic is used. The problem is that the request, on its way from point A and point B, is most likely logged by the servers handling the traffic. The whole query string will then be visible in those logs, making them a potential security issue. API keys, because of this, should not be used in the query string but only in the header of the request.

Users of the Voyado API must adhere to common practices regarding encryption of traffic. We adhere to Mozilla’s definition of Intermediate Compatibility which can be found at Mozilla - Security/Server Side TLS. HTTPS should always be used when communicating with the Voyado API to guarantee basic security.

In the future, Voyado will only support TLS 1.2. The older standards, TLS 1.0 and 1.1, are deemed insecure and are not to be used. Requests using non-supported TLS versions will be denied.

It is possible to restrict access to the Voyado API for a specific API key using IP-filtering.

This measure, set up by Voyado, limits access to traffic coming from specific IP addresses or ranges of IP addresses, greatly reducing the risk for leakage of data. In the case of an API key becoming compromised, an attacker would then also need access to a device/service communicating through the correct IPs to gain access to the data, providing an extra layer of security. The API key on its own is not enough to provide access.