API security
For the majority of customers, interacting with the Voyado API is central to their solution, enabling them to create, read, update and delete information in multiple contact's journeys simultaneously. As a Voyado customer, you can freely access your data in real time.
However, this comes with certain risks, since that information could possibly end up in the wrong hands. To mitigate these risks it’s imperative that all users of the Voyado API do their best to handle their traffic in the most secure way possible.
This section will list the basic measures that all API users should implement.
API key in query string
The usage of an API key in the query string of an incoming request is NOT considered safe. Such a request is not strictly a security issue in itself, provided encrypted traffic is used. The problem is that the request, on its way from point A and point B, is most likely logged by the servers handling the traffic. The whole query string will then be visible in those logs, making them a potential security issue. API keys, because of this, should not be used in the query string but only in the header of the request.
Encryption of data
Users of the Voyado API must adhere to common practices regarding encryption of traffic. We adhere to Mozilla’s definition of Intermediate Compatibility which can be found at Mozilla - Security/Server Side TLS. HTTPS should always be used when communicating with the Voyado API to guarantee basic security.
TLS
In the future, Voyado will only support TLS 1.2. The older standards, TLS 1.0 and 1.1, are deemed insecure and are not to be used. Requests using non-supported TLS versions will be denied.
Combining IP filtering with API keys
It is possible to restrict access to the Voyado API for a specific API key using IP-filtering.
This measure, set up by Voyado, limits access to traffic coming from specific IP addresses or ranges of IP addresses, greatly reducing the risk for leakage of data. In the case of an API key becoming compromised, an attacker would then also need access to a device/service communicating through the correct IPs to gain access to the data, providing an extra layer of security. The API key on its own is not enough to provide access.
Recommended ciphers
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384