Step 3: Best Practices & FAQs

Quick reference information to answer common questions.

Best practices

Don’t hard code credentials.

Never allow credentials to be stored directly within your application code. While it can be convenient to test application code with hard-coded credentials during development, this significantly increases risk and should be avoided.

Don’t use unvalidated forwards or redirects.

An unvalidated forward can allow an attacker to access private content without authentication. Unvalidated redirects allow an attacker to lure victims into visiting malicious sites.

Implement an idle session timeout.

When a user is not active, the application should automatically log the user out. Be aware that Ajax applications may make recurring calls to the application, effectively resetting the timeout counter automatically.

Invalidate the session after logout.

When the user logs out of the application session, corresponding data on the server must be destroyed. This ensures that the session cannot be accidentally revived.
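A minimal session store illustrating both rules above, idle expiry that is not refreshed by background Ajax polling and server-side destruction on logout. This is an added example written for this page, not code from the original; the 15-minute timeout, the background request paths and the in-memory store are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed value; set according to your risk assessment

# Request paths issued automatically by client-side scripts (polling, keep-alive).
# These are served but must NOT count as user activity. Constructed list.
BACKGROUND_PATHS = {"/api/notifications/poll", "/api/heartbeat"}


class SessionStore:
    """In-memory session store: creates, refreshes and invalidates sessions."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session id -> {"user": ..., "last_activity": ...}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"user": user, "last_activity": self._clock()}
        return sid

    def resolve(self, sid, path):
        """Return the user for a request, or None if the session is invalid.

        Expires the session when it has been idle longer than IDLE_TIMEOUT_SECONDS.
        Only user-initiated requests refresh the idle timer; background polling
        paths are answered but do not keep the session alive.
        """
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_activity"] > IDLE_TIMEOUT_SECONDS:
            self.invalidate(sid)  # destroy the server-side record, not just the cookie
            return None
        if path not in BACKGROUND_PATHS:
            entry["last_activity"] = now
        return entry["user"]

    def invalidate(self, sid):
        """Logout: remove the server-side data so the id cannot be revived."""
        self._sessions.pop(sid, None)

    def is_active(self, sid):
        return sid in self._sessions
```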

Store user passwords using a strong, iterative, salted hash.

User passwords must be stored using secure hashing techniques with strong, purpose-built algorithms such as PBKDF2 or bcrypt. A general-purpose digest such as SHA-512 is neither iterative nor salted on its own and should only be used inside such a construction (for example as the underlying hash of PBKDF2), never as a single unsalted digest of the password.

Limit the use and storage of sensitive data.

Conduct an evaluation to ensure that sensitive data is not being unnecessarily transported or stored. Where possible, use tokenization to reduce data exposure risks.

Frequently asked questions

What are my responsibilities as a Partner?

Providing the following will help accelerate the on-boarding process.

  • Architecture overview showing how APIs will be consumed in your environment
  • Data flows ensuring PII data is handled securely
  • Completed Security Questionnaire

For more information, please read Step 2: Engagement Process.

Where do I get access credentials and information on your API environments?

To request these details, please contact us after you have completed the steps listed in our Engagement Process.

What information will you be providing me once I have completed the steps outlined in your Engagement Process?

Once you have completed the requested information in our Engagement Process, you will be provided with:

  • Client ID and secret keys for accessing the APIs
  • IP white-listing and SSL certification
  • Sample data (e.g., Collector numbers, sample offers, and location data) for testing and development
  • Access to our certification environment for testing and development
  • Scheduled load testing and other necessary stress tests