Advanced Security Settings
A guide on configuring advanced security settings
When are these settings needed?
Advanced security settings are generally implemented to protect API services from malicious attacks or misuse. They may be required in the following cases:
1. Request Method Whitelist:
This feature is recommended when you want to allow only requests made with trusted HTTP methods to use your API Key. Request method whitelisting can help prevent unauthorized access and malicious attacks.
2. User Agent Whitelist:
This feature is recommended when you would like to restrict your API Key access to only a specific set of trusted User Agents. User Agent whitelisting can help safeguard your API Key against unauthorized access and malicious attacks.
3. Origin Header Whitelist:
This feature is recommended when you want to grant your API Key access only to requests that carry particular Origin headers. Origin header whitelisting can effectively prevent cross-site request forgery (CSRF).
4. JWT:
This mechanism authenticates users so that only authenticated users can use your API Key.
In summary, configuring advanced security settings is essential to protect your API Key from malicious attacks or misuse. However, advanced settings may increase the complexity of the API service, making it harder to manage. Therefore, it is crucial to evaluate different situations carefully and proceed with caution.
Request Method Whitelist
When this feature is configured, only API requests using whitelisted methods will be accepted. This feature helps secure the system against malicious attacks and unauthorized access.
Origin Header Whitelist
The Origin header is an HTTP request header that specifies the origin of a request.
In cross-origin resource sharing (CORS), Origin can be used to determine whether a request is allowed.
When the Origin header is used for CORS, it is recommended that other security mechanisms, such as CSRF tokens and CORS preflight requests, also be implemented to prevent malicious attacks and enhance system security.
User Agent Whitelist
A request is accepted if its User-Agent header matches any of the strings on the list.
JWT
JSON Web Tokens (JWT) are used for authentication and authorization.
JWT authentication enhances the security and scalability of the system by preventing specific attacks.
To use this feature, you must configure the JWT options correctly, including the private key, algorithm, and expiration time. Incorrect configuration may result in security vulnerabilities in the system.
The value of the "alg" field in the JWT header is RS256 and the value of the "typ" field is JWT. In the payload, the value of the "aud" field is tronscan.org, and the "kid" field in the header is the "kid" generated for the JWT public key.