Security items that must be considered for all projects developed on our Platform.
a) Trigger/API Key
When you use the HTTP, API REST and HTTP File triggers, services are exposed on the Internet. By native configuration of the Digibee Platform (this is not optional), these triggers can be used, published and accessed only with an API Key.
API Keys are access credentials used to call pipelines that use the triggers mentioned above. This is the minimum security guarantee required. We recommend not only using the API Key whenever possible, but also reinforcing security with JWT (JSON Web Token).
To generate a key (API Key) in our Platform, access "Configurations > API Keys", choose your environment and then click on CREATE.
RECOMMENDATION: generate a different API Key for each system that consumes your API, restricting access to the allowed pipelines only. The key must be sent in a request header named "apikey", with the key as its value. Also send the Content-Type expected by the pipeline (e.g. application/json).
IMPORTANT: we don't recommend using pipelines without an API Key. Keeping an endpoint open weakens security and can leave your environment vulnerable to attacks and data leaks. By default, our Platform doesn't allow the publication of pipelines that use the HTTP, API REST and HTTP File triggers without an API Key. Clients willing to take the risk must send a request via Intercom using the model below:
I request the inclusion of the pipeline(s) described below in the whitelist so that they do not use an API Key.
Name of the pipeline(s) that must be included in the whitelist inside the Realm:
b) Credentials storage
Always store the authentication credentials of the services you access in the password safe of our Platform (accounts). You're responsible for creating the account.
At least one of the headers used for authentication must use the account.
c) Sensitive fields
Define sensitive fields in the pipeline configuration so that this information is concealed in messages and logs.
d) HTTPS Protocol
ALWAYS use the HTTPS protocol to call the services accessed via pipeline; HTTP calls to pipelines are allowed over VPN only.
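The following is an added example (not Digibee's own code) of a consuming system applying the API Key recommendation from section a) and the HTTPS rule above when it calls a pipeline. The endpoint URL, the PIPELINE_APIKEY_<CONSUMER> environment variable naming and the function names are assumptions made for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Hypothetical endpoint and environment-variable naming, for illustration only.
PIPELINE_URL = "https://pipelines.example.invalid/orders"


def load_api_key(consumer: str, env=os.environ) -> str:
    """Fetch the key issued to one consuming system (one key per consumer)."""
    key = env.get(f"PIPELINE_APIKEY_{consumer.upper()}", "")
    # Reject empty keys, whitespace and control characters (header injection).
    if not key or any(ord(c) < 0x21 or ord(c) == 0x7F for c in key):
        raise ValueError(f"missing or malformed API key for {consumer!r}")
    return key


def build_pipeline_request(url, api_key, payload, over_vpn=False):
    """Build (not send) a POST to a pipeline trigger."""
    parts = urlsplit(url)
    if parts.scheme == "http" and not over_vpn:
        raise ValueError("plain HTTP is only acceptable over the VPN")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    if parts.username or parts.password or "apikey" in parts.query.lower():
        # Keys placed in URLs end up in proxy and access logs; use the header.
        raise ValueError("credentials must not appear in the URL")
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"apikey": api_key, "Content-Type": "application/json"},
    )


if __name__ == "__main__":
    # Constructed sample environment; a real key would come from a secret store.
    constructed_env = {"PIPELINE_APIKEY_BILLING": "constructed-key-123"}
    req = build_pipeline_request(
        PIPELINE_URL, load_api_key("billing", constructed_env), {"id": 1}
    )
    print(req.get_method(), req.full_url, sorted(req.headers))
```

The request is only built, not sent, so the checks can be exercised offline; pass the returned object to urllib.request.urlopen to perform the call.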
e) Object Store
All data is stored with maximum security in our Platform. Still, we recommend that sensitive data stored in Object Store be encrypted. For that, use our cryptography connectors.
Object Store is an auxiliary database for integration.
Data inserted in the integration flow must not grow endlessly. Old data must be erased, and exceptions are evaluated separately.
If it becomes necessary to use it, inform our team so we can find alternatives and work on the Platform development.
After connecting to any service (API/Database/Storage), validate that the response meets expectations before moving on with the normal integration flow. In case of errors, make sure that the triggered event generates some type of alert.
Define reprocessing rules for the generated errors.
Define notification rules for the generated errors (tickets in ITSM tools, email dispatch, log recording, etc.).
We're working on an Integration Patterns document for you to have more details about how to build flows to solve errors.