Security

The following topics describe the security features of Streams and how to use them.

TLS encryption

Streams uses Transport Layer Security (TLS) to encrypt messages exchanged over the Internet. TLS protects client messages in transit to and from Streams, so that an intercepted message cannot be read by an unauthorized party. TLS protects the connection only; it does not by itself identify the caller, which is what the application token and request signature described below are for.

Application token

Streams issues every user's application a unique token that authenticates it on the platform. Streams uses the token to tie each request to a specific account in order to monitor traffic, enforce quotas, handle billing and manage access control.

You must provide the application token with every subscription request made to Streams.

If you believe that your token has been compromised (for example, if you notice unexpected activity in your console traffic reports), renew it as described below, then update every client that embeds the old value.

Acquiring and renewing application tokens

To view or renew your application token, log in to the web portal, select your application and go to Settings > Security, where the token is listed and can be changed.

Using application token

To provide your application token when connecting to Streams, refer to the JavaScript SDK and the sample applications. If you prefer not to use the JS SDK, pass the token in the X-Sd-Token query parameter. Because a query parameter is part of the URL, it can end up in browser history and in proxy and server logs; treat any log that records subscription URLs as sensitive.

Example

$ curl "https://streamdata.motwin.net/https://stockmarket.streamdata.io/prices?X-Sd-Token=[YOUR_APP_TOKEN]"

Request signature

For an additional level of security you can activate Request Signature. It is activated per app by enabling the option under Settings > Security on the web portal. When Streams receives a signed request, it uses the app's private key to compute its own signature over the message it received and compares the result with the signature presented by the requester. If the two match, the request is accepted; if they do not, the request is dropped and Streams responds with an error message. Because Streams computes the signature with the same key the client used, that key is a shared secret: anyone who obtains it can produce valid signatures for the app.

If you activate this option, every request coming to Streams for that app must be signed. Each client application needs the private key to sign its requests, so store it with appropriate care: keep it out of source control, and remember that a key embedded in JavaScript served to browsers can be extracted by anyone who loads the page. To simplify signing on the client side, you can use the Auth JavaScript library.

Secured target API

If the target API is secured, Streams supports authentication based on query parameters or HTTP headers. When the client provides either in its subscription request, Streams forwards it to the target API.

Query parameters

With the query parameters method, you add the authentication parameters the target API expects to the target URL:

https://api.yourdomain.com/{endpoint}?QueryParameter=Authentication

HTTP headers

With the HTTP headers method, you send the authentication headers the target API expects along with your subscription request:

Auth-Header: Bearer <a bearer token>
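An added example, not part of the Streams SDK, that builds a subscription request the way the "Using application token" and "Secured target API" sections describe: the target URL is appended to the proxy base, the app token goes in the X-Sd-Token query parameter, and credentials for the secured target API travel either as query parameters or as request headers. The proxy base and the X-Sd-Token name come from this page; the token values, the hypothetical apiKey parameter and the redaction helper are this example's own assumptions.

```javascript
// Added example, not Streams' own code.
const STREAMS_PROXY = 'https://streamdata.motwin.net/';

// Returns { url, headers } ready to hand to an SSE client.
// auth.query: parameters the target API expects in its URL (forwarded as-is).
// auth.headers: headers the target API expects (forwarded as request headers).
function buildSubscription(targetUrl, appToken, auth = {}) {
  if (!appToken) {
    throw new Error('an application token is required for every subscription');
  }
  // The proxy URL is the proxy base followed by the full target URL, as in the
  // curl example above; the URL parser keeps "https://host/..." inside the path.
  const url = new URL(STREAMS_PROXY + targetUrl);
  for (const [name, value] of Object.entries(auth.query || {})) {
    url.searchParams.set(name, value);
  }
  // searchParams chooses "?" or "&" correctly whether or not the target URL
  // already carried a query string, a common source of broken subscriptions.
  url.searchParams.set('X-Sd-Token', appToken);
  // Header credentials stay out of the URL, so they do not land in URL logs.
  const headers = { ...(auth.headers || {}) };
  return { url: url.href, headers };
}

// Query parameters end up in logs; redact secrets before logging a subscription URL.
function redactUrl(href, secretParams = ['X-Sd-Token']) {
  const url = new URL(href);
  for (const name of secretParams) {
    if (url.searchParams.has(name)) url.searchParams.set(name, 'REDACTED');
  }
  return url.href;
}

// Constructed values for demonstration (hypothetical token and API key).
const plainSub = buildSubscription(
  'https://stockmarket.streamdata.io/prices', 'APP_TOKEN_123');
const queryAuthSub = buildSubscription(
  'https://api.yourdomain.com/prices?symbol=ACME', 'APP_TOKEN_123',
  { query: { apiKey: 'TARGET_KEY' } });
const headerAuthSub = buildSubscription(
  'https://api.yourdomain.com/prices', 'APP_TOKEN_123',
  { headers: { 'Auth-Header': 'Bearer TARGET_BEARER' } });
```

In a browser, `plainSub.url` can be passed straight to `EventSource`. `EventSource` has no way to set request headers, so a subscription that carries header-based credentials (`headerAuthSub.headers`) needs the JS SDK or a fetch-based stream reader that sends them.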

If you cannot or do not want to share the credentials required to authenticate against the target API, you can have the Streams proxy inject them. See Query params and headers Injection for more details.

In this case the application token is the only thing that gates access to the target API's data, so make sure that:

  • Every subscriber in possession of the app token is entitled to all the data the secured API provides.
  • The target API does not respond with sensitive data that a malicious subscriber could use to look for and exploit a vulnerability.


Related Links