# Security Checklist

We highly recommend the following best practices to ensure secure configurations.

#### Reveal on the response side <a href="#reveal-on-the-response-side" id="reveal-on-the-response-side"></a>

Configure the reveal to happen on the response side, so that VGS substitutes the real value for its alias only in the response on its way back to the client, and your backend never handles the raw value itself. This keeps the backend interface out of PCI scope, because it only ever sees the alias, and it postpones handling of the sensitive data until the last moment, so the revealed value exists outside the vault for the shortest possible time.

#### mTLS <a href="#mtls" id="mtls"></a>

If an attacker takes over the DNS name of your backend (a dangling record that still points at a decommissioned host, for example), VGS would resolve that name to a host the attacker controls and send its traffic there instead of to your backend. The attacker's host is not bound by your backend's authentication and authorization checks, so it can return whatever aliases it likes and have them revealed, and the secrets behind those aliases could be exfiltrated this way. We therefore highly recommend pinning the identity of the host VGS communicates with, not just its name.

To mitigate this, VGS recommends using our mTLS functionality, so that VGS servers communicate only with your backend infrastructure, authenticated by certificate rather than by DNS name alone. Here is our [recommended setup process](/vault/http-proxy/mutual-tls-certificates.md).

#### Backend Authentication <a href="#backend-authentication" id="backend-authentication"></a>

Very Good Security does not interact with your authentication mechanism and therefore cannot decide whether a given inbound-proxy request is entitled to have an alias revealed. That decision belongs to your backend, which should let a reveal request through only if:

* The authentication presented with the request is valid and has not expired.

***AND***

* The account that the authentication resolves to owns the alias (token) being requested.

Design for the compromise of any single authentication credential: enforcing both checks means a stolen credential can at most reveal the aliases of the account it belongs to, never an arbitrary alias. Additional guidelines are provided in the OWASP [Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html).
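The two conditions above, as an added example in Node.js that is not VGS's own code: a backend handler decides whether a reveal request may proceed. The in-memory session store, the alias ownership table, the `sess_*` tokens, the `tok_sandbox_*` aliases, the `card_number` field and the `authorizeReveal`/`handleRevealRequest` names are all constructed for illustration; substitute your real session validation and data store.

```javascript
// Added example, not VGS code. The authorization decision a backend makes
// before a request is allowed to carry an alias back through the inbound
// proxy for reveal. Session store and alias ownership are constructed
// in-memory stand-ins for your real auth system and database.

// Constructed: session token -> { accountId, expiresAt (ms since epoch) }
const SESSIONS = new Map([
  ['sess_valid',   { accountId: 'acct_1', expiresAt: Date.parse('2030-01-01T00:00:00Z') }],
  ['sess_expired', { accountId: 'acct_1', expiresAt: Date.parse('2020-01-01T00:00:00Z') }],
]);

// Constructed: alias -> owning account. The backend stores only aliases;
// the real values never leave the VGS vault.
const ALIAS_OWNER = new Map([
  ['tok_sandbox_abc', 'acct_1'],
  ['tok_sandbox_xyz', 'acct_2'],
]);

// Both checklist conditions must hold:
//   1. the presented authentication is valid and not expired, AND
//   2. the authenticated account owns the alias being requested.
// `now` is injectable so expiry can be tested deterministically.
function authorizeReveal(sessionToken, alias, now = Date.now()) {
  const session = SESSIONS.get(sessionToken);
  if (!session) return { allowed: false, reason: 'unknown session' };
  if (session.expiresAt <= now) return { allowed: false, reason: 'session expired' };

  const owner = ALIAS_OWNER.get(alias);
  // An unknown alias is treated exactly like another account's alias: deny.
  if (owner === undefined || owner !== session.accountId) {
    return { allowed: false, reason: 'alias not owned by account' };
  }
  return { allowed: true, reason: 'ok' };
}

// Build the backend's response. Only an authorized request echoes the alias
// back in the body, where the VGS proxy substitutes the real value on the
// response side. Every denial returns the same generic body; the specific
// reason goes to your logs, not to the caller.
function handleRevealRequest(req, now = Date.now()) {
  const { allowed, reason } = authorizeReveal(req.sessionToken, req.alias, now);
  if (!allowed) {
    return { status: 403, body: { error: 'forbidden' }, log: reason };
  }
  return { status: 200, body: { card_number: req.alias }, log: reason };
}

// Usage: a request from the owner of tok_sandbox_abc with a live session.
handleRevealRequest({ sessionToken: 'sess_valid', alias: 'tok_sandbox_abc' });
```

Note that the handler returns the same 403 body for an unknown session, an expired session, a foreign alias and a non-existent alias; distinguishing them in the response would let an attacker holding one credential enumerate which aliases exist.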

#### CSP (For Collect.js and Show\.js) <a href="#csp-for-collectjs-and-showjs" id="csp-for-collectjs-and-showjs"></a>

We strongly recommend adding a Content Security Policy (CSP) to any page that embeds Collect.js or Show.js. CSP is an added layer of defence that helps detect and mitigate certain classes of attack, including Cross-Site Scripting (XSS) and data injection, by telling the browser which origins may supply scripts, frames and network connections. Serve it as a `Content-Security-Policy` response header (or a `<meta http-equiv>` tag) and allow the following VGS domains in the directives shown:

```
default-src 'self';
connect-src https://js.verygoodvault.com https://js3.verygoodvault.com https://vgs-collect-keeper.apps.verygood.systems;
frame-src https://js.verygoodvault.com https://js3.verygoodvault.com;
script-src https://js.verygoodvault.com https://js3.verygoodvault.com;
form-action 'self';
style-src 'self' 'unsafe-inline';
img-src 'self';
media-src 'none';
object-src 'none';
child-src 'self';
block-all-mixed-content
```

Directives are separated by semicolons in the header value; the line breaks above are for readability only. Two points to keep in mind when merging this with your own policy. First, an explicit directive such as `script-src` replaces `default-src` for that resource type rather than extending it, so add `'self'` (or your own CDN origin) to `script-src`, `connect-src` and `frame-src` if your application loads its own scripts, makes its own fetch/XHR calls or embeds its own frames; otherwise the browser will block them. Second, `block-all-mixed-content` is deprecated in current browsers, which now block or upgrade mixed content by default, so it is harmless but no longer necessary.
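To check a policy before deploying it, here is an added example in Node.js (not VGS code) that parses a CSP header value and answers whether a given directive admits a given origin, following the fallback rules browsers apply: `frame-src` and `worker-src` fall back to `child-src`, which falls back to `default-src`, and the other fetch directives fall back to `default-src`. `VGS_CSP` is the policy above serialised as one header value, `https://shop.example` is an assumed page origin, and host-source matching is simplified to scheme and host (no ports, paths or scheme-only sources). The `VGS_REQUIREMENTS` list and the function names are this example's own.

```javascript
// Added example, not VGS code: a small CSP evaluator for sanity-checking the
// policy on this page. It implements the directive fallback chain browsers
// use and a simplified host-source match (scheme + host only).

// The policy from this page as a single header value (constructed here).
const VGS_CSP = [
  "default-src 'self'",
  'connect-src https://js.verygoodvault.com https://js3.verygoodvault.com https://vgs-collect-keeper.apps.verygood.systems',
  'frame-src https://js.verygoodvault.com https://js3.verygoodvault.com',
  'script-src https://js.verygoodvault.com https://js3.verygoodvault.com',
  "form-action 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self'",
  "media-src 'none'",
  "object-src 'none'",
  "child-src 'self'",
  'block-all-mixed-content',
].join('; ');

// Which directive governs a resource type when the specific one is absent.
const FALLBACK = {
  'frame-src': 'child-src',
  'worker-src': 'child-src',
  'child-src': 'default-src',
  'script-src': 'default-src',
  'connect-src': 'default-src',
  'img-src': 'default-src',
  'style-src': 'default-src',
  'media-src': 'default-src',
  'object-src': 'default-src',
  'font-src': 'default-src',
};

// Parse "name src src; name src" into { name: [src, ...] }.
// If a directive is repeated, the first occurrence wins, as in browsers.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...values] = tokens;
    const name = rawName.toLowerCase();
    if (!(name in directives)) directives[name] = values;
  }
  return directives;
}

// Walk the fallback chain until a directive present in the policy is found.
function effectiveSources(directives, directive) {
  let name = directive;
  while (name && !(name in directives)) name = FALLBACK[name];
  return name ? { governedBy: name, sources: directives[name] } : null;
}

// Does one source expression admit `origin` (e.g. 'https://js.verygoodvault.com')?
function sourceMatches(source, origin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not host sources
  const [srcScheme, srcHost] = source.includes('://') ? source.split('://') : [null, source];
  const [oScheme, oHost] = origin.split('://');
  if (srcScheme && srcScheme !== oScheme) return false;
  if (srcHost.startsWith('*.')) return oHost.endsWith(srcHost.slice(1));
  return srcHost === oHost;
}

// True if `directive` (after fallback) admits `origin` under `policy`.
// A resource type with no governing directive at all is unrestricted.
function allows(policy, directive, origin, pageOrigin = 'https://shop.example') {
  const eff = effectiveSources(parseCsp(policy), directive);
  if (!eff) return true;
  if (eff.sources.includes("'none'")) return false;
  return eff.sources.some((s) => sourceMatches(s, origin, pageOrigin));
}

// The (directive, origin) pairs Collect.js / Show.js need, taken from this page.
const VGS_REQUIREMENTS = [
  ['script-src', 'https://js.verygoodvault.com'],
  ['script-src', 'https://js3.verygoodvault.com'],
  ['frame-src', 'https://js.verygoodvault.com'],
  ['frame-src', 'https://js3.verygoodvault.com'],
  ['connect-src', 'https://js.verygoodvault.com'],
  ['connect-src', 'https://js3.verygoodvault.com'],
  ['connect-src', 'https://vgs-collect-keeper.apps.verygood.systems'],
];

// Requirements a policy fails to satisfy; an empty array means it is complete.
function missingVgsSources(policy) {
  return VGS_REQUIREMENTS.filter(([directive, origin]) => !allows(policy, directive, origin));
}

// Usage: missingVgsSources(VGS_CSP) is empty, while a bare "default-src 'self'"
// policy is missing all seven requirements.
missingVgsSources(VGS_CSP);
```

Running `allows(VGS_CSP, 'script-src', 'https://shop.example')` returns false, which is the first caveat above made concrete: the page's own scripts are blocked until `'self'` is added to `script-src`.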
