Security Checklist
We highly recommend the following best practices to ensure secure configurations.
Reveal on the response side
Configure the reveal capability on the response side. Revealing only as the response is built keeps your backend interface out of PCI scope, because the backend never has to handle the underlying sensitive value itself. It also defers the transfer of that value until the last possible moment, which keeps the window in which revealed data is exposed as short as possible.
mTLS
If an attacker takes over the DNS name of your backend, traffic that VGS intends for your backend is redirected to a host the attacker controls. That host receives the revealed data without ever passing through your authentication mechanisms, so secrets can be exfiltrated this way. We therefore strongly recommend authenticating the host that VGS communicates with, not just its name.
To mitigate this, use our mTLS functionality so that the connection is authenticated by certificate on both sides and VGS servers communicate only with your own backend infrastructure. Here is our recommended setup process.
Backend Authentication
Very Good Security does not interact with your authentication mechanism, so it cannot decide whether an alias should be revealed for a given inbound proxy request. That decision must be made by your backend. A securely implemented backend should allow the request only if:
The authentication is valid and not expired.
AND
The account associated with the authentication mechanism matches the token being requested.
Both checks are required: a valid session alone must never be enough to reveal an alias that belongs to a different account. It is also extremely important to protect against compromise of the authentication mechanism itself, such as a leaked or stolen session token. Additional guidelines are provided here.
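The two checks above, as an added example that is not VGS code. It assumes a stateless session token of the form base64url(payload).base64url(hmac-sha256) carrying the account id and an expiry, and an alias registry that records which account owns each alias; the signing key, the registry and the alias values are constructed for the example.

```python
"""Added example (not VGS code): the two checks a backend must make before
revealing an alias. Assumes an HMAC-signed session token bound to one account
and a registry mapping each alias to its owning account. The key, the registry
and the alias values below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"example-signing-key-do-not-use"  # assumption: per-environment secret

# Constructed registry: the account that each alias belongs to.
ALIAS_OWNER = {
    "tok_sandbox_abc123": "acct_1001",
    "tok_sandbox_def456": "acct_2002",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(account_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint an HMAC-signed session token bound to one account, valid for ttl_seconds."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": account_id, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Check 1: return the account id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time; rejects forgeries
            return None
        claims = json.loads(payload)
        if claims["exp"] <= now:  # expired (or exactly at expiry)
            return None
        return str(claims["sub"])
    except (ValueError, TypeError, KeyError):  # malformed token, base64, JSON or claims
        return None


def authorize_reveal(token: str, alias: str, now: Optional[float] = None) -> bool:
    """Allow the reveal only if the session is valid AND the alias belongs to that account.

    Check 2 is the one most often missed: a valid session for account A must not be
    able to reveal an alias registered to account B (an IDOR on the alias).
    """
    account_id = verify_session(token, now)
    if account_id is None:
        return False
    # An unknown alias and another account's alias are denied the same way, so the
    # response does not leak whether an alias exists.
    return ALIAS_OWNER.get(alias) == account_id
```

Call authorize_reveal before forwarding anything to the reveal path; a forged or expired token, an alias owned by another account and an alias that does not exist all return False and should produce the same error response.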
CSP (For Collect.js and Show.js)
We strongly recommend adding a CSP to your application. Content Security Policy (CSP) is an added layer of security that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection. Create CSP directives that allow the following domains, and merge them with the sources your own application already needs: as written below, script-src does not include 'self', so your first-party scripts would be blocked unless you add it.
connect-src https://js.verygoodvault.com https://js3.verygoodvault.com https://vgs-collect-keeper.apps.verygood.systems
frame-src https://js.verygoodvault.com https://js3.verygoodvault.com
script-src https://js.verygoodvault.com https://js3.verygoodvault.com
default-src 'self'
form-action 'self'
style-src 'self' 'unsafe-inline'
img-src 'self'
media-src 'none'
object-src 'none'
child-src 'self'
block-all-mixed-content
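To see what the directives above actually permit, here is an added example (not VGS code) that assembles them into a Content-Security-Policy header value, parses it back, and resolves which origins each kind of request may use, applying CSP's directive fallback (frame-src falls back to child-src and then default-src; the other fetch directives fall back to default-src). The page origin https://shop.example is an assumption, and origins are compared exactly by scheme and host; the wildcard and path matching rules of the CSP specification are left out.

```python
"""Added example (not VGS code): serialize the checklist's CSP, parse it back and
resolve allowed origins per directive, including the directive fallback chain.
The page origin used in the usage below is an assumption."""
from typing import Dict, List, Optional

# The directives from the checklist, in dictionary form.
DIRECTIVES: Dict[str, List[str]] = {
    "connect-src": ["https://js.verygoodvault.com", "https://js3.verygoodvault.com",
                    "https://vgs-collect-keeper.apps.verygood.systems"],
    "frame-src": ["https://js.verygoodvault.com", "https://js3.verygoodvault.com"],
    "script-src": ["https://js.verygoodvault.com", "https://js3.verygoodvault.com"],
    "default-src": ["'self'"],
    "form-action": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'"],
    "media-src": ["'none'"],
    "object-src": ["'none'"],
    "child-src": ["'self'"],
    "block-all-mixed-content": [],
}

# Directive consulted when the named one is absent (CSP Level 3 fallback for these directives).
FALLBACK = {
    "frame-src": "child-src",
    "child-src": "default-src",
    "connect-src": "default-src",
    "script-src": "default-src",
    "style-src": "default-src",
    "img-src": "default-src",
    "media-src": "default-src",
    "object-src": "default-src",
    "font-src": "default-src",
}


def header_value(directives: Dict[str, List[str]]) -> str:
    """Serialize to a Content-Security-Policy header value."""
    parts = [name + (" " + " ".join(srcs) if srcs else "") for name, srcs in directives.items()]
    return "; ".join(parts)


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Parse a header value into {directive: [sources]}; a repeated directive keeps its first value, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Walk the fallback chain; None means the policy does not restrict this directive at all."""
    current: Optional[str] = directive
    while current is not None:
        if current in policy:
            return policy[current]
        current = FALLBACK.get(current)
    return None


def _origin(url: str) -> str:
    return url.strip().rstrip("/").lower()


def is_allowed(policy: Dict[str, List[str]], directive: str, origin: str, page_origin: str) -> bool:
    """True if a request of this kind to origin is permitted for a page served from page_origin."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True
    origin, page_origin = _origin(origin), _origin(page_origin)
    for src in sources:
        if src == "'self'":
            if origin == page_origin:
                return True
        elif src.startswith("'"):
            continue  # 'none', 'unsafe-inline' and other keywords never match a host
        elif _origin(src) == origin:
            return True
    return False


if __name__ == "__main__":
    policy = parse_policy(header_value(DIRECTIVES))
    page = "https://shop.example"  # assumed page origin
    for directive, target in [("frame-src", "https://js.verygoodvault.com"),
                              ("script-src", page), ("connect-src", "https://api.attacker.example")]:
        print(directive, target, is_allowed(policy, directive, target, page))
```

Running it shows the consequences a practitioner should weigh before copying the list verbatim: script-src without 'self' blocks the page's own scripts, and because frame-src is set explicitly the child-src 'self' entry never applies to iframes, so a same-origin iframe is blocked too. Note also that block-all-mixed-content is deprecated in current browsers; upgrade-insecure-requests is the supported directive for the same goal.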