Best Practices - Mufi

On this page

Protect Developer Credentials
Secure Storage of Mufi API keys
Mitigate XSS Attacks
Enhance CORS Security
Addressing Potential Risks - internal employee account accessed

Protect Developer Credentials

Limit and manage access to your Mufi Dashboard and API tokens.
Set up a time-based one-time password (e.g., Google Authenticator) for accessing the your Mufi dashboard and features.

Secure Storage of Mufi API keys

Store Mufi API tokens securely and minimize access to these credentials.
They should only be used on the backend and never shared on the client side.

Mitigate XSS Attacks

Use content security policies on the frontend.
Implement TLS and HTTPS for all requests.
Limit permissible JavaScript, set context headers properly, and avoid open redirects.
If you enable the frame-src CSP, then you need to perform this whitelisting (learn how here).
Enforce a strict Content Security Policy (CSP). Refer to this guide for more information.

Enhance CORS Security

Add specific origins for CORS to protect your environment from unauthorized websites using your public environment key.
Avoid using wildcards in favor of explicit domains.
Be especially strict with your live environment (e.g don’t have localhost etc)

Addressing Potential Risks - internal employee account accessed

If an employee account is compromised and best practices are not followed, there are several risks:

Unauthorized activities could be conducted using acquired JWT and session key.

Quickstart API Version