March 7, 2024
zendit Security Best Practices
Review the new security features and best practices that keep your integration secure and free of fraudulent transactions.
zendit has come a long way in the past year!
Please review the new security features and best practices below to keep your integration secure and free of fraudulent transactions. This post covers all the security features available in zendit, how to use them, and our recommended best practices for keeping your environment secure and fraud free.
API Keys
API Keys can now be regenerated!
We recommend regenerating your keys on a fixed schedule (e.g. every 90 days). Regenerating a key immediately invalidates the previous key for API access to your account, so a compromised key stops working the moment you regenerate. Because there is no overlap period, plan each scheduled rotation so that your integration is switched to the new key at the same time it is generated.
If you identify that your key has been compromised, regenerate a new key immediately from the zendit user console.
Keep this API Key secure: load it from a secrets manager or environment variable rather than committing it to source code, and never paste it into chat, tickets or email. Client support will never ask you for your API Key. If someone asks for this key and is not a user you trust with the key for your integration, do not share it.
IP Whitelisting
IP Whitelisting has been with zendit from the start.
Always protect your environment with an IP Whitelist that restricts API access to the trusted hosts your integration runs on; a leaked API key is then unusable from any other address. If your production IP Whitelist is ever changed, zendit sends an alert to the user console. You may also opt in to receiving security-related alerts, and notification of changes made to your production environment, via email and SMS.
Catalog Security
Securing your catalog is an important part of your integration.
You can disable products so they are not available for sale if you don’t expect to sell them. zendit highly recommends disabling every product that isn’t intended for sale as an extra layer of security: a compromised key or integration can then only purchase the products you have explicitly enabled.
Webhook Security
Clients who elect to implement webhooks can add them to the environment together with a header name and value that zendit will send on every webhook request.
For production environments we recommend configuring an Authentication header whose value is a long, randomly generated string (not the API Key) known only to zendit and your integration. Your webhook endpoint should reject any request that does not carry exactly this header value; this is how you verify that a received webhook genuinely came from zendit. Serve the endpoint over HTTPS so the header value is not exposed in transit, and compare the value using a constant-time comparison.
ShieldWall
ShieldWall has been released as a webhook that we recommend implementing in your integration.
This webhook sends you information about each transaction being made in your account, so you can automatically double-check that the transaction is legitimate by matching it against the transactions your integration actually originated. If the transaction was not originated by your integration, return a simple error response to the webhook request and zendit will block it from being fulfilled, with no funds withdrawn from the wallet.
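As an added illustration (not zendit’s own code or SDK), here is a Python webhook receiver that combines the two checks from the Webhook Security and ShieldWall sections above: it verifies the configured Authentication header with a constant-time comparison, then treats the ShieldWall notification as legitimate only if the transaction id is one the integration itself recorded when it placed the order. The header name, the `transactionId` field in the payload, and the HTTP status codes used for the error response are assumptions made for this example; substitute the field names that zendit’s webhook payload actually carries and whatever error response your ShieldWall configuration expects.

```python
import hmac
import json
import secrets

# Header name recommended on the page; the value is whatever you configured
# in the zendit console for the webhook (assumption: it is sent verbatim).
HEADER_NAME = "Authentication"


def generate_webhook_secret() -> str:
    """Create the header value once, store it in your secret manager, and paste
    it into the zendit webhook configuration. 48 random bytes -> 64 URL-safe chars."""
    return secrets.token_urlsafe(48)


def header_is_valid(headers: dict, expected_secret: str) -> bool:
    """True only if the request carries HEADER_NAME with exactly the configured value.
    Header names are matched case-insensitively (HTTP semantics); the value is
    compared in constant time so a mismatch cannot be timed byte by byte."""
    presented = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected_secret.encode("utf-8"))


class Ledger:
    """Transaction ids this integration itself submitted to zendit.
    A real deployment backs this with the database row written when the order
    was placed; an in-memory set is enough to show the check."""

    def __init__(self):
        self._originated = set()

    def record(self, txn_id: str) -> None:
        self._originated.add(txn_id)

    def originated_by_us(self, txn_id: str) -> bool:
        return txn_id in self._originated


def handle_shieldwall_webhook(headers: dict, body: str, secret: str, ledger: Ledger):
    """Return (status, response_body) for one webhook request.
    200 lets zendit proceed; any error status is the 'simple error response'
    that tells zendit to block fulfilment. Assumption: the payload is JSON with
    a 'transactionId' field; use the real field name from zendit's docs."""
    if not header_is_valid(headers, secret):
        # Not provably from zendit: never act on it, and never say why.
        return 401, {"error": "unauthenticated"}
    try:
        payload = json.loads(body)
        txn_id = payload["transactionId"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed payload"}
    if not isinstance(txn_id, str) or not ledger.originated_by_us(txn_id):
        # Authentic sender, but a transaction we never placed: block it.
        return 409, {"error": "transaction not originated by this integration"}
    return 200, {"status": "ok"}


if __name__ == "__main__":
    # Constructed example: one secret, one order we placed, three incoming webhooks.
    secret = generate_webhook_secret()
    ledger = Ledger()
    ledger.record("txn-0001")  # written when our integration placed the order

    ours = {"Authentication": secret}
    print(handle_shieldwall_webhook(ours, '{"transactionId": "txn-0001"}', secret, ledger))
    print(handle_shieldwall_webhook(ours, '{"transactionId": "txn-9999"}', secret, ledger))
    print(handle_shieldwall_webhook({"Authentication": "guess"}, '{"transactionId": "txn-0001"}', secret, ledger))
```

One ordering detail matters in practice: write the transaction to your own ledger before you send the purchase request to zendit, not after the response comes back. Otherwise a legitimate ShieldWall webhook can arrive before the row exists and your endpoint will block your own order.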