We take a number of steps to secure the app's infrastructure where security extends from the mobile app to the APIs.
- Use of keychain on iOS to store all credentials.
- All APIs are secured with a wildcard SSL certificate.
- Use of JWT and JWE for securing all APIs.
- Load Balancer supported for horizontal scaling.
- All customer data on the server is encrypted using 128-bit AES encryption.
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- App secured against database injection attacks.
- App protected against clickjacking and XSS, with MIME-sniffing prevention, HSTS, HPKP and CORS settings configured.
- Security headers are enabled.
- Scripts are not deployed with default credentials, particularly for admin users.
- Uses a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL. IDs should also be securely stored and invalidated after logout, idle, and absolute timeouts.
- JWT tokens are invalidated on the server after logout.
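As an added example (not the app's own code), the following minimal server-side session store in Python illustrates the behaviour described in the last two items: high-entropy IDs generated from the OS CSPRNG, a fresh ID issued at login, idle and absolute timeouts, and a logout that also revokes the JWT's `jti`. The timeout values and the injected clock are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60       # assumed policy: expire after 15 min without activity
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed policy: hard lifetime of 8 h regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side store: the client only ever holds the opaque ID (cookie or header, never the URL)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so timeouts can be tested deterministically
        self._sessions = {}        # session ID -> Session
        self._revoked_jti = set()  # JWT IDs revoked at logout, checked on every API call

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy, URL-safe base64
        t = self._now()
        self._sessions[sid] = Session(user_id, t, t)
        return sid

    def rotate_after_login(self, old_sid, user_id):
        # Never keep the pre-authentication ID: issuing a new one at login defeats session fixation.
        self._sessions.pop(old_sid, None)
        return self.create(user_id)

    def lookup(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)  # expired: forget it so the client must re-authenticate
            return None
        s.last_seen = t  # sliding idle window; the absolute deadline is fixed at creation
        return s.user_id

    def logout(self, sid, jti=None):
        self._sessions.pop(sid, None)  # server-side invalidation, independent of the client
        if jti is not None:
            self._revoked_jti.add(jti)  # a still-unexpired JWT must be rejected from now on

    def jwt_is_revoked(self, jti):
        return jti in self._revoked_jti
```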