KOR Connect Security
One of the biggest concerns for developers who want to consume APIs on the client is finding a secure way to store API keys and safely integrate third-party APIs. Even without a backend, there are approaches that try to solve this problem, such as putting your keys in a secrets store (e.g. AWS Secrets Manager, KMS), implementing CORS, and creating functions that act as a backend proxy, to name a few. All of these, however, still present vulnerabilities. What if a malicious agent can still consume your API gateway? What if an attacker grabs your supposedly protected endpoint and consumes it from different origins without your knowledge? KOR Connect tackles these problems with different layers of protection. Here is how it works.
In KOR Connect, you have two options for your connections:
- One single URL with basic security. A good way to start using your connections as simply as possible.
- More advanced security, with a little more work on your front-end.
1. Single URL Option:
The single URL is a fast way to get your connections working while having some degree of security. Here are the security policies the single URL has:
- Inspects for miscellaneous bots.
- Inspects for security-related bots.
- Inspects for indications of an automated web browser.
- Inspects for data centers that are typically used by bots.
- Inspects for user agent strings that don't seem to be from a web browser.
- Validates the Access-Control-Allow-Origin header with the user's allowed origins.
Encryption in Transit and at Rest
Once you create a connection in KOR Connect, behind the scenes an API Gateway is created with serverless functions that will deal with the API calls and security verification. All of the data that you input into KOR Connect (e.g. API keys) is encrypted at rest in the Lambda function using the symmetric algorithm AES-256-GCM (AES in Galois/Counter Mode with 256-bit keys). Every piece of information is transferred using SSL.
2. Advanced Security Option
Besides having all the bot controls and the Encryption in Transit and at Rest, the advanced security option offers more layers of protection:
KOR Connect requires the user to specify which domain will have access to the integrated KOR Connect Connection. This information is passed through Google reCAPTCHA V3, which allows KOR Connect to validate the origin of the requests. KOR Connect utilizes this as an attestation layer. If a non-authorized agent tries to create a token and attempts to call the KOR Connection, the request will fail even if the request header is modified. Furthermore, by using Google reCAPTCHA V3, KOR Connect gains protection against certain OWASP Web-Automated Attacks. More information in the white paper here: https://services.google.com/fh/files/misc/owasp_handbook_again.pdf
As a secondary layer of protection, KOR Connect expires requests automatically. This means that if an attacker steals a valid token, by the time they try to use it, that token will be invalid and expired. If the attacker uses complex automated techniques to get past this, Google reCAPTCHA V3's protection against automated attacks will block it.
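As an added example (not KOR Connect's own code), the two layers described above can be written as a server-side policy over the JSON that Google's reCAPTCHA v3 siteverify endpoint returns: the hostname check validates where the token was minted, and the age check expires it. The allow-list, action name, score threshold, lifetime and sample responses are assumptions constructed for illustration.

```javascript
// Added example (not KOR Connect code). Field names follow Google's
// siteverify JSON response; every policy value below is an assumption.
const POLICY = {
  allowedHostnames: new Set(["app.example.com"]), // constructed allow-list
  expectedAction: "kor_call",                     // hypothetical action name
  minScore: 0.5,                                  // assumed score threshold
  maxAgeMs: 30_000,                               // assumed token lifetime
  clockSkewMs: 5_000,                             // assumed tolerated skew
};

const deny = (reason) => ({ allowed: false, reason });

// Decide whether a verified reCAPTCHA v3 assessment may reach the upstream API.
function evaluateAssessment(resp, nowMs, policy = POLICY) {
  if (!resp || resp.success !== true) return deny("verification_failed");
  // hostname is reported by Google for the page that minted the token, so it
  // does not depend on Origin/Referer headers supplied by the caller.
  const host = String(resp.hostname || "").toLowerCase();
  if (!policy.allowedHostnames.has(host)) return deny("hostname_not_allowed");
  if (resp.action !== policy.expectedAction) return deny("action_mismatch");
  if (typeof resp.score !== "number" || resp.score < policy.minScore) {
    return deny("low_score");
  }
  // challenge_ts is an ISO 8601 timestamp of when the token was issued.
  const issuedMs = Date.parse(resp.challenge_ts);
  if (Number.isNaN(issuedMs)) return deny("bad_timestamp");
  const ageMs = nowMs - issuedMs;
  if (ageMs < -policy.clockSkewMs) return deny("issued_in_future");
  if (ageMs > policy.maxAgeMs) return deny("expired");
  return { allowed: true, reason: "ok" };
}

// Constructed sample responses, shaped like siteverify output.
const fresh = {
  success: true, score: 0.9, action: "kor_call",
  challenge_ts: "2024-01-01T12:00:00Z", hostname: "app.example.com",
};
const samples = {
  fresh,
  otherSite: { ...fresh, hostname: "other.example.net" },
  automated: { ...fresh, score: 0.1 },
  failed: { success: false, "error-codes": ["invalid-input-response"] },
};

const NOW = Date.parse("2024-01-01T12:00:10Z");
for (const [name, resp] of Object.entries(samples)) {
  console.log(name, evaluateAssessment(resp, NOW).reason);
}
console.log("stale", evaluateAssessment(fresh, NOW + 5 * 60_000).reason);
```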
Backend and Resources
KOR Connect uses AWS as the main cloud vendor for infrastructure requirements.
KOR Connect utilizes Amazon's secure data centers and leverages Amazon Web Services' (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
More information here: https://aws.amazon.com/compliance/programs/