Platform Guides

Security Best Practices

Guidelines for secure integration, data handling, and compliance with ContentSellify.

Overview

Security is our top priority at ContentSellify. This guide outlines best practices for keeping your account, products, and customer data safe.

🔐

API Security

Protect your API keys and tokens

💳

Payment Security

PCI-compliant payment processing

📊

Data Protection

GDPR & data privacy compliance

1. API Security

Protect Your API Keys

❌ Never Do This

•Commit API keys to Git repositories
•Hard-code keys in frontend JavaScript
•Share keys in Slack, email, or chat
•Use production keys in development

✓ Best Practices

•Store keys in environment variables (.env)
•Use separate keys for development and production
•Rotate keys every 90 days or after team member leaves
•Use read-only keys when write access isn't needed

Environment Variable Example

# .env (add to .gitignore)
CONTENTSELLIFY_API_KEY=csfy_live_abc123...
CONTENTSELLIFY_SECRET_KEY=sk_live_xyz789...
WEBHOOK_SECRET=whsec_def456...

# Never commit these!
# Add .env to your .gitignore:
echo ".env" >> .gitignore

2. Authentication & Authorization

🔑 Use OAuth 2.0

OAuth provides secure, token-based authentication without exposing user passwords. Always use OAuth for integrations.

⏱️ Token Expiration

Access tokens expire after 1 hour. Refresh tokens are valid for 30 days. Implement automatic token refresh in your application.

🚫 Revoke Compromised Tokens

If you suspect a token has been compromised, revoke it immediately from Dashboard → API Settings → Active Tokens.

3. Transport Security

🔒 Always Use HTTPS

All API requests must be made over HTTPS. HTTP requests are automatically rejected for security.

// ✓ Good - HTTPS
fetch('https://api.contentsellify.com/products', {
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  }
});

// ❌ Bad - HTTP (will fail)
fetch('http://api.contentsellify.com/products', ...)

📦 TLS 1.2+

Our API requires TLS 1.2 or higher. Older protocols (SSL, TLS 1.0, TLS 1.1) are disabled for security.

4. Payment Security

We handle PCI compliance for you. Customer payment information never touches your servers.

✓ We Store

• Credit card numbers (encrypted)
• CVV codes (temporarily)
• Billing addresses
• Payment tokens

✓ You Receive

• Order confirmation
• Customer email
• Transaction ID
• Payment status

5. Data Protection & Privacy

🇪🇺 GDPR Compliance

We are GDPR compliant. Users can request data exports or account deletion. Data is stored in encrypted databases with regular backups.

📝 Data Minimization

Only collect customer data you need. Don't store sensitive information unnecessarily. Use ContentSellify's built-in customer management.

🗑️ Data Retention

Transaction records are kept for 7 years for legal compliance. User data is deleted within 30 days of account deletion request.

6. Webhook Security

Always verify webhook signatures to prevent spoofed events:

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const hash = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('hex');
    
  // Use timing-safe comparison
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(hash)
  );
}

// Reject unverified webhooks
if (!verifyWebhook(req.body, req.headers['x-webhook-signature'], secret)) {
  return res.status(401).json({ error: 'Invalid signature' });
}

Security Checklist

API keys stored in environment variables, not in codeUsing HTTPS for all API requestsWebhook signatures verified on all incoming webhooksSeparate API keys for development and productionOAuth tokens refresh automatically before expirationCustomer data handled according to GDPR requirements