WePay

Application Security

By integrating with the WePay API, you're reducing the scope of security and compliance requirements for your application. However, as an application that handles sensitive and private data, you must take extra care to ensure the privacy and security of your application, your users, and your users' data. The following list applies to most integrations, but you should expand and customize these requirements based on the specifics of your application.

Authenticate users and protect their credentials.

If your application provides access to sensitive financial information (e.g. payment history), you must authenticate users to make sure that sensitive information is not accessed by a third party. Your authentication system should be robust: require long passwords (at least 6 characters) with a mix of alpha-numeric characters to prevent password guessing attacks; never store plain text passwords in your database; use one-way hash functions (e.g. bcrypt) to protect passwords; make sure that only limited number of employees have access to the database that stores users' credentials: passwords, WePay access tokens, etc.

Use HTTPS (HTTP over SSL) and HSTS (HTTP Strong-Transport-Security).

The "plain" HTTP protocol is vulnerable to session hijacking by listening to the traffic and extracting the session cookie (e.g. by a person sitting next to your user in the coffee-shop). The "plain" HTTP is also vulnerable to man-in-the-middle attacks. For example, an attacker with access to your ISP can inject malicious content into your website and run rogue JavaScript code from your domain. By using HTTPS and HSTS you can ensure that the network connections between your users and your servers are encrypted and protected. For this reason, more sophisticated users tend to trust HTTPS protected sites more than non-HTTPS sites.

Protect your production systems.

Requiring strong passwords and 2-factor authentication (if possible) to access your production system is a must. Remember to change any default passwords on any internal or external services used by your application. Install a firewall and limit the open ports to the ones required by your application. If you're hosting in a shared environment, you must consider the protection of data on the network. For example, if you're running a database or a caching server on a machine other than your web server, make sure that the data between the servers are encrypted. Otherwise, other users of the shared environment can view your data on the network. Install the latest patches and updates to ensure that all known vulnerabilities in the system software are patched. Install extensive logging and perform regular automated and manual audits to detect any suspicious activities.

Setup a secure development process.

A secure development process is critical to ensuring your application security. Code reviews, extensive testing, utilizing well known frameworks, and developers training are the most critical components in building secure applications. You can learn more about these and other ways to protect your application by visiting The Open Web Application Security Project (OWASP) website.

Configure automated vulnerability scans.

Consider configuring at least weekly automated vulnerability scans from a PCI-certified vendor. While automated scans are limited in the vulnerabilities they can detect, they can still catch bugs that slipped past other protection barriers.

Define and document your security policies and procedures.

Your system security is only as strong as its weakest link. To get a complete view of your systems and processes, define and document your security policies and procedures, and make sure that you adhere to them. As your application and business change, you should update these procedures. Carefully consider each change and its impact on your system security and compliance.

WePay takes security very seriously. We're happy to answer questions or discuss any security concerns you may have. Contact our security team at security@wepay.com.