Security Guide
This guide covers security best practices for your TraderPal Connect integration.
Authentication
API Keys
// DO NOT expose API keys in client-side code
const client = new TraderPalClient({
apiKey: process.env.TRADERPAL_API_KEY,
apiSecret: process.env.TRADERPAL_API_SECRET,
environment: 'production'
});
OAuth 2.0 Flow
const authConfig = {
clientId: process.env.OAUTH_CLIENT_ID,
clientSecret: process.env.OAUTH_CLIENT_SECRET,
redirectUri: 'https://your-app.com/callback',
scope: 'trade:execute account:read'
};
// Generate authorization URL
const authUrl = client.auth.getAuthorizationUrl(authConfig);
// Exchange code for access token
const { accessToken, refreshToken } = await client.auth.getAccessToken(code);
Data Encryption
In Transit
All API requests must use HTTPS:
const client = new TraderPalClient({
baseUrl: 'https://api.traderpal.com',
// Force HTTPS
forceHttps: true
});
At Rest
Sensitive data should be encrypted before storage:
const crypto = require('crypto');
class DataEncryption {
constructor(encryptionKey) {
this.algorithm = 'aes-256-gcm';
this.key = Buffer.from(encryptionKey, 'base64');
}
encrypt(data) {
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv(this.algorithm, this.key, iv);
let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'base64');
encrypted += cipher.final('base64');
const authTag = cipher.getAuthTag();
return {
encrypted,
iv: iv.toString('base64'),
authTag: authTag.toString('base64')
};
}
decrypt(encryptedData) {
const decipher = crypto.createDecipheriv(
this.algorithm,
this.key,
Buffer.from(encryptedData.iv, 'base64')
);
decipher.setAuthTag(Buffer.from(encryptedData.authTag, 'base64'));
let decrypted = decipher.update(encryptedData.encrypted, 'base64', 'utf8');
decrypted += decipher.final('utf8');
return JSON.parse(decrypted);
}
}
Request Signing
HMAC Authentication
function signRequest(method, path, body, apiSecret) {
const timestamp = Date.now().toString();
const message = `${timestamp}${method.toUpperCase()}${path}${JSON.stringify(body)}`;
const signature = crypto
.createHmac('sha256', apiSecret)
.update(message)
.digest('hex');
return {
'X-TP-Timestamp': timestamp,
'X-TP-Signature': signature
};
}
Input Validation
Request Validation
const Joi = require('joi');
const orderSchema = Joi.object({
symbol: Joi.string().required().max(10),
quantity: Joi.number().positive().required(),
price: Joi.number().positive(),
type: Joi.string().valid('market', 'limit').required(),
side: Joi.string().valid('buy', 'sell').required()
});
function validateOrder(orderData) {
const { error, value } = orderSchema.validate(orderData);
if (error) {
throw new ValidationError(error.details[0].message);
}
return value;
}
SQL Injection Prevention
// DO NOT concatenate SQL queries
const query = {
text: 'SELECT * FROM orders WHERE user_id = $1 AND status = $2',
values: [userId, status]
};
// Use parameterized queries
await pool.query(query);
Rate Limiting
Client-Side Rate Limiting
class RateLimiter {
constructor(maxRequests, timeWindow) {
this.maxRequests = maxRequests;
this.timeWindow = timeWindow;
this.requests = new Map();
}
async checkLimit(key) {
const now = Date.now();
const windowStart = now - this.timeWindow;
// Clean old requests
this.requests.forEach((timestamp, reqKey) => {
if (timestamp < windowStart) {
this.requests.delete(reqKey);
}
});
// Check current window
const keyRequests = Array.from(this.requests.entries())
.filter(([reqKey]) => reqKey.startsWith(key))
.length;
if (keyRequests >= this.maxRequests) {
throw new RateLimitError('Rate limit exceeded');
}
// Record request
this.requests.set(`${key}:${now}`, now);
}
}
Session Management
Secure Session Configuration
const session = require('express-session');
app.use(session({
secret: process.env.SESSION_SECRET,
name: 'sessionId', // Don't use default connect.sid
cookie: {
secure: true, // Require HTTPS
httpOnly: true, // Prevent XSS
maxAge: 1000 * 60 * 60, // 1 hour
sameSite: 'strict' // Prevent CSRF
},
resave: false,
saveUninitialized: false
}));
CSRF Protection
Token Validation
const csrf = require('csurf');
// Setup CSRF protection
app.use(csrf());
// Include token in forms
app.get('/trade', (req, res) => {
res.render('trade', { csrfToken: req.csrfToken() });
});
// Validate token on POST requests
app.post('/trade', (req, res) => {
// CSRF token automatically validated
// Process trade
});
XSS Prevention
Content Security Policy
const helmet = require('helmet');
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.traderpal.com"]
}
}));
Security Headers
Helmet Configuration
app.use(helmet({
hsts: {
maxAge: 31536000,
includeSubDomains: true,
preload: true
},
frameguard: {
action: 'deny'
},
noSniff: true,
xssFilter: true
}));
Audit Logging
Security Events
class SecurityAuditLogger {
logSecurityEvent(event) {
const logEntry = {
timestamp: new Date().toISOString(),
type: event.type,
userId: event.userId,
action: event.action,
ip: event.ip,
userAgent: event.userAgent,
status: event.status,
details: event.details
};
// Log to secure storage
secureLogger.info(logEntry);
// Alert on suspicious events
if (this.isSuspicious(event)) {
alertSecurityTeam(logEntry);
}
}
isSuspicious(event) {
// Implement security rules
return event.status === 'failed' &&
event.attempts > 3;
}
}
Best Practices
-
API Security
- Use HTTPS everywhere
- Implement proper authentication
- Validate all inputs
- Use rate limiting
-
Data Security
- Encrypt sensitive data
- Use secure key storage
- Implement access controls
- Regular security audits
-
Infrastructure Security
- Keep systems updated
- Use firewalls
- Monitor for intrusions
- Regular backups
-
Compliance
- Follow regulations
- Document procedures
- Regular training
- Incident response plan
Security Checklist
- HTTPS enabled
- API authentication implemented
- Input validation in place
- Rate limiting configured
- Data encryption implemented
- Security headers set
- CSRF protection enabled
- XSS prevention configured
- Audit logging setup
- Monitoring in place