what recommendations are there for security settings when using APIs - Answers - Salesforce Trailblazer Community
Angela Mullen-Smith

what recommendations are there for security settings when using APIs

I have set up the transfer of data from our website to Salesforce using APIs and I have been asked if there are further security settings I should be using.

My Health Check level is 98% ( I have the ability to log on as other users) - I can't think what else I need to update.

There is a concern that someone might attempt to hack the webpage.
Best Answer chosen by Angela Mullen-Smith
Amnon Kruvi
Hi Angela,

If you have genuine concerns about page hacking, then here are a few things I can come up with:
1. Use a separate user for your API (don't use the admin). This user should only have access to create/edit/read the data it needs, and be an API-only user.
2. You probably already do this, but make sure you use OAuth for authentication between the site and API. This allows you to revoke access whenever you wish, and there will be no "password" to steal. If a hacker does get the access token, it will be temporary.
3. Consider using an IP whitelist to only allow the website to access the API.

Good luck!
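The OAuth advice in point 2, as an added example that is not part of this thread: a website-side Python client that stores only a revocable refresh token (never a Salesforce password), exchanges it at Salesforce's standard /services/oauth2/token endpoint for a short-lived access token, retries once when a session has expired, and stops outright when the refresh is refused because an admin revoked the grant. The injected transport function, the fake Salesforce stand-in and every token value are constructed for the example so it runs offline.

```python
from urllib.parse import urlencode
TOKEN_PATH = "/services/oauth2/token"  # Salesforce's standard OAuth 2.0 token endpoint

class TokenRevoked(Exception): pass  # refresh refused: an admin revoked the grant, so stop

class SalesforceClient:
    """Website-side client holding a revocable refresh token, never a password."""
    def __init__(self, instance_url, client_id, refresh_token, transport):
        self.instance_url, self.client_id = instance_url, client_id
        self.refresh_token = refresh_token  # long-lived but revocable by an admin
        self.transport = transport          # transport(method, url, headers, body) -> (status, json)
        self.access_token = None            # short-lived session token, fetched on demand

    def _refresh(self):
        form = urlencode({"grant_type": "refresh_token", "client_id": self.client_id,
                          "refresh_token": self.refresh_token})
        status, resp = self.transport("POST", self.instance_url + TOKEN_PATH,
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise TokenRevoked(f"token refresh failed: {status} {resp}")
        self.access_token = resp["access_token"]

    def _call(self, path):
        return self.transport("GET", self.instance_url + path,
                              {"Authorization": "Bearer " + self.access_token}, None)

    def get(self, path):
        """GET a REST resource; on 401 (expired session) refresh once and retry."""
        if self.access_token is None:
            self._refresh()
        status, resp = self._call(path)
        if status == 401:
            self._refresh()
            status, resp = self._call(path)
        return status, resp

def make_fake_transport(valid_tokens, refresh_ok=True):
    """Constructed stand-in for Salesforce (no network): honours only tokens in valid_tokens."""
    issued = iter(["access-1", "access-2"])
    def transport(method, url, headers, body):
        if url.endswith(TOKEN_PATH):
            if not refresh_ok:  # revoked grant: the token endpoint answers invalid_grant
                return 400, {"error": "invalid_grant"}
            valid_tokens.add(token := next(issued))
            return 200, {"access_token": token}
        if headers.get("Authorization", "")[len("Bearer "):] not in valid_tokens:
            return 401, [{"errorCode": "INVALID_SESSION_ID"}]
        return 200, {"ok": True}
    return transport
```

Clearing `valid_tokens` simulates a server-side session expiry; constructing the transport with `refresh_ok=False` simulates an admin revoking the integration's access.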

All Answers

Angela Mullen-Smith
Hi Amnon Kruvi
Thanks for the advice
I have set up a separate user, but I did not make it an API-only user. I have the admin profile, so I will do that.
I am using OAuth for authentication.
I am not using an IP whitelist, so I will do that.

Thank you and I appreciate your advice.