Documentation · Security
Security hardening
Practical controls for production integrators. Pair with the threat model.
Rate limiting
- Relay enforces per-tenant session and concurrent caps (hard reject, no overage).
- Provision and public scan APIs are IP rate-limited on the marketing site.
- Evidence submission should use client-side backoff; Enterprise can request custom quotas.
Replay protection
- Send Idempotency-Key on all mutating obligation ledger calls.
- Verify webhook signatures before acting; reject stale timestamps.
- Never treat a webhook alone as proof of fund movement — execute on your rails after validation.
Key rotation
- Relay keys support dual-slot grace rotation (zero downtime).
- Rotate FLOMISMA_INTERNAL_API_KEY / ledger keys via portal; revoke old kid after grace.
- Vault: rotate KEK via documented shred/lazy re-encrypt path; prefer HSM for Enterprise.
Environment separation
- Use separate tenants and keys for dev / staging / prod.
- Never point production webhooks at localhost tunnels long-term.
- Keep Stripe webhook secrets and portal URLs out of client bundles.