API Security
Security Measures and Restrictions
CORS
CORS (Cross-Origin Resource Sharing) is a browser security feature that controls how web pages from one origin can request resources (such as data or APIs) from another origin, preventing malicious scripts from reading data they should not have access to. It works through HTTP headers that let a server tell the browser which origins are allowed access, selectively relaxing the strict Same-Origin Policy so that different web sources can communicate in a controlled, secure way.
The APIs do not enforce a CORS policy restricted to specific hosts. Specifically, the following policies are set:
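How the server side of this works, as an added example that is not the page's own code: the permissive setting that accepts and echoes any Origin (the "no specific hosts" case described above) beside an explicit per-host allowlist. The origin names, allowlist and function names are constructed for illustration.

```python
# Added example (not from the original page): minimal CORS policy logic.
# Header names are the standard CORS response headers; the allowlist
# and origins below are constructed sample values.
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to call the API (hypothetical).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def permissive_cors_headers(origin):
    """Weak setting: every origin is accepted and echoed back.

    Echoing the request Origin together with Allow-Credentials: true means
    any site can make credentialed cross-origin reads of API responses.
    """
    return {
        "Access-Control-Allow-Origin": origin or "*",
        "Access-Control-Allow-Credentials": "true",
    }


def restricted_cors_headers(origin):
    """Corrected setting: only exact allowlisted origins are granted access.

    Returns an empty dict when the Origin header is absent, malformed, not
    HTTPS, or not on the allowlist, so the browser blocks the read.
    'Vary: Origin' keeps shared caches from serving one origin's
    Access-Control-Allow-Origin value to a different origin.
    """
    if origin is None:
        return {}
    parts = urlsplit(origin)
    # Accept only scheme://host[:port]; a path or query never appears in a
    # real Origin header, and "null" or "http://" origins are rejected.
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    normalised = f"{parts.scheme}://{parts.netloc}"
    # Exact-match lookup: a prefix or suffix lookalike such as
    # https://app.example.com.example.net does not match.
    if normalised not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
```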
Application Security
- Auto bot-detection
- DDoS attack mitigation
- Web application exploit mitigation, with over 700 rules
- OWASP Core Rule Set, mitigating over 170 common OWASP vulnerabilities
- Traffic monitoring: several rules are in place to ensure inbound traffic is monitored.
Several distinct authentication protections are also enabled:
- Suspicious IP throttling: Protect your accounts against high-velocity attacks that target multiple user accounts from a single IP address.
- Brute-force protection: safeguards against brute-force attacks that target a single user account. By default, this feature limits login attempts separately for each source IP address, reducing the potential for attackers to lock legitimate users out of their accounts.
Country-access Restrictions
Traffic originating from several high-risk countries is blocked by default. This includes traffic from the Russian Federation, China and others.
Restrictions for Onion/Tor
Onion and Tor-based traffic is blocked by default.