App Security FAQ
Last updated
Was this helpful?
Last updated
Was this helpful?
Here is a compiled list of common questions and answers around building secure apps with Airkit, ranging from best practices around TCPA, Airdata security and retention, session expiry, and more.
Data flows are run server-side, which is why they have inputs and outputs. Data that is stored at the session namespace, activity group namespace, or activity namespace is stored on the client and accessible through the browser. For more information on variables scopes, see .
By default, sessions have an expiration of 30 days. Session expiration time can be configured in Journey's can also be extended using the action in an action chain as well.
Session Activity can be monitored and seen by clicking on the menu icon > Sessions and Activity when editing an application in the studio. Journey's can also be ended manually by using the action in an action chain.
Yes. Airkit allows apps to be defined as Public Apps, Secure Apps, or Authentication Apps, which can be configured in . Public apps can be accessed from anyone and are open to the public for access. Secure apps can only be accessed by being redirected through an Authentication App. The Authentication App is typically a generic app that asks for a username/password (where password is collected by a Secure Text Input Control), and when submitted, calls the . If the username/password matches the authentication parameters, then the Set Authentication Action redirects the user to the Secure App Journey. The Secure App also has a cookie that can be set, which will redirect the user back to the Authentication App when it is expired.
Yes, assets uploaded to the Media library are scanned for trojans, malware, viruses and other threats. If a malicious file is detected, the asset will be rejected.
Yes, API tokens and credentials that are uploaded via integrations are stored in an encrypted vault.
The Airkit platform cannot be accessed within an iframe, prevented by setting content-security-policy: frame-ancestors 'none'. This prevents clickjacking while working within the Console or Studio. As far as authentication, cookies are secure-only and have a Same-Site: Lax security policy.
To protect against clickjacking when inserting your apps into an iframe, you must explicitly allow specific target domains if you want to embed your Airkit app. The default content-security-policy only allows apps to be embedded in the Studio/Preview and (if applicable) Airkit portals. The “Embedded External Content” control sets the iframe sandbox property to allow-scripts allow-forms to provide a balance of functionality and security. Content embedded within an Airkit app may not modify the parent frame. Any application authentication cookies are secure-only and have a Same-Site: Lax security policy.
Airkit limits the risks of CSRF attacks in a variety of ways. Authentication cookies require HTTPS, are inaccessible from Javascript (http-only), and have a same-site: lax policy. All API requests contain an XSRF-Token to prevent to prevent cross-domain form submission. GET requests never modify data.
When an Airkit organization is provisioned, you have the ability to select a realm for where your data resides. If you select an EU realm, your data will stay within the EU-Central-1 AWS region. Please note that as a developer you have the ability to call APIs and copy data globally, the realm constraint ensures that Airkit will not move your data or processing outside of that region.
Airkit allows app users to be authenticated via as well as multiple OAuth 2.0 venders, including , , and . All available OAuth app authentication options adhere to the Open ID Connect spec. When verification succeeds and the user provides consent, the user information can be surfaced via the On Authentication Success Event, and he JWT from the vendor remains in the browser as a cookie.
Customer can bring as many domains () as they want. App isolation is essentially enforced at a domain level, so you can set up apps on their own subdomains if needed. The app developer has full control over where APIs and/or Apps live and which domain they're on.
When embedding your Airkit apps into your existing digital portfolio, CORS must be done on an application-by-application basis. Target hostnames are defined under Studio > Settings > Target Names. When using , these target hostnames will be applied only if Enable CORS (found under Studio > Triggers > SDK > Authentication) is checked, which is done but default upon the creation of an SDK Trigger. For more on how this is implemented, see the .
When an is provisioned, the organization and all assets pertaining to that organization are stored in a that is selected at purchasing. These realms include United States (us-west-2), Australia (ap-southeast-2), and the EU (eu-central-1). If you are not sure what realm an Airkit Organization is provisioned in, please reach out to your sales representative or reach out to support@airkit.com.
Airdata is encrypted at rest, encrypted in transit between systems and encrypted on the server itself. Our online infrastructure is built on Amazon Web Services, and Airkit maintains a SOC2, PCI, HIPAA and other controls that cover the service's security, confidentiality, availability, and integrity. For more information, see .
Data stored in Airdata is retained unless it is manually deleted. Session data, on the other hand, is stored for the length of the session duration. Session duration is configurable by the user in configuration builder and can also be extended by using the .
When an Airkit organization is provisioned, you have the ability to select a realm for where your data resides. If you select a US realm, your data will stay within the us-west-2 AWS region, and ensures that Airkit will not move your data or processing outside of the US realm. As a developer, you also have other tools available to help you build applications to help meet HIPAA requirements. Airkit supports , using Airkit's default keys or you can bring your own key, along with data tagging in AirData. There is also the so that inputs can only be accessed server-side and not saved on the browser as well as the .
Data that is input on the client is saved on the browser. If using the , the values input into that control are not surfaced on the browser. Using the secure text input control generates a secureValueKey that can be accessed through a data flow using the .
Assets in Airkit are uploaded to Amazon S3, in a separate bucket per org, per application. Assets can either created as a global asset or a private asset. Global assets are available on the CDN with a static link. Private assets have a generated link and has an expiration time which is configurable. See for more information.
Secure data can be handled by using the , , or by using PCI compliant controls such as the or the .
When using the , emails get routed through Amazon SES and do not sit on Airkit servers. Mailboxes are also not hosted by Airkit and receiving emails are the responsibility of the mailbox owner.
The best way to ensure TCPA compliance when building out an application, is to first be able to extract a user's state and timezone locale. The best way to do this, is to ask for a user's zipcode, and use a zipcode lookup API to extract state and timezone. Using this information, chat/voice bots can be triggered on that can be restricted to only run based on a TCPA calendar. The calendar restriction must be to either Do not schedule and cancel or Schedule in next available time slot. For more information on TCPA, see .
When building a PCI compliant app, ensure that no sensitive data is saved on the client. Data that is deemed sensitive should use the , and pass that data to be retrieved server side, through a data flow. Also, data that is passed to the data flow should not be returned as an output, or else the application is no longer PCI compliant. Also, when capturing credit card information, Airkit has PCI specific controls that are PCI compliant out of the box, such as and the .