Best Practices for Secure Applications

At HP we take our members' privacy very seriously. When we grant developers API access, we expect them to take member privacy as seriously as we do. By using the OAuth 2.0 authentication protocol we allow an application to access Analytics data while protecting the member's credentials. Using this protocol allows applications on our platform to be safe and easy to use for our members; however, there are some security steps that you as a developer must take to provide a secure experience.

Please read the following guide and make sure that your application follows these best practices.

Reset the Client Secret associated with your Client ID

HP recommends that the Client Secret value associated with your Client ID be reset every 90 days. Record the start and end dates so that you know how long the current Client Secret has been in use. If the Client Secret is approaching 90 days of age, reset it and update your application. Update your Client Secret value in the following situations:
● Your current Client Secret is close to 90 days old.
● The security of your Client Secret value has been compromised.

To refresh client secrets:

  • Click Login to log in to the HP Developers portal using your Proactive Management login/password. If you do not yet have an account on the HP Developers portal, click the Register link to create an account.
  • Expand the drop-down menu under your email address, and click My Apps.
  • Open your app.
  • Click Reset Secret.

Access Tokens

Access tokens allow a developer to access analytics data through our API. To keep them safe, do not store them in insecure locations or in locations that are easily accessible.
Client-side files, such as JavaScript or HTML files, should never be used to store sensitive information, as these can easily be accessed. You should also not store access tokens in code files that can be decompiled, such as native iOS, Android, or Windows application code files. When making calls to the HP Analytics API, access tokens must always be passed over a secure (HTTPS) connection.
A developer should always request the minimal scopes necessary and only request the permissions that are needed for the application's functionality.

API Key & Secret Key

When making calls to the Analytics APIs you use two pieces of identifying information: the API Key (sometimes called the Client ID) and the Secret Key (or Client Secret).
The API Key is a public identifier of your application; the Secret Key is confidential and should only be used to authenticate your application to the Analytics APIs.
Since both the API Key and Secret Key are needed together to confirm your application's identity, it is critical that you never expose your Secret Key. Remember that when exchanging an OAuth 2.0 authorization code for an access token, the Secret Key is passed as part of the request. Do not expose this request publicly.

Secure endpoints

To prevent others from reading your requests and to prevent man-in-the-middle attacks, all requests to our authentication servers must be made over HTTPS. It is also strongly recommended that your application be hosted on a secure server, particularly for any pages where a member enters private information (such as their password for your site) and for any URLs to which you ask HP DaaS to redirect the member as part of the OAuth authorization flow.
The use of HTTPS is required for OAuth 2.0 requests.

Phishing prevention

Cyber-criminals often create websites that look and feel authentic but are really fake replicas intended to steal user credentials. Educate your users to check that they are entering credentials on a genuine HP DaaS application. Note that browsers may display sites differently, and this alone may not be enough to distinguish a phishing site. When in doubt, tell users not to enter their credentials and to contact you when they suspect suspicious activity.

Cross-site request forgery

To protect against CSRF during authorization, you need to pass a state query parameter. This should be a unique string value for each request that is difficult to guess, and it should not contain any private or sensitive information.
Sample state value

state=760iz0bjh9gy71asfFqa

Upon successful authorization, the redirected URL should look like:
Sample callback url

https://OAUTH2_REDIRECT_URI/?code=AUTH_CODE&state=760iz0bjh9gy71asfFqa

Ensure that the state parameter in this response matches the one you passed in your authorization request. If the state does not match, the request may be the result of CSRF and must be rejected.
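The following Python example shows the state handling described above end to end: minting an unguessable state, binding it to the user's session, and verifying it on the callback before the authorization code is trusted. It is an added illustration, not code from the HP DaaS documentation; the client ID, redirect URI and the in-memory session dictionary are constructed placeholders, while the authorize URL is the one listed on this page.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint taken from this page; the other two values are constructed placeholders.
AUTHORIZE_URL = "https://daas.api.hp.com/oauth/v1/authorize"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def new_state() -> str:
    """Return a fresh, unguessable, URL-safe state value (32 bytes from the OS CSPRNG)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(session: dict) -> str:
    """Start the flow: mint a state, bind it to this user's server-side session, put it in the URL.

    `session` stands in for whatever server-side session store your framework provides.
    """
    state = new_state()
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to us and return the authorization code, or raise.

    The stored state is consumed on first use, so a replayed callback fails even if it matches.
    """
    expected = session.pop("oauth_state", None)
    query = parse_qs(urlsplit(callback_url).query)
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("missing state: possible CSRF, rejecting callback")
    # Constant-time comparison; the values are compared as bytes.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: possible CSRF, rejecting callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


if __name__ == "__main__":
    session = {}  # constructed stand-in for a real server-side session
    print("redirect the member to:", build_authorize_url(session))
    good = f"{REDIRECT_URI}?code=AUTH_CODE&state={session['oauth_state']}"
    print("code from a matching callback:", handle_callback(dict(session), good))
    forged = f"{REDIRECT_URI}?code=AUTH_CODE&state=760iz0bjh9gy71asfFqa"
    try:
        handle_callback(dict(session), forged)
    except PermissionError as exc:
        print("forged callback rejected:", exc)
```

The state is popped from the session before it is compared, so each value is accepted at most once, and a callback that arrives with no session state at all (for example, one a member was tricked into following without having started the flow) is rejected just like a mismatch.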

Third-Party Libraries

When using a third-party library to interact with HP DaaS, use your best judgment to ensure that the library comes from a trusted source. Read its reviews, look over the code, and do some background research to make sure it is not malicious and does not have unexpected behavior. HP DaaS does not officially support any third-party library, so if you run into technical questions or concerns, please contact the library's development team directly.

Error Handling

Due to the nature of cloud APIs, services can be temporarily unavailable for reasons outside of your or HP DaaS's control. You should assume that any call you make to HP DaaS or to any third-party API may fail, and always include error-handling logic around your requests. This applies to every request, including:

GET https://daas.api.hp.com/oauth/v1/authorize

POST https://daas.api.hp.com/oauth/v1/token
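The following Python example, added here and not part of the HP DaaS documentation, ties together three points from this page in one token exchange: the Secret Key is sent in the code-for-token request (API Key & Secret Key) and so is read from the server's environment rather than from any code file, credentials go only over HTTPS (Secure endpoints), and the POST to the token endpoint may fail and is retried on transient errors (Error Handling). The environment variable name HP_DAAS_CLIENT_SECRET, the `send` transport callback, the retry policy and the fake transport are assumptions of this example; the token URL is the one listed above and the response field names follow standard OAuth 2.0.

```python
import os
import time
from urllib.parse import urlsplit

TOKEN_URL = "https://daas.api.hp.com/oauth/v1/token"  # endpoint listed on this page
RETRYABLE_STATUSES = {429, 500, 502, 503, 504}        # transient: worth a retry with backoff


class TransientError(Exception):
    """Token endpoint stayed unavailable after all retries."""


def load_client_secret(env=os.environ) -> str:
    """Read the Secret Key from the environment (the variable name is an assumption of this
    example), never from a source file, a client-side file or a decompilable binary."""
    secret = env.get("HP_DAAS_CLIENT_SECRET")
    if not secret:
        raise RuntimeError("HP_DAAS_CLIENT_SECRET is not set")
    return secret


def require_https(url: str) -> str:
    """Refuse to send credentials to anything but an https:// URL."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL: " + url)
    return url


def exchange_code(code, client_id, client_secret, redirect_uri, send,
                  max_attempts=4, sleep=time.sleep):
    """Exchange an authorization code for tokens.

    `send(url, form) -> (status, body_dict)` is a hypothetical HTTP transport; plug in your
    HTTP client. Transient failures are retried with exponential backoff; any other non-200
    status means the request itself is wrong, so it is raised at once. The error message never
    includes the form, so the secret is never logged.
    """
    url = require_https(TOKEN_URL)
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,  # the Secret Key rides in this request: keep it server-side
    }
    delay = 0.5
    for attempt in range(1, max_attempts + 1):
        try:
            status, body = send(url, form)
        except OSError as exc:            # DNS failure, connection reset, timeout: treat like a 5xx
            status, body = None, {"error": str(exc)}
        if status == 200 and "access_token" in body:
            return body
        if status is not None and status not in RETRYABLE_STATUSES:
            raise PermissionError(f"token request rejected ({status}): {body.get('error', 'unknown')}")
        if attempt == max_attempts:
            raise TransientError(f"token endpoint unavailable after {attempt} attempts")
        sleep(delay)
        delay *= 2


def fake_transport(failures_before_success: int):
    """Constructed offline stand-in for the HTTP client: answers 503 N times, then succeeds."""
    calls = []

    def send(url, form):
        calls.append(url)
        if len(calls) <= failures_before_success:
            return 503, {"error": "temporarily_unavailable"}
        return 200, {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}

    send.calls = calls
    return send


if __name__ == "__main__":
    transport = fake_transport(failures_before_success=2)
    tokens = exchange_code(
        "AUTH_CODE", "EXAMPLE_CLIENT_ID",
        load_client_secret({"HP_DAAS_CLIENT_SECRET": "constructed-secret"}),
        "https://app.example.com/oauth/callback", transport, sleep=lambda s: None)
    print("token obtained after", len(transport.calls), "attempts:", tokens["token_type"])
```

Retrying is limited to statuses that signal a temporary condition; a 400 or 401 from the token endpoint means the code, redirect URI or credentials are wrong, and repeating that request only produces the same rejection, so it is surfaced immediately for the operator to investigate.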