Security considerations

Security remains the top priority when it comes to online financial transactions.

Integration

To keep exchanges between the merchant and HUB2 confidential, and to ensure that only the merchant originates transactions (and therefore sets their amount and other properties), the API must be integrated on the server side only.

Sensitive data, such as API keys, must never be disclosed, whether on a website or in a smartphone application.

This approach strengthens security by avoiding direct exposure of API keys and sensitive information on the client side. Performing transactions on the server side considerably reduces the risk of attacks such as client-side data manipulation.

CORS

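To prevent client-side integrations, the HUB2 API is configured so that it can never be called from the end client's browser.

In other words, the HTTP headers for cross-origin resource sharing (CORS) are set so that browsers block such calls. This restriction is enforced by the browser, so it complements, and does not replace, keeping API keys on the server.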

Signature

To enhance the security and integrity of API interactions, an optional payload signature mechanism is available. This feature enables merchants to cryptographically sign the JSON request body sent to the API. Verifying this signature ensures that the data has not been tampered with in transit and originates from a trusted source. This added layer of security is particularly valuable for sensitive financial transactions.

Check out the integration page to understand how to use it.
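
The following added example (not HUB2's own code) shows what signing a JSON request body protects against and why the signature must cover the exact bytes that are sent. It assumes HMAC-SHA256 with a shared secret; the algorithm, key material and transport that HUB2 actually uses are defined on the integration page, and the field names and secret below are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo secret; a real one is loaded from server-side configuration.
DEMO_SECRET = b"constructed-demo-secret"


def serialize(payload: dict) -> bytes:
    """Serialize once; these exact bytes are both signed and sent."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_body(secret: bytes, body: bytes, signature: str) -> bool:
    """Recompute over the bytes received and compare in constant time."""
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, signature)


def demo() -> dict:
    # Constructed sample payload; field names are hypothetical.
    payload = {"amount": 5000, "currency": "XOF", "reference": "order-1001"}
    body = serialize(payload)
    signature = sign_body(DEMO_SECRET, body)

    # Same fields, amount changed in transit.
    tampered = body.replace(b"5000", b"9000")
    # Same data re-encoded with default spacing: different bytes on the wire.
    reencoded = json.dumps(payload).encode("utf-8")

    return {
        "intact": verify_body(DEMO_SECRET, body, signature),
        "tampered": verify_body(DEMO_SECRET, tampered, signature),
        "reencoded": verify_body(DEMO_SECRET, reencoded, signature),
        "wrong_key": verify_body(b"another-secret", body, signature),
    }


if __name__ == "__main__":
    print(demo())
```

Only the untouched body verifies. The re-encoded case fails even though the data is identical, which is why the sender signs the serialized bytes and transmits those same bytes unchanged.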