# Security Best Practices

Secure your Looping Binary integration with industry-standard security practices. Protect your users, data, and API credentials.

**Critical Security Warning:** Never expose your API keys, webhook secrets, or admin tokens in client-side code. Always keep sensitive credentials on your server and use environment variables.
## API Key Security

✅ Do: Store in Environment Variables

`.env`:

```bash
# Server-side environment variables
LB_API_KEY=lb_live_abc123xyz456
LB_WEBHOOK_SECRET=whsec_abc123xyz456
ADMIN_TOKEN=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

❌ Don't: Hardcode or Expose Keys

❌ NEVER DO THIS:

```javascript
// ❌ NEVER hardcode API keys
const apiKey = 'lb_live_abc123xyz456'; // BAD!

// ❌ NEVER expose in client-side code
fetch('https://api.loopingbinary.com/api/admin/mint', {
  headers: { 'x-api-key': 'lb_live_abc123xyz456' } // EXPOSED!
});
```
✅ Correct Usage

`server.js`:

```javascript
// Server-side only
const express = require('express');
const app = express();
app.use(express.json());

const apiKey = process.env.LB_API_KEY;
const adminToken = process.env.ADMIN_TOKEN;

// Keeping the key on the server is necessary but not sufficient: this route
// must also authenticate and authorize the caller and validate req.body before
// forwarding it, or anyone who can reach it can mint coins with your credentials.
app.post('/api/mint-coins', async (req, res) => {
  // API key never exposed to client
  const response = await fetch('https://api.loopingbinary.com/api/admin/mint', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'x-api-key': apiKey, // Secure on server
      'Authorization': 'Bearer ' + adminToken
    },
    body: JSON.stringify(req.body)
  });
  // Pass the upstream status through so failures are not reported as 200
  res.status(response.status).json(await response.json());
});
```

## Authentication Security
### JWT Token Storage

Store JWT tokens securely on the client:

- Use `httpOnly` cookies for web apps: scripts cannot read the cookie, so an XSS payload cannot exfiltrate the token (pair it with the `Secure` and `SameSite` attributes)
- Use secure storage APIs on mobile (Keychain, Keystore)
- Never store in localStorage for sensitive apps
- Set appropriate token expiration times (7 days default)
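To make the cookie recommendation concrete, here is an added example (not from the Looping Binary docs) that builds the `Set-Cookie` header for a session JWT with the attributes listed above and a small audit function that flags cookie headers missing them. The cookie name `lb_session` is an assumption; the 7-day lifetime matches the default stated above.

```javascript
// Added example, not Looping Binary's own code. Builds a hardened Set-Cookie
// header for a session JWT and audits existing headers for missing attributes.
// The cookie name `lb_session` is an assumption for the example.
const SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60; // 7-day default from the docs

function buildSessionCookie(jwt, { maxAgeSeconds = SEVEN_DAYS_SECONDS, name = 'lb_session' } = {}) {
  // Cookie values may not contain ';', ',' or whitespace. A compact JWT never
  // does, but reject anything else rather than emit a malformed header.
  if (typeof jwt !== 'string' || !/^[A-Za-z0-9._-]+$/.test(jwt)) {
    throw new Error('JWT contains characters not allowed in a cookie value');
  }
  return [
    `${name}=${jwt}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',        // not readable from document.cookie, so XSS cannot exfiltrate it
    'Secure',          // never sent over plain HTTP
    'SameSite=Strict', // not attached to cross-site requests, which blunts CSRF
  ].join('; ');
}

// Audit a Set-Cookie header value; returns the hardening attributes it lacks.
function missingCookieHardening(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const has = (name) => attrs.some((a) => a === name || a.startsWith(`${name}=`));
  const missing = [];
  if (!has('httponly')) missing.push('HttpOnly');
  if (!has('secure')) missing.push('Secure');
  if (!has('samesite') || attrs.includes('samesite=none')) missing.push('SameSite=Lax or Strict');
  if (!has('max-age') && !has('expires')) missing.push('Max-Age/Expires');
  return missing;
}
```

With Express the same attributes are passed as `res.cookie(name, jwt, { httpOnly: true, secure: true, sameSite: 'strict', maxAge })`; the audit function is useful in an integration test that inspects the `Set-Cookie` headers your login endpoint actually returns.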
### Password Requirements
- Minimum 8 characters
- Mix of uppercase and lowercase letters
- At least one number
- At least one special character recommended
- All passwords are hashed with bcrypt (12 rounds)
### Two-Factor Authentication (2FA)

Enable 2FA for admin accounts and sensitive operations. Contact us to enable 2FA for your organization.
## Input Validation & Sanitization

Always validate and sanitize user inputs:

```javascript
// Validate transfer amount
const validateAmount = (amount) => {
  // Check if number (typeof alone lets NaN and Infinity through)
  if (typeof amount !== 'number' || !Number.isFinite(amount)) {
    throw new Error('Amount must be a finite number');
  }
  // Check if positive
  if (amount <= 0) {
    throw new Error('Amount must be positive');
  }
  // Check for reasonable limits
  const MAX_TRANSFER = 10000;
  if (amount > MAX_TRANSFER) {
    throw new Error(`Amount cannot exceed ${MAX_TRANSFER} coins`);
  }
  // Check decimal places (max 2). `amount % 0.01` is unreliable with binary
  // floating point (0.1 % 0.01 is not 0), so compare against a rounded value.
  if (Math.abs(amount * 100 - Math.round(amount * 100)) > 1e-9) {
    throw new Error('Amount can have maximum 2 decimal places');
  }
  return true;
};

// Sanitize string inputs
const sanitizeReason = (reason) => {
  if (typeof reason !== 'string') {
    throw new Error('Reason must be a string');
  }
  // Remove HTML tags. This limits what is stored; it does not replace
  // output encoding when the reason is later rendered in a page.
  reason = reason.replace(/<[^>]*>/g, '');
  // Trim whitespace
  reason = reason.trim();
  // Check length
  if (reason.length < 3 || reason.length > 200) {
    throw new Error('Reason must be 3-200 characters');
  }
  return reason;
};
```

## Rate Limiting
Looping Binary implements rate limiting to prevent abuse:
| Endpoint Type | Rate Limit |
|---|---|
| Authentication | 10 requests per minute |
| Coin Transfers | 30 requests per minute |
| Admin Operations | 60 requests per minute |
| Read Operations | 100 requests per minute |
If you need higher limits, contact us at contact@loopingbinary.com.
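The table above describes the limits the API enforces; the checklist below also asks you to rate limit your own endpoints. The following is an added example, not Looping Binary's own limiter: a fixed-window counter keyed on client and endpoint class, using the per-minute figures from the table, with an injectable clock so it can be tested deterministically. The endpoint class names, the client-key choice and the `Retry-After` calculation are this example's own.

```javascript
// Added example, not Looping Binary's own code. Fixed-window rate limiter with
// the per-minute limits from the table on this page. The `now` clock is
// injectable so behaviour at window boundaries can be tested.
const LIMITS = { // requests per 60-second window, from the docs table
  authentication: 10,
  transfer: 30,
  admin: 60,
  read: 100,
};
const WINDOW_MS = 60_000;

class RateLimiter {
  constructor(limits = LIMITS, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.windows = new Map(); // "client:endpointType" -> { start, count }
  }

  // Returns { allowed, remaining, retryAfterSeconds } for one request.
  check(clientId, endpointType) {
    const limit = this.limits[endpointType];
    if (limit === undefined) throw new Error(`Unknown endpoint type: ${endpointType}`);
    const key = `${clientId}:${endpointType}`;
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= WINDOW_MS) {
      w = { start: t, count: 0 }; // start a fresh window
      this.windows.set(key, w);
    }
    if (w.count >= limit) {
      const retryAfterSeconds = Math.ceil((w.start + WINDOW_MS - t) / 1000);
      return { allowed: false, remaining: 0, retryAfterSeconds };
    }
    w.count += 1;
    return { allowed: true, remaining: limit - w.count, retryAfterSeconds: 0 };
  }
}

// Express-style middleware factory (the req/res/next shape is assumed; any
// framework with the same shape works). Key on the authenticated user when
// there is one so a shared NAT address does not throttle unrelated users.
function rateLimit(limiter, endpointType) {
  return (req, res, next) => {
    const clientId = (req.user && req.user.id) || req.ip;
    const r = limiter.check(clientId, endpointType);
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.retryAfterSeconds));
      return res.status(429).json({ error: 'rate limit exceeded' });
    }
    return next();
  };
}
```

A fixed window allows up to twice the limit across a window boundary (the last second of one window plus the first of the next); if that matters for transfers, a sliding window or token bucket is the usual refinement. In a multi-instance deployment the `Map` has to become a shared store such as Redis, since each process would otherwise count separately.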
## Security Checklist
- ✅ Store API keys in environment variables
- ✅ Use HTTPS for all API requests
- ✅ Validate all user inputs
- ✅ Implement rate limiting on your endpoints
- ✅ Use httpOnly cookies for JWT storage
- ✅ Verify webhook signatures
- ✅ Log all sensitive operations
- ✅ Rotate API keys regularly (every 90 days)
- ✅ Enable 2FA for admin accounts
- ✅ Monitor for suspicious activity
## Security Incident Response
If you suspect a security breach:
- Immediately revoke compromised API keys
- Change all admin passwords
- Review transaction logs for suspicious activity
- Contact us at security@loopingbinary.com
- Document the incident details
- Notify affected users if necessary