Security Best Practices
1. Protect Your API Keys
❌ Don't:
- Hardcode keys in code
- Commit keys to version control
- Share keys in plain text
✅ Do:
- Store keys in environment variables
- Use key management tools (AWS Secrets Manager, HashiCorp Vault, etc.)
- Rotate keys regularly
```java
// ❌ Wrong
private static final String API_SECRET = "MpkvVlXvYTZVPPJ0LReNA-g_yC7V7foe4UAj7tgWJSM";
// ✅ Correct
// System.getenv returns null when the variable is unset: check for that at startup
// and fail fast rather than sending requests signed with a null secret
private static final String API_SECRET = System.getenv("STABLEPAY_API_SECRET");
```
2. Use HTTPS
Production environments must use HTTPS:
```java
// ❌ Wrong (testing only)
private static final String BASE_URL = "http://api.paystablecoin.global";
// ✅ Correct (production)
private static final String BASE_URL = "https://api.paystablecoin.global";
```
3. Implement Retry Logic
Handle transient network failures by retrying with backoff:
```java
import java.io.IOException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

static HttpResponse<String> sendWithRetry(HttpClient httpClient, HttpRequest request)
        throws IOException, InterruptedException {
    int maxRetries = 3;
    for (int i = 0; i < maxRetries; i++) {
        try {
            return httpClient.send(request, HttpResponse.BodyHandlers.ofString());
        } catch (IOException e) {
            if (i == maxRetries - 1) {
                throw e; // last attempt failed: surface the error to the caller
            }
            Thread.sleep(1000L << i); // exponential backoff: 1 s, then 2 s
        }
    }
    throw new IllegalStateException("unreachable");
}
```
Retry only requests that are safe to repeat: an IOException means no response was received, but the server may still have processed the request. Because the signature covers a timestamp (see section 4), rebuild and re-sign the request on each attempt instead of resending the same bytes after the delay.
4. Log Signature Details (Development Only)
In development environments, log the signature components for debugging:
```javascript
console.log('=== Debug Info ===');
console.log('Timestamp:', timestamp);
console.log('Method:', method);
console.log('Path:', path);
console.log('Body hash:', bodyHash);
console.log('Signature string:', stringToSign.replace(/\n/g, ' | '));
console.log('Signature:', signature);
```
⚠️ Production environments must not log sensitive data (API keys, signatures). Never log the API secret itself in any environment; the components above are enough to reproduce a signature mismatch.
Related Documentation
- Common Errors and Solutions - Check common error handling
- Testing Checklist - Check pre-launch checklist