Hardening client access

Suggest Edits

When your client side application is integrated with Stigg, it uses the Client API key which is publicly accessible to anyone. While the Stigg backend limits the access for that API key to the minimum, some sensitive data may still be accessible for a malicious actor (e.g. by guessing customer ID).

It is highly recommended to enable security hardening for Client API key, in order for Stigg backend to verify the identity of the requests originated from your client-side application.

Customer identity is signed using HMAC SHA256 algorithm.

How does hardening work?

As a prerequisite, inject a signing secret obtained from Stigg into your backend application.

When a user login into your application (step 1), your backend application should create a customer token (step 2) and return it as part of the response (step 3).

When initializing Stigg client on the frontend, provide the customer token as well, which will be sent automatically to Stigg backend upon every request (step 4).

Stigg backend would verify the customer identity using the provided customer token.


How can I enable hardening?

  1. Ask Stigg Support to provide you with the signing secret for the environment that you would like to turn on the hardening.
  2. On your backend application:
    1. Find the handler for that provide the user identity to the client side.
    2. Add to the response additional field with the customerToken that sign the customer using the signing secret, for example:
import { createHmac } from 'crypto';

export function createCustomerToken(customerId: string, signingSecret: string): string {
  const signature = createHmac('sha256', signingSecret).update(customerId).digest('hex');
  return `HMAC-SHA256 ${customerId}:${signature}`;
}
  1. On your client application, pass the customerToken:
import { useStiggContext } from '@stigg/react-sdk';

function App() {
  const { stigg } = useStiggContext();

  useEffect(() => {
    // After user sign in call to setCustomerId
    stigg.setCustomerId('customer-ID', 'customer-Token');
  })
}
  1. Ask Stigg Support to enable the hardening enforcement for the environment.

Updated 3 months ago