Best practices
Following are some guidelines for best practices.
Sensitive data
As with any third-party service it’s important to understand what data is being sent to Controlant, and ensure sensitive data either never reaches the Controlant servers, or at the very least sensitive data is not stored.
We recommend filtering or scrubbing sensitive data prior to transmission, so that data is not sent to Controlant.
We also recommend configuring server-side scrubbing to ensure the data is not stored.
Two categories of data that every company should scrub are:
PII (Personally Identifiable Information) such as a user's name or email address.
Authentication credentials, such as tokens and passwords.
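The following is an added example of client-side scrubbing for the two categories above; it is not Controlant code and the field names, patterns and sample event are constructed for illustration. It redacts values by field name (PII and credential fields) and then pattern-scans every remaining string, so a token or e-mail address pasted into a free-text field is still removed before the payload leaves your system.

```python
import re
from typing import Any

# Field names whose values are always redacted, whatever they contain.
# This list is constructed for the example; extend it to match your own payloads.
SENSITIVE_KEYS = {
    "name", "email", "phone", "address",                      # PII
    "password", "passwd", "secret", "token", "access_token",  # credentials
    "api_key", "apikey", "authorization",
}

# Patterns caught inside free-text fields, where a key name gives no hint.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*")

REDACTED = "[REDACTED]"


def scrub_text(text: str) -> str:
    """Redact bearer tokens and e-mail addresses embedded in a string."""
    text = BEARER_RE.sub("Bearer " + REDACTED, text)
    return EMAIL_RE.sub(REDACTED, text)


def scrub(payload: Any) -> Any:
    """Return a redacted copy of a JSON-like payload; the original is not modified.

    Dict values are redacted by key name, then every remaining string is
    pattern-scanned, so a token pasted into a 'note' field is still caught.
    """
    if isinstance(payload, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
            for k, v in payload.items()
        }
    if isinstance(payload, list):
        return [scrub(item) for item in payload]
    if isinstance(payload, str):
        return scrub_text(payload)
    return payload  # numbers, booleans, None pass through unchanged


# Constructed sample event; not a real Controlant payload.
SAMPLE_EVENT = {
    "event": "temperature_excursion",
    "shipment_id": "SHP-0001",
    "temperature_c": 9.4,
    "contact": {"name": "Jane Doe", "email": "jane@example.com"},
    "credentials": {"token": "tok_constructed_abc123"},
    "note": "Escalated by ops@example.com; see Bearer eyJhbGciOi.constructed",
}

if __name__ == "__main__":
    import json
    print(json.dumps(scrub(SAMPLE_EVENT), indent=2))
```

Run `scrub()` on every payload immediately before transmission; operational fields such as the shipment id and temperature pass through untouched, while the contact, credential and free-text fields come out redacted.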
Restricting emails
Your company's compliance rules may require that data only be transmitted over SSL and stored in a secure manner. One common area where this comes up is email notifications.
By default, Controlant includes a large amount of data in issue notification emails. In some cases this may include geo-location data or other user data.
We advise you to consult your compliance officer or IT department regarding your company's compliance rules and then get in touch with your Controlant Customer Success Manager to solve any compliance related issues.
API key management
Keeping your API keys secure
When you use API keys in your applications, take care to keep them secure. Publicly exposing your credentials can result in your account being compromised, which could lead to unexpected charges on your account. To help keep your API keys secure, we recommend these best practices:
Store API keys / secrets safely
Do not embed API keys / secrets directly in code.
Do not store API keys / secrets in files inside your application, including the application’s source tree.
If you do accidentally commit an API key / secrets to version control, revoke the API key immediately and generate a new one.
Ensure API keys / secrets do not appear in URLs or anywhere that can be captured in web server logs.
Review your code carefully and ensure it doesn’t contain API keys / secrets or any other private information before publicly releasing it.
Put the configuration file containing the API keys / secrets in the revision control ignore list (e.g. .gitignore). This prevents accidentally committing them in the future.
Limit the usage of API keys / secrets
Restrict your API keys / secrets to be used by only the IP addresses, referrer URLs, and mobile apps that need them.
Don't share your API keys / secrets with different applications.
If more than one application uses the same API, register each application to get a new set of API keys / secrets.
Update API keys / secrets
Delete unneeded API keys / secrets.
Update (rotate) your API keys / secrets periodically.
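An added example (not Controlant's code) of how the storage and usage guidelines above look in an integration client. The environment variable name, header name and sample source text are placeholders chosen for this example; the real header the Controlant API expects is whatever its reference documentation specifies. The key is read from the process environment and the client fails closed if it is absent, the key travels in a header rather than the URL, outgoing log lines are redacted, and a small pre-release scan flags string literals assigned to secret-looking names.

```python
import os
import re
from typing import Dict, Iterable, List, Mapping

# Placeholder names for this example; use the names your deployment defines.
API_KEY_ENV = "CONTROLANT_API_KEY"
API_KEY_HEADER = "X-Api-Key"

REDACTED = "[REDACTED]"


class MissingApiKey(RuntimeError):
    """Raised at startup when no key is configured; better than a hard-coded fallback."""


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment, never from a file in the source tree."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise MissingApiKey(f"{API_KEY_ENV} is not set")
    return key


def auth_headers(api_key: str) -> Dict[str, str]:
    """Send the key as a request header; query strings end up in web server logs."""
    return {API_KEY_HEADER: api_key}


def check_url_has_no_secret(url: str, api_key: str) -> str:
    """Refuse to build a request whose URL would write the key into access logs."""
    if api_key in url:
        raise ValueError("API key must not appear in the request URL")
    return url


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each known secret before a log line is emitted."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, REDACTED)
    return text


# Matches assignments such as  API_KEY = "..."  or  token: '...'  with a
# literal of at least 8 characters; a cheap pre-release review aid, not a
# replacement for a proper secret scanner.
HARDCODED_SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["'][^"']{8,}["']"""
)


def find_hardcoded_secrets(source: str) -> List[int]:
    """Return 1-based line numbers that look like a secret literal in source code."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if HARDCODED_SECRET_RE.search(line)
    ]


if __name__ == "__main__":
    key = load_api_key()
    url = check_url_has_no_secret("https://integrations.controlant.com/health", key)
    print(redact(f"GET {url} with headers {auth_headers(key)}", [key]))
```

Wire `find_hardcoded_secrets()` into a pre-commit or CI step over the files being committed; together with a `.gitignore` entry for the real configuration file it catches the accidental commit before the key needs to be revoked and rotated.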
System health status
You can automatically check the health status of the Controlant Integrations API system by querying the /health endpoint. This endpoint returns a simple response indicating whether the system is healthy and ready to receive connections, or down:
Request
UAT health endpoint
$ curl -i https://integrations.uat.controlant.com/health
LIVE health endpoint
$ curl -i https://integrations.controlant.com/health
Response
< HTTP/1.1 200 OK
< Date: Wed, 29 Jan 2025 13:34:05 GMT
< Content-Type: text/plain
< Server: Kestrel
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< Transfer-Encoding: chunked
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< x-correlation-id: 8b18a9f3-3459-438c-aac7-929fb0b08fbf
<
Healthy
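An added example of turning the health endpoint into an automated monitor check; it is not Controlant code. The parser treats the response as healthy only when the status is 200 and the body is the literal `Healthy`, and it surfaces the `x-correlation-id` header so a failing check can be quoted to support. The two sample responses are constructed to mirror the one shown above (the 503 case is assumed; the page only shows the healthy response), and `fetch_health()` performs the live request with the standard library.

```python
import urllib.error
import urllib.request
from typing import Dict, NamedTuple

HEALTH_URLS = {
    "uat": "https://integrations.uat.controlant.com/health",
    "live": "https://integrations.controlant.com/health",
}


class HealthResult(NamedTuple):
    status: int
    healthy: bool
    correlation_id: str  # quote this to support when a check fails
    body: str


def health_url(environment: str) -> str:
    """Map the environment name to its /health endpoint; unknown names fail loudly."""
    return HEALTH_URLS[environment.lower()]


def evaluate(status: int, headers: Dict[str, str], body: str) -> HealthResult:
    """Healthy means HTTP 200 with the literal body 'Healthy'; anything else is down."""
    normalized = {k.lower(): v for k, v in headers.items()}
    body = body.strip()
    return HealthResult(
        status=status,
        healthy=(status == 200 and body == "Healthy"),
        correlation_id=normalized.get("x-correlation-id", ""),
        body=body,
    )


def parse_health_response(raw: str) -> HealthResult:
    """Parse a raw HTTP/1.1 response such as the one curl -i prints."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return evaluate(status, headers, body)


def fetch_health(environment: str, timeout: float = 5.0) -> HealthResult:
    """Query the real endpoint; HTTPError carries the status for non-2xx replies."""
    request = urllib.request.Request(health_url(environment), method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return evaluate(resp.status, dict(resp.headers), resp.read().decode())
    except urllib.error.HTTPError as err:
        return evaluate(err.code, dict(err.headers), err.read().decode())


# Constructed from the response shown above; the correlation id is the page's own.
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 29 Jan 2025 13:34:05 GMT\r\n"
    "Content-Type: text/plain\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "x-correlation-id: 8b18a9f3-3459-438c-aac7-929fb0b08fbf\r\n"
    "\r\n"
    "Healthy"
)

# Constructed failure case for the monitor's 'down' branch.
SAMPLE_DOWN = (
    "HTTP/1.1 503 Service Unavailable\r\n"
    "Content-Type: text/plain\r\n"
    "x-correlation-id: 00000000-0000-0000-0000-000000000000\r\n"
    "\r\n"
    "Unhealthy"
)

if __name__ == "__main__":
    print(parse_health_response(SAMPLE_OK))
    print(fetch_health("uat"))
```

Schedule `fetch_health()` from your monitoring system and alert on `healthy == False`, logging the correlation id alongside the status so the failure can be traced on both sides.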