Security issues and best practices
Here are some rules to follow when working with Bold360 AI APIs.
- Use HTTPS, not HTTP.
- When working with API keys:
  - Create API keys that have only enough privileges to accomplish the actions that will be performed with that key.
  - Create multiple API keys. That is, create a read-only key for users who will not perform write actions, and a separate API key for users with more privileges.
  - Limit the number of API keys that have read-write access to specific knowledge bases. Tightly control the IP addresses and HTTP referers that can use such keys.
  - Consider using an API gateway where the API keys are added to valid requests from clients before they are passed to the Bold360 AI server.
  - Schedule regular updates to API keys that have write access.
- When working with Session IDs:
  - The lifetime of a session ID is short; the default is 3 minutes. This short lifetime limits how long a leaked session ID remains usable.
  - Session IDs are used with REST API endpoints that read from the knowledge base, not with endpoints that write to the knowledge base.
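The API gateway pattern and the key-scoping rules above, as an added example that is not part of the Bold360 AI documentation or product: the gateway keeps the keys server-side, picks a key with no more privilege than the route needs, strips any key a client tries to supply, and applies referer and IP allow-lists before building the upstream request. The route table, upstream URL, key values and `apiKey` parameter name are assumptions, not the real Bold360 AI endpoints.

```python
import ipaddress
from urllib.parse import urlencode, urlparse

# Placeholder key values; a real gateway would load them from a secrets store (assumption).
READ_ONLY_KEY = "PLACEHOLDER_READ_ONLY_KEY"
READ_WRITE_KEY = "PLACEHOLDER_READ_WRITE_KEY"
UPSTREAM = "https://bold360ai.example/api"  # assumed upstream base URL, HTTPS only

# Assumed route table: each gateway route maps to the least-privileged key that can serve it.
ROUTES = {
    ("GET", "/kb/search"): READ_ONLY_KEY,
    ("POST", "/kb/articles"): READ_WRITE_KEY,
}
# Clients allowed to reach write routes: a tight IP allow-list on top of the referer allow-list.
WRITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_REFERERS = {"https://helpdesk.example.com"}


def build_upstream_request(method, path, params, headers, client_ip):
    """Return (status, outbound_request_or_reason). The key is injected here, never by clients."""
    key = ROUTES.get((method, path))
    if key is None:
        return 404, "unknown route"
    # Drop any key the client supplied so it cannot substitute a higher-privilege key.
    params = {k: v for k, v in params.items() if k.lower() != "apikey"}
    # Referer is easy to forge outside a browser, so it is a first filter, not the only one.
    referer = headers.get("Referer", "")
    parsed = urlparse(referer)
    origin = f"{parsed.scheme}://{parsed.netloc}" if referer else ""
    if origin not in ALLOWED_REFERERS:
        return 403, "referer not allowed"
    # Write-capable keys are only attached for requests from the allow-listed networks.
    if key == READ_WRITE_KEY:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in WRITE_NETWORKS):
            return 403, "write access not permitted from this address"
    query = urlencode({**params, "apiKey": key})
    return 200, {"method": method, "url": f"{UPSTREAM}{path}?{query}"}
```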