In order to enforce security while accessing the API, we can follow the ‘Salesforce Security Guidelines’.

If we want to access our own website hosted within a Salesforce tab, then we may need to validate that the origin of the request is Salesforce: http://uat.myapp.com/secure_access/validate.php?location={!API.Partner_Server_URL_220}&session_id={!API.Session_ID}

1. Verify that the Session ID is valid by making a reverse call.

2. Verify the web request (at the load-balancer and application level).

Vulnerability Protection: http://wiki.developerforce.com/index.php/Secure_Coding_Single_Sign_On

Below is the regular expression to validate legitimate API Partner Server URL servers:

To summarize the above regular expression: it ensures that the URL starts with ‘https://’, followed by one or more characters other than ‘/’ or ‘?’, followed by a ‘.’, followed by ‘sales’ or ‘visual.’, followed by ‘force.com/services/SOAP/’, followed by ‘u’ or ‘c’, followed by ‘/’. This will allow:
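As an added example (not code from the original post, and not Salesforce's own code), here is a Python implementation of steps 1 and 2 as the post describes them: the `location` parameter is checked against the allow-list pattern summarized above before the Session ID is used in the reverse Partner API `getUserInfo` call, so the Session ID is never sent to a host that fails the check. The transport is injected: `https_post` is the real HTTPS call, `constructed_post` is a constructed offline stand-in that answers like Salesforce would for one constructed session id. All function names and the sample user values are my own.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional

# Pattern exactly as the post summarizes it: 'https://', one or more characters
# that are neither '/' nor '?', a '.', then 'sales' or 'visual.', then
# 'force.com/services/SOAP/', then 'u' or 'c', then '/'.
PARTNER_SERVER_URL_RE = re.compile(
    r"^https://[^/?]+\.(?:sales|visual\.)force\.com/services/SOAP/[uc]/"
)

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:partner.soap.sforce.com"


def is_valid_partner_server_url(url: str) -> bool:
    """Step 2 (application level): allow-list check on the 'location' parameter."""
    return PARTNER_SERVER_URL_RE.match(url) is not None


def build_get_user_info_request(session_id: str) -> bytes:
    """Partner API getUserInfo envelope, built with ElementTree so the session id
    is escaped instead of being concatenated into XML."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    sh = ET.SubElement(header, f"{{{PARTNER_NS}}}SessionHeader")
    ET.SubElement(sh, f"{{{PARTNER_NS}}}sessionId").text = session_id
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    ET.SubElement(body, f"{{{PARTNER_NS}}}getUserInfo")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_get_user_info_response(xml_bytes: bytes) -> Optional[dict]:
    """Return userId/organizationId/userName from a getUserInfoResponse, or None
    for a SOAP fault or any response that lacks those fields."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    result = root.find(f".//{{{PARTNER_NS}}}getUserInfoResponse/{{{PARTNER_NS}}}result")
    if result is None:
        return None
    info = {}
    for name in ("userId", "organizationId", "userName"):
        el = result.find(f"{{{PARTNER_NS}}}{name}")
        if el is None or not el.text:
            return None
        info[name] = el.text
    return info


def https_post(url: str, body: bytes) -> bytes:
    """Real transport (uses the network): POST the envelope to the partner server URL."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "text/xml; charset=UTF-8", "SOAPAction": '""'},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def validate_salesforce_session(location: str, session_id: str,
                                post: Callable[[str, bytes], bytes]) -> Optional[dict]:
    """Step 1 (reverse call), gated by step 2: the session id is only ever sent
    to a location that passed the allow-list."""
    if not session_id or not is_valid_partner_server_url(location):
        return None
    try:
        response = post(location, build_get_user_info_request(session_id))
    except Exception:  # network or HTTP error: treat the session as invalid
        return None
    return parse_get_user_info_response(response)


# --- constructed offline stand-in for the Salesforce endpoint (no network) ---
CONSTRUCTED_SESSION_ID = "00Dx0000000abcd!AQconstructedSessionIdForThisExample"

_CONSTRUCTED_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns="urn:partner.soap.sforce.com">
  <soapenv:Body><getUserInfoResponse><result>
    <organizationId>00Dx0000000abcdEAA</organizationId>
    <userId>005x0000000abcdAAA</userId>
    <userName>alice@example.com</userName>
  </result></getUserInfoResponse></soapenv:Body>
</soapenv:Envelope>"""

_CONSTRUCTED_FAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><soapenv:Fault><faultcode>sf:INVALID_SESSION_ID</faultcode>
  <faultstring>INVALID_SESSION_ID: Invalid Session ID found</faultstring>
  </soapenv:Fault></soapenv:Body></soapenv:Envelope>"""


def constructed_post(url: str, body: bytes) -> bytes:
    """Answers like Salesforce would, for the one constructed session id only."""
    sid = ET.fromstring(body).find(f".//{{{PARTNER_NS}}}sessionId")
    if sid is not None and sid.text == CONSTRUCTED_SESSION_ID:
        return _CONSTRUCTED_OK
    return _CONSTRUCTED_FAULT
```

In validate.php's position you would call `validate_salesforce_session(location, session_id, https_post)` and then, for step 3, compare the returned `organizationId` and `userId` against the organizations and users you expect before granting access. The regex is case-sensitive, as the post's description implies; check the exact casing of the path that your org's `{!API.Partner_Server_URL_220}` merge field produces and adjust the pattern if it differs.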

3. User Authorization:

(not sure if we have access to all users registered through Trialforce, which would allow us to validate the user ID)

http://wiki.developerforce.com/index.php/Single_Sign_On_for_Composite_Apps

4. Enable SSL in our web server.

5. Use the Salesforce Certificate:

This certificate is meant to identify that the request is coming from salesforce.com, not a specific user.

http://www.salesforce.com/us/developer/docs/api/Content/sforce_api_om_outboundmessaging_setting_up.htm#om_user_profile

Your application (endpoint) server’s SSL/TLS may be configured to require client certificates (two-way SSL/TLS), in order to validate the identity of the Salesforce server when it takes the role of client to your server. If this is the case, you can download the Salesforce client certificate from the Salesforce application user interface.
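As an added example for steps 4 and 5 (not configuration from the original post or from Salesforce), here is an nginx server block that enables TLS and requires the client certificate on the endpoint, so that a connection without the certificate downloaded from Salesforce is rejected at the handshake, before the request reaches validate.php. The hostname is the one from the post; every file path is a placeholder.

```nginx
server {
    listen 443 ssl;
    server_name uat.myapp.com;

    # Step 4: the endpoint's own server certificate (placeholder paths)
    ssl_certificate     /etc/ssl/myapp/server.crt;
    ssl_certificate_key /etc/ssl/myapp/server.key;

    # Step 5: trust only the Salesforce client certificate downloaded from the
    # Salesforce UI (placeholder path). "on" rejects the TLS handshake when the
    # peer presents no certificate or one that does not verify against this file.
    ssl_client_certificate /etc/ssl/myapp/salesforce-client.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location /secure_access/ {
        # Defence in depth: refuse anything that got here without a verified client cert
        if ($ssl_client_verify != SUCCESS) { return 403; }
        # Pass the verified subject DN to the application so it can log it
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two checks before relying on this: `ssl_client_certificate` is the file nginx verifies the presented chain against, so if the certificate you downloaded is issued by an intermediate rather than self-signed, that issuer must be in the file and `ssl_verify_depth` raised accordingly; and `ssl_verify_client on` applies to the whole `server` block, so keep the Salesforce-facing endpoint on its own virtual host rather than sharing one with pages that browsers visit.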

6. Enable SSO (in future):

As per Salesforce: https://na7.salesforce.com/help/doc/en/sso_delauthentication_configuring.htm

Use the Delegated Authentication WSDL.

If Single Sign-On (SSO) is enabled for your organization, users who access the API or a desktop client cannot log in to Salesforce unless their IP address is included on your organization’s list of trusted IP addresses or on their profile, if their profile has IP address restrictions set. Furthermore, the delegated authentication authority usually handles login lockout policies for users with the “Uses Single Sign-On” permission. However, if the security token is enabled for your organization, then your organization’s login lockout settings determine the number of times a user can attempt to log in with an invalid security token before being locked out of Salesforce. For more information, see “Setting Login Restrictions” and “Setting Password Policies” in the online help.

More details: http://www.salesforce.com/docs/developer/cookbook/Content/sso_delegated.htm

7. Broad topics on application security: http://wiki.developerforce.com/index.php/Apex_and_Visualforce_Security_Tips
