Endpoint security

Out-of-the-box security features

Basic authentication

Spryker offers built-in support for Basic Auth on both REST and Glue APIs. You can configure it to restrict access to sensitive endpoints or entire services.

Further Reading: Configure basic .htaccess authentication

IP whitelisting

Spryker allows you to set up IP allowlists at the web server (for example Nginx) or infrastructure level (for example AWS Security Groups, Cloudflare rules) to limit access to known, trusted sources.

Further Reading: Configure access to applications in maintenance mode

HTTPS enforcement

While not specific to Spryker, it is recommended (and often enforced by default at the infrastructure level) to serve all APIs over HTTPS so that data in transit is encrypted.

Best practices for secure integration endpoints

Use token-based authentication

Prefer OAuth2 or API keys with expiration and rotation over Basic Auth for better control and traceability. Glue APIs can be extended to support token-based schemes.

Further Reading: Glue API authentication and authorization

Limit access scope

Apply the principle of least privilege: expose only the endpoints and data required for the specific integration.

  • Create custom API roles for partners with fine-grained access control.

Logging and monitoring

  • Log all API access errors with details (timestamp, IP, headers, payload).
  • Monitor unusual patterns and set up alerts for suspicious behavior.

Further Reading: New Relic transactions grouping by queue names

Further Reading: OpenTelemetry instrumentation

Input validation and sanitization

Ensure all incoming data is strictly validated to prevent injection attacks or malformed payloads.