Application Security Policy
This guide provides an overview of Yotpo's application security policy and practices.
Authentication
Yotpo offers two primary system authentication methods:
API Authentication
Each and every Yotpo account possesses two randomly-generated unique keys:
Key | Description |
---|---|
App Key | Public key and unique account identifier, e.g. i23elSptdIyrsWX1wDwkgWjEFGtjQit0AgXdCLLz |
Secret Key | Secret unique identifier key available exclusively to the Yotpo account administrator, e.g. Qcca8nS3nhS2WbeN9bnITltBF67ZaHpSlba3Ckdd |
Using the App Key and Secret Key, Yotpo users can generate their uToken (API Token) which is required to perform most actions via the Yotpo API.
- The API Token provides access to a specific account.
- The API Token expires 30 days after its creation unless it is re-authenticated.
Email & Password Authentication
Each Yotpo user must provide an account email address and create a password to be identified within the Yotpo system. Yotpo employs strong password requirements where each password must consist of the following:
- At least 8 characters
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least one numeric digit
Upon creation, login credentials are encrypted and stored within Yotpo’s database to ensure the highest degree of PII security.
Users are required to provide their account email address and password in order to log in to the Yotpo Admin at yap.yotpo.com and each session remains active for XXXXX hours before a timeout and session expiry occurs. A CAPTCHA challenge-response mechanism is integrated into Yotpo's login pages to help protect against unauthorized account access and hacking attempts.
Once logged in to the Yotpo system, end-users may access all accounts (eCommerce stores) associated with their user instance, with the appropriate account privileges as designated by the Yotpo account administrator.
Authorization
Different actions in the Yotpo system require different permissions: performing an action in the Yotpo back-office system requires that the appropriate roles and permissions have been set. There are three user types in Yotpo:
Reviewer
Reviewers have access only to public information and public API calls. Reviewers cannot log in to the Yotpo admin or authenticate using the Yotpo API.
Account Administrator
Account administrators are usually the account owner and have full access to the account they own. The Account Administrator can log in to the Yotpo Admin and authenticate using the Yotpo API App Key and Secret Key.
Account Moderator
Moderators have limited access to the account. Permissions are set by the account owner.
Once authenticated by Yotpo using one of the methods described in the Authentication section, a user is authorized to perform specific actions according to the privileges they hold on the account. Every non-public action in the Yotpo system requires the user to have the correct set of permissions. For example, a store owner can publish or unpublish a review, but only for the accounts they own.
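The role model above (reviewer, account administrator, account moderator) with privileges scoped to a single account can be expressed as a small authorization check. This is an added illustration, not Yotpo's own code; the role names, permission strings and sample users are constructed here.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    REVIEWER = "reviewer"              # public information and public API calls only
    MODERATOR = "moderator"            # owner-granted permissions on a specific account
    ADMINISTRATOR = "administrator"    # full access to the accounts they own


# Public actions need no authentication at all; everything else needs a permission.
PUBLIC_ACTIONS = {"read_public_reviews"}


@dataclass
class User:
    email: str
    role: Role
    # account_id -> permissions granted on that account.
    # For administrators the key marks an owned account; the set is not consulted.
    accounts: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when the user lacks the privileges for the requested action."""


def authorize(user, action, account_id):
    """Return True if `user` may perform `action` on `account_id`, else raise Forbidden."""
    if action in PUBLIC_ACTIONS:
        return True
    # Reviewers (and anonymous callers) never reach non-public actions.
    if user is None or user.role is Role.REVIEWER:
        raise Forbidden(f"{action!r} is not a public action")
    # Privileges are per account: a role on one store grants nothing on another store.
    if account_id not in user.accounts:
        raise Forbidden(f"{user.email} has no privileges on account {account_id!r}")
    if user.role is Role.ADMINISTRATOR:
        return True  # owner of this account: full access
    if action not in user.accounts[account_id]:
        raise Forbidden(f"{user.email} lacks {action!r} on account {account_id!r}")
    return True


def can(user, action, account_id):
    """Boolean convenience wrapper around authorize()."""
    try:
        return authorize(user, action, account_id)
    except Forbidden:
        return False


# Constructed sample users (hypothetical, not real Yotpo data).
OWNER = User("owner@example.com", Role.ADMINISTRATOR, {"store-A": set()})
MODERATOR = User("mod@example.com", Role.MODERATOR, {"store-A": {"publish_review"}})
REVIEWER = User("reader@example.com", Role.REVIEWER)
```

The account check runs before the role check, so an administrator of store-A is refused on store-B exactly like the text's "only for the accounts they own".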
Communication and Data in Transit
Secure Socket Layer - SSL
Yotpo supports communication over the SSL protocol to ensure encrypted communication over the internet. This connection uses TLS 1.2 with 128-bit encryption.
HTTPS requests can include:
- All activities performed through the Yotpo Admin
- API requests
- All widget requests performed on secure pages
CSRF Mitigation
Yotpo protects against CSRF attacks by means of CSRF tokens included in all forms and AJAX requests.