Security Settings

📘Note:
The current security settings are only valid for the HTTP interface.

Allowlists

You can use the following project-specific security settings to better control how your API Keys are used:

AllowLists - set limits on request types that are allowed

JWT - Authentication

AllowList User-Agents

If you are distributing products embedded with API keys and can set up custom User-Agent (e.g. an Electron app, iOS or Android app), then we would recommend adding the known User-Agent to your allowlist. When a User-Agent is added to the allowlist, any API requests originated from other platforms will be rejected.

User-Agent allowlist utilizes partial string matching. If a string that is allowed to list exists in the request's full User-Agent, it is registered as a match.

Example:

AllowList Origin

To prevent unauthorized third parties from using your API key on their websites, you can specify an allowlist of HTTP Origins permitted to send requests. For instance, if your application is deployed to mydapp.example.com, adding mydapp.example.com to the HTTP Origin allowlist ensures that any HTTP requests not originating from this domain will be rejected.

Similar to TLS certificates, HTTP Origin matching supports wildcard subdomain patterns. You can use a wildcard (*) as the left-most subdomain to match any subdomain. This wildcard can only appear in the left-most position of an entry.
The URL schema (e.g., http://, https://) is optional in the allowlist entries. If a schema is included, requests must originate from an HTTP Origin with the same schema. An entry with a single schema will restrict requests to Origins matching that specific schema.

AllowList Contract Addresses

If your application will only query data from specific smart contracts or address sources, you can enhance security by adding those addresses to your Contract Address Allowlist. Once an address is added to the allowlist, any API requests involving query addresses outside this list will be rejected.

The following interfaces utilize contract address parameters:

/v1/contracts/contract_address/events
/(event)|(events)/contract/contract_address
/(event)|(events)/contract/[a-zA-Z0-9]+/[a-zA-Z0-9]+
/(event)|(events)/contract/[a-zA-Z0-9]+/[a-zA-Z0-9]+/[a-zA-Z0-9]+
/walletsolidity/triggerconstantcontract
/wallet/triggersmartcontract
/wallet/triggerconstantcontract

Example:

JWT

What is JWT:
Json Web Tokens (JWT) is an open standard for JSON to transfer claims between web application environments. JWT statements are generally used to pass authenticated user identity information between identity providers and service providers.
How to use JWT
If the JWT switch is on, each request needs to include token information for PolluxChain to verify. Requests that failed the verification will not be responded. Each account can create up to 3 JWTs. When creating a JWT, the public key created by the user is required (RS256 is now supported). ID and Fingerprint will be generated after the public key is filled in.
Example

1.Generate RSA key pair
In order to use JWT in the project, you need to generate a public/private key pair first. Pollux Chain currently supports the algorithm RS256. Please make sure you keep the private key secret!

You need to enter an easy-to-understand name to identify the key and the text in the key file. It should be a PEM-encoded file (for example, generated by OpenSSL). It usually looks like this:

2.Generate token
Method 1: Java code
Import the jjwt package

Call createSignedJwtRsa256 to generate token

Method 2: Jwt website

Go to the website: https://jwt.io/

Select RSA256 algorithm

Enter header， kid is the id of JWT; after adding JWT to the key, view it from the key configuration

{  "alg": "RS256",
   "typ": "JWT",
   "kid": "XXXXXXX" // id of jwt
}

Enter payload，If exp has no expiration time, you can leave it blank

{
   "exp": 1617736153,
   "aud": "poxscan.io" 
}

In VERIFY SIGNATURE, enter the public key and private key respectively.

In ENCODED, you can see the generated token.

Allowlists#

AllowList User-Agents#

AllowList Origin#

AllowList Contract Addresses#

JWT#

Allowlists

AllowList User-Agents

AllowList Origin

AllowList Contract Addresses

JWT