Because the REST APIs in Signer.Digital Webserver take the complete PDF file for signing, responses may be somewhat slower than with the native component. From a security and document-protection perspective, keep in mind that the server hosting this service receives the complete PDF for signing, not just its hash. This is acceptable when the application generating the PDF and this signing service run on the same hardware, or within the same internal network fully owned by the organization.
Security Features in Signer.Digital Webserver:
Uses JWT (JSON Web Token) for API authentication, with a configurable token expiry duration.
The JWT secret is not stored in plain text on the server; it is stored encrypted, using a machine-specific data protection provider with automatic key rotation every 90 days.
As a result, the JWT secret used to sign auth tokens can be decrypted only on that server and only by that application, not by other applications or servers.
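To make the token-expiry point concrete, here is an added example (not code from Signer.Digital) of minting and verifying an HS256 JWT with a configurable lifetime using only the Python standard library. The secret is passed in as bytes; on the real server it would come from the encrypted store described above. Function names, the TTL and the claims are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, claims: dict, ttl_seconds: int, now=None) -> str:
    """Issue an HS256 JWT that expires ttl_seconds after issue (the configurable expiry)."""
    issued = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=issued, exp=issued + ttl_seconds)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, now=None) -> dict:
    """Return the claims when signature and expiry are valid; raise TokenError otherwise."""
    current = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: the token never gets to choose how it is verified
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checks do not leak timing information
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if "exp" not in claims or current >= int(claims["exp"]):
        raise TokenError("token expired")
    return claims


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret-not-for-production"
    tok = mint_token(demo_secret, {"sub": "api-client-1"}, ttl_seconds=300)
    print(verify_token(demo_secret, tok))
```

Signature verification is done before the expiry check on purpose: an attacker should learn nothing about the payload of a token they could not sign. The `now` parameter exists so the expiry path can be tested deterministically.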
User passwords are not stored in plain text but in cryptographically protected form.
Sensitive data such as PINs, passwords and PFX signature files are stored encrypted in the database. The encryption key is stored securely in environment variables.
The database password is encrypted before being stored in the config file, or may be moved to environment variables.
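The following added example (not Signer.Digital's own code) shows the two storage practices above in working form: a salted PBKDF2-HMAC-SHA256 password hash with constant-time verification, and a loader that takes the field-encryption key from an environment variable and refuses to start if the key is absent or malformed. The variable name `SIGNER_DATA_KEY`, the iteration count and the 32-byte key length are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed default; tune the iteration count to the hardware's latency budget
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def load_data_key(var_name: str = "SIGNER_DATA_KEY", environ=None) -> bytes:
    """Read the database field-encryption key from the environment (assumed variable name).

    The key is expected as 64 hex characters (32 raw bytes). Missing or malformed keys are
    a hard startup failure rather than a silent fallback to a weak or empty key.
    """
    env = os.environ if environ is None else environ
    value = env.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to start without an encryption key")
    try:
        key = bytes.fromhex(value)
    except ValueError:
        raise RuntimeError(f"{var_name} must be hex-encoded")
    if len(key) != 32:
        raise RuntimeError(f"{var_name} must decode to 32 bytes, got {len(key)}")
    return key


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because the salt and iteration count travel with the hash, the iteration count can be raised later for new passwords without invalidating existing records.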
The web application uses a captcha and secure cookie-based authentication, and every POST is verified against an anti-forgery token to prevent XSRF/CSRF attacks.
Generally known security-enhancing HTTP response headers are added.
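As an added example of the cookie and anti-forgery mechanism described above (written for this page, not taken from Signer.Digital), the block below builds a session cookie with the Secure, HttpOnly and SameSite attributes, issues a synchronizer token bound to the session id, and verifies that token on every POST. The form field name `antiforgery_token`, the cookie name `session` and the request dictionary shape are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets


def session_cookie_header(session_id: str, max_age_seconds: int = 1800) -> str:
    """Set-Cookie value for the auth session: not readable by script, HTTPS only, not sent cross-site."""
    return (
        f"session={session_id}; Path=/; Max-Age={max_age_seconds}; "
        "Secure; HttpOnly; SameSite=Strict"
    )


def issue_antiforgery_token(secret: bytes, session_id: str) -> str:
    """Synchronizer token: nonce.mac, where mac = HMAC(secret, session_id:nonce).

    Binding the MAC to the session id means a token obtained under one session
    is useless when submitted with another session's cookie.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_antiforgery_token(secret: bytes, session_id: str, submitted: str) -> bool:
    try:
        nonce, mac = submitted.split(".")
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def is_request_allowed(secret: bytes, request: dict) -> bool:
    """Gate for a constructed request dict: {'method', 'cookies': {...}, 'form': {...}}.

    Safe methods pass; a POST must carry a session cookie and a form token that
    verifies against that same session.
    """
    if request.get("method", "GET") in ("GET", "HEAD", "OPTIONS"):
        return True
    session_id = request.get("cookies", {}).get("session")
    token = request.get("form", {}).get("antiforgery_token")
    if not session_id or not token:
        return False
    return verify_antiforgery_token(secret, session_id, token)


if __name__ == "__main__":
    app_secret = b"constructed-antiforgery-secret"
    sid = secrets.token_hex(16)
    print(session_cookie_header(sid))
    tok = issue_antiforgery_token(app_secret, sid)
    post = {"method": "POST", "cookies": {"session": sid}, "form": {"antiforgery_token": tok}}
    print(is_request_allowed(app_secret, post))
```

The token is carried in the form body rather than a cookie, so a cross-site page that can make the browser attach the session cookie still cannot read or supply the token.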