Security Best Practices
Overview
This documentation covers security best practices when working with Algolia. Most of these are standard practice, but I will also include security between applications.
Two-factor authentication
All users with access to your account should enable two-factor authentication.
Secure API keys
Algolia has a few predefined API keys and lets you create new keys with detailed access control lists (ACLs). Set restrictions on keys to limit what each user can access and to prevent data crawling. Algolia securely generates and encrypts keys, but they must still be handled responsibly on our side.
- Don’t use write-access keys in frontend code or mobile apps.
- Use environment variables for API keys in your code instead of hardcoding them.
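As an added example (not from this page or Algolia's own code), the construction the Algolia clients use for secured API keys: HMAC-SHA256 over the URL-encoded restrictions, keyed by a search-only parent key, so a per-user key with filters, an index allow-list and an expiry can be shipped to a frontend without exposing the parent. The verify function is my illustration of the server-side check; the parent key, restrictions and the serialization details (sorted keys, JSON-encoded non-string values) are constructed or assumed here.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample value, not a real Algolia key. The parent must be a
# search-only key: a secured key can never grant more than its parent allows.
PARENT_SEARCH_KEY = "0123456789abcdef0123456789abcdef"


def serialize_restrictions(restrictions: dict) -> str:
    """URL-encode the restrictions; non-string values are JSON-encoded (assumed, modelled on the clients)."""
    items = [(k, v if isinstance(v, str) else json.dumps(v)) for k, v in sorted(restrictions.items())]
    return urlencode(items)


def generate_secured_api_key(parent_key: str, restrictions: dict) -> str:
    """base64( hex(HMAC-SHA256(parent_key, restrictions)) || restrictions ).

    The restrictions travel in the clear; the MAC stops the client from loosening
    them, because only the holder of the parent key can recompute it.
    """
    qs = serialize_restrictions(restrictions)
    mac = hmac.new(parent_key.encode(), qs.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode((mac + qs).encode()).decode()


def verify_secured_api_key(parent_key: str, secured_key: str, now=None):
    """Illustrative server-side check: recompute the MAC, then enforce validUntil.

    Returns (True, restrictions) on success or (False, reason) on failure.
    """
    decoded = base64.b64decode(secured_key).decode()
    mac, qs = decoded[:64], decoded[64:]  # a SHA-256 hex digest is 64 characters
    expected = hmac.new(parent_key.encode(), qs.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "restrictions do not match the MAC (forged or tampered)"
    restrictions = dict(parse_qsl(qs))
    valid_until = restrictions.get("validUntil")
    current = now if now is not None else int(time.time())
    if valid_until is not None and int(valid_until) < current:
        return False, "key expired"
    return True, restrictions


if __name__ == "__main__":
    # A key for one user's frontend session: only the products index, only
    # that user's records, valid for one hour (constructed timestamps).
    key = generate_secured_api_key(PARENT_SEARCH_KEY, {
        "filters": "userID:42", "restrictIndices": ["products"], "validUntil": 1700003600})
    print(key, verify_secured_api_key(PARENT_SEARCH_KEY, key, now=1700000000))
```

Rotating the parent search-only key (see "Rotate keys" below) invalidates every secured key derived from it at once, which is the cheapest way to revoke keys that were handed to clients.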
Admin API key
Our account’s admin API key gives access to everything in the account, including all indices. The admin API key should never be used in production.
Rotate keys
Regenerate all API keys at least once a year. This provides extra security if an API key leaks, is misused, or is required for compliance purposes. For sensitive apps, rotate your keys more often. One year should be the maximum lifetime of an API key.
Sensitive information
Algolia follows best practices to ensure that data is secure and isolated from the data of other Algolia users. To prevent access from unauthorized users, Algolia provides these features:
- Secured API keys with access restrictions
- unretrievableAttributes
- Algolia Vault
Follow these steps when dealing with sensitive information:
- Don’t use sensitive data in metadata. Some metadata is stored in logs.
- Don’t use sensitive information in an index name. Index names are public, because they appear in network requests.
- Don’t use personally identifiable information as the userToken parameter in search requests.
unretrievableAttributes
This is a list of attributes you don’t want the engine to retrieve at query time.
Preventing particular attributes from being retrieved may be particularly important for security or business reasons. Some attributes may be helpful for ranking or other technical purposes but should never be seen by your users, for example total sales, permissions, and other private information. Where possible, leave such information out of the index entirely rather than relying on the unretrievableAttributes parameter. Bear in mind that this setting is ignored if the query is authenticated with the admin API key.
Algolia Vault
Algolia Vault gives you an extra level of security and control over your data, beyond typical use-cases. Algolia Vault exists to meet strict technical or compliance requirements that call for disk encryption and restricted access.
At its core, Algolia Vault provides two things:
- Advanced Encryption Standard (AES), specifically AES-256, for disk encryption at rest, with per-server keys.
- A configurable firewall to restrict access to specific IP addresses.
Block IP addresses
If we experience an unexpected increase in query operations, there may be an issue with our implementation, but it could also be users or bots sending many search requests.
Consider blocking specific IP addresses that make too many API requests.
Content security policy
Content Security Policy (CSP) is an HTTP response header that lets you restrict the resources and domains a page is allowed to load or connect to. When you implement CSP, include the following directive so the frontend can still reach Algolia:
connect-src https://*.algolia.net https://*.algolianet.com https://*.algolia.io;