Skip to main content

Security Best Practices

Ensuring security when integrating with the Riyadh Parking API is crucial to protect sensitive data and prevent unauthorized access. Follow these best practices to safeguard your system.
Security is a shared responsibility. Implementing these best practices will help protect your integration from potential vulnerabilities.

1️⃣ Secure API Credentials

  • 🔒 Use environment variables to store sensitive credentials (Client ID, Client Secret).
  • 🔒 Restrict access to API keys by implementing role-based access control (RBAC).
  • 🔒 Rotate API keys regularly to minimize the risk of exposure.
Storing credentials securely in a .env file:
  CLIENT_ID=your-client-id
  CLIENT_SECRET=your-client-secret

2️⃣ Enforce HTTPS for All Requests

Ensure all API requests use HTTPS to encrypt communication and protect against man-in-the-middle (MITM) attacks.
Use HTTPS:
  curl -X GET "https://{riyadh-parking-api}/sites/public/site-capacity"

3️⃣ Implement Token Expiry Handling

Access tokens expire after a set duration. Always implement logic to refresh tokens before they expire. Recommended Flow:
  1. Store token expiration timestamp when receiving an access token.
  2. Refresh the token when it’s about to expire.
  3. Retry failed requests due to expired tokens.
Use the Refresh Token API to obtain a new token without requiring user credentials.

Refreshing Tokens

curl -X POST "https://api.riyadhparking.com/auth/public/refresh" \
  -H "Content-Type: application/json" \
  -d '{ "refreshToken": "your_refresh_token" }'

4️⃣ Protect Against API Abuse

  • Rate Limiting: Limit API requests per user to prevent abuse.
  • Monitor API usage: Keep logs of failed login attempts and suspicious behavior.
  • Restrict IP Access: Use allowlists to block unauthorized IPs.

5️⃣ Secure User Input

Validate all incoming requests to prevent SQL injection, XSS, and request forgery (CSRF).
Sanitize user input before processing:
  const sanitizedInput = input.replace(/\[^a-zA-Z0-9]/g, "");