Security

Nitro supports server-side and client side API method calling. Nitro supports three security levels:

• Low - Disables login authentication and IP whitelist enforcement. Recommended for rapid prototyping in the sandbox environment, but typically should not be used for a production environment.
• Medium - Enables login authentication, which uses a timestamp and signature based on your secret key, and whitelist enforcement, which requires the user to log in from a known whitelisted IP address to execute write API calls. Recommended for most deployments.
• High - Uses the same security features as medium security, and also requires all HTTP API calls to use SSL. Required for programs with an Award Account.

Anything calling API methods that write data, not just read data, with medium or high security must be whitelisted. This increases security by ensuring only whitelisted servers can make write calls.

Keys

Bunchball provides the API Key and Secret Key you need to call APIs, embed web components and blocks, and so on. Your API Key is public and anyone can see it. However, your Secret Key should never be shared or included in any code that is sent to a user's client (HTML page, etc.). If your Secret Key is lost or compromised, immediately request a new one. Both keys are viewable in Nitro Studio (Configuration > Site Settings > Overview).

Nitro IP Addresses

Nitro's outbound traffic is routed through the following IP addresses. Make sure your firewall does not block these addresses.

• QA: 34.208.234.127
• Sandbox/Production: 52.41.137.115, 52.35.155.149, and 52.42.40.97

Nitro has elastic load balancers (ELBs) in front of all of our apps, so pinning to specific IP addresses subverts the high availability (HA) of the instances behind it. In general, AWS IP ranges broadly can be used from this URL: https://ip-ranges.amazonaws.com/ip-ranges.json, but this is not recommended for firewalling. The applicable service would be EC2.

The domain api.bunchball.com will always point to the ELB for the API. Trusting that DNS is the most beneficial as that will always point to the latest ELB or application instances.

IP Whitelisting

To whitelist your IP address, you need to obtain your IP address(es) as seen by the Nitro server.

• If your server has a fixed IP address, use the command 'ipconfig' (Windows) or 'ifconfig' (UNIX, Linux, or Mac) to retrieve your IP address.
• If you are developing from a laptop/workstation with a dynamic IP address, use http://whatismyipaddress.com to retrieve your IP address.

Configure Security

1. Open Nitro Studio > Configuration > Site Settings.
2. Click Security.
3. In the Security Level section, select the security level for your site.
   
4. In the Session Timeout section, define how long the session key should be valid. By default, the session key expires after 30 days. Note: The Reset to Defaults button can be used to reset security options without modifying the IP Whitelist and Content URLs settings.
5. In the IP Whitelist section, define the IP address(es) that are authorized to make write calls to Nitro:
   1. Click New.
   2. In the IP Address field, add a single IP address (for example, 192.168.0.1) or a range of addresses (for example, 192.168.0.1-100 or 192-195.168.0.1).
   3. Alternatively, in the Host field, you can add a host address that will be resolved to the appropriate IP address by the server.
   4. In the Permissions field, select the IP address(es) permission level.
      • user.logAction only - The IP address can only call the user.logAction method.
      • all writes - The IP address can call all write methods.
   5. In the Description field, add a description of the IP address(es) to help track your servers and third-party servers.
   6. Click Save.

See also

Site settings

Sandbox and production environments