Security
Security requirements and best practices for SecureSign integrations.
PIN Handling
- DSC PIN is entered only inside SecureSign Mobile App or Desktop Software UI
- Never collect PIN in HTML forms, WebView JavaScript, or server-side code
- Never log PIN, hash of PIN, or session tokens containing PIN-derived material
HTTPS & Transport
- All production callback URLs must use HTTPS
- REST API calls must use TLS 1.2+
- Desktop Software is launched only via the securesign:// deep link — browsers never call a local HTTP port
API Key Storage
- Store API keys in server environment variables or secrets manager
- Never embed live keys in client-side JavaScript shipped to browsers
- Use short-lived server sessions for browser signing; proxy signing requests through your backend
- If a key is compromised, rotate it immediately via the Admin Console
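The transport and key-storage rules above, applied in a backend proxy that sits between the browser session and the SecureSign REST API. This is an added example, not SecureSign's own code: the API base URL, the `/sign` path and the bearer-token header format are assumptions, and the field names treated as PIN material are constructed for the check.

```python
import os
import ssl
from urllib.parse import urlsplit

# Hypothetical placeholders, not the real SecureSign endpoint.
SECURESIGN_API_BASE = "https://api.example.invalid"
# Constructed list of field names that would indicate PIN material reaching the server.
PIN_FIELDS = {"pin", "dsc_pin", "pin_hash"}
REDACTED_KEYS = PIN_FIELDS | {"authorization"}

def load_api_key(env=os.environ):
    """Read the live API key from the server environment, never from client code."""
    key = env.get("SECURESIGN_API_KEY")
    if not key:
        raise RuntimeError("SECURESIGN_API_KEY is not set; refusing to start")
    return key

def validate_callback_url(url):
    """Production callback URLs must be absolute HTTPS URLs with a hostname."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)

def tls_client_context():
    """Outbound REST calls use a context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_signing_request(session_id, document_id, callback_url, client_fields, api_key):
    """Turn a short-lived browser session into a backend-to-SecureSign request.
    The browser never receives the API key, and any PIN-like field from the
    client is rejected instead of being forwarded (the PIN belongs in the app UI)."""
    leaked = PIN_FIELDS & {k.lower() for k in client_fields}
    if leaked:
        raise ValueError(f"client submitted PIN material: {sorted(leaked)}")
    if not validate_callback_url(callback_url):
        raise ValueError("callback URL must use HTTPS")
    return {
        "url": SECURESIGN_API_BASE + "/sign",  # assumed path
        "headers": {"Authorization": f"Bearer {api_key}"},  # assumed header format
        "json": {"session": session_id, "document": document_id, "callback": callback_url},
    }

def redact_for_log(payload):
    """Log-safe view of a request: the key and any PIN-like field are masked."""
    return {k: ("<redacted>" if k.lower() in REDACTED_KEYS else v) for k, v in payload.items()}
```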
Audit & Compliance
Submit audit events via Audit Logs API for tamper-evident compliance records. SecureSign supports CCA guidelines for Class 2 and Class 3 DSC operations.