Before going live, we'll review your integration to make sure there are no hiccups when moving to production (see our checklist to prep for your code review).
Additionally, we'll pen test your platform when you go live to identify security vulnerabilities. (You'll receive a security report with a list of vulnerabilities and how to fix them).
Security Best Practices:
Below are a few steps to take to reduce your security risks.
1) Make sure your site is secure (We require SSL Certificates). Send us your SSL labs report.
2) Use HMAC for Webhooks -- This lets you verify the authenticity of the payload (so you know it's from Synapse)
3) Securely store & encrypt client_id & client_secret (Here's a suggested way to do so)
4) Don't create passwords when you create a Synapse user. (Passwords are only needed for users that will login to Synapse's dashboard)
5) Don't store account & routing numbers or online banking logins.
6) Make sure your website is not susceptible to clickjacking, XSS and CSRF.
7) Never expose admin operations on public facing endpoints (ex: Have your platform's admin login on a non-public facing domain)
8) Protect your platform from brute force attacks (ex: set maximum password attempt limit on admin dashboard).
9) Protect your platform from DOS attacks (ex: set maximum password length on admin dashboard).
10) Protect your admin dashboard with 2 Factor Authentication, Device Fingerprinting & VPN Protection
If you have concerns about your specific implementation, we're happy to discuss ways to further secure your integration and payment flow. Reach out to us at firstname.lastname@example.org.