Security: codeChap/zoho-analytics-api

SECURITY.md

Security Guidelines

🔒 Security Checklist for Zoho Analytics API Integration

Before Committing Code

  • No hardcoded credentials in any files
  • Environment variables used for sensitive data
  • Token files are gitignored (zoho_tokens.json, tokens.json)
  • Credential files are gitignored (.env, *.txt credential files)
  • No console output of sensitive information
  • Example values used in documentation (not real credentials)

Environment Variables

Use these environment variables instead of hardcoded values:

ZOHO_CLIENT_ID=your_client_id_here
ZOHO_CLIENT_SECRET=your_client_secret_here
ZOHO_ORG_ID=your_organization_id_here

Files That Must Be Excluded

The following files are automatically excluded via .gitignore:

# Tokens and credentials
zoho_tokens.json
tokens.json
.env
.env.local
.env.production
ZOHO-CLIENT-ID.txt
ZOHO-CLIENT-SECRET.txt
ZOHO-ORG-ID.txt

OAuth Security Best Practices

  1. Minimal Scopes: Only request necessary permissions

    'scopes' => [
        'ZohoAnalytics.data.all',
        'ZohoAnalytics.metadata.read',
        'ZohoAnalytics.embed.read',
        'ZohoAnalytics.embed.update'
    ]
  2. Secure Redirect URIs: Use HTTPS in production

    'redirectUri' => 'https://yourdomain.com/oauth/callback'
  3. Token Storage: Store tokens securely, never in version control

    // Good: Local file with proper permissions
    $tokenFile = __DIR__ . '/zoho_tokens.json';
    
    // Bad: Hardcoded tokens in code
    $accessToken = 'hardcoded_token_here'; // ❌ NEVER DO THIS

API Security

  1. HTTPS Only: All API requests must use HTTPS
  2. Token Rotation: Implement automatic token refresh
  3. Error Handling: Don't expose sensitive information in error messages
  4. Rate Limiting: Respect API rate limits to avoid blocking
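Token Storage (step 3 above) and Token Rotation (step 2 here) together, as an added example that is not code from the codeChap/zoho-analytics-api project: the JSON field names, the refresh skew and the file path are assumptions.

```php
<?php
// Added example, not project code: keeps the OAuth token pair in a JSON file written
// atomically with owner-only permissions, and reports when the access token is due for
// refresh. Field names (access_token, refresh_token, expires_at) are assumptions.
declare(strict_types=1);

final class TokenStore
{
    private const REFRESH_SKEW = 60;   // refresh this many seconds before recorded expiry
    public function __construct(private string $path) {}

    public function save(string $accessToken, string $refreshToken, int $expiresIn): void
    {
        $json = json_encode([
            'access_token'  => $accessToken,
            'refresh_token' => $refreshToken,
            'expires_at'    => time() + $expiresIn,
        ], JSON_THROW_ON_ERROR);

        // Temp file + rename: a crash mid-write never leaves a truncated token file,
        // and the umask keeps the file from ever being group/world readable.
        $tmp = $this->path . '.tmp';
        $oldMask = umask(0077);
        try {
            if (file_put_contents($tmp, $json, LOCK_EX) === false || !chmod($tmp, 0600)
                || !rename($tmp, $this->path)) {
                throw new RuntimeException('Unable to write token file');
            }
        } finally {
            umask($oldMask);
        }
    }

    /** @return array{access_token:string,refresh_token:string,expires_at:int}|null */
    public function load(): ?array
    {
        if (!is_file($this->path)) {
            return null;
        }
        if ((fileperms($this->path) & 0077) !== 0) {   // refuse over-permissive files
            throw new RuntimeException("Token file {$this->path} is readable by other users");
        }
        return json_decode(file_get_contents($this->path), true, 512, JSON_THROW_ON_ERROR);
    }

    public function needsRefresh(): bool
    {
        $tokens = $this->load();
        return $tokens === null || $tokens['expires_at'] - self::REFRESH_SKEW <= time();
    }
}
```

Call needsRefresh() before each API request and, when it returns true, exchange the refresh token at Zoho's token endpoint and save() the new pair; the HTTP call itself is outside this example. Point $path at a directory outside the web root (e.g. a sibling of the project, as zoho_tokens.json is already gitignored).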

Deployment Security

  1. Production Environment:

    • Use environment variables for all credentials
    • Secure file permissions on token storage
    • Regular token rotation
    • Monitor API usage
  2. Development Environment:

    • Use separate OAuth applications for dev/staging/prod
    • Never use production credentials in development
    • Clear tokens when switching environments

Zoho-Specific Security

  1. Organization ID: Verify you're accessing the correct organization
  2. Workspace Permissions: Ensure users have appropriate access levels
  3. Domain Restrictions: Configure allowed domains in Zoho Console
  4. IP Whitelisting: Use IP restrictions where applicable

Code Security Patterns

✅ Secure Pattern

// Load from environment, falling back to a gitignored credential file
private function loadCredential(string $envVar, string $filePath): string
{
    // Prefer the environment variable so deployments never need a credential file on disk
    $value = getenv($envVar);
    if ($value !== false && !empty(trim($value))) {
        return trim($value);
    }

    // Fallback: $filePath is relative to this directory (one of the .txt files listed above).
    // realpath() already returns false for a missing file; file_exists() only guards against
    // the file disappearing between the two calls.
    $fullPath = realpath(__DIR__ . $filePath);
    if ($fullPath && file_exists($fullPath)) {
        return trim(file_get_contents($fullPath));
    }

    // Fail closed. The message names the variable, never a credential value.
    throw new \RuntimeException("Credential not found for $envVar");
}

❌ Insecure Pattern

// Hardcoded credentials - NEVER DO THIS
$clientId = '1000.ABC123DEF456';
$clientSecret = 'hardcoded_secret_here';

URL Security

  1. Embed URLs: Have configurable expiry times
  2. Private URLs: Use secure random keys
  3. Shared URLs: Require authentication
  4. Domain Validation: Verify URLs are from expected domains
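Item 4 (Domain Validation) in working form. This is an added example, not the project's own code; the allow-listed hosts and the sample URLs are constructed values, and the function also rejects non-HTTPS schemes and URLs carrying user-info, which the list above does not spell out.

```php
<?php
// Added example, not project code: validate an embed or shared URL before handing it to
// a browser or iframe. Allow-listed hosts and sample URLs below are constructed values.
declare(strict_types=1);

/**
 * Returns the URL when it is HTTPS, carries no embedded credentials, and its host is
 * exactly one of $allowedHosts or a real subdomain of one; returns null otherwise.
 */
function trustedEmbedUrl(string $url, array $allowedHosts): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;                        // plain http and javascript: schemes are rejected
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                        // "https://good.host@other.host/" style confusion
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $allowed) {
        $allowed = strtolower($allowed);
        // Exact match or a genuine subdomain: the leading dot is what stops
        // "analytics.zoho.com.other.example" from matching "zoho.com".
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return $url;
        }
    }
    return null;
}

// Constructed sample inputs: two that should pass, three that must not.
$allowed = ['analytics.zoho.com', 'analytics.zoho.eu'];
$checks = [
    'https://analytics.zoho.com/open-view/123',          // allowed
    'https://sub.analytics.zoho.eu/embed',               // allowed: real subdomain
    'http://analytics.zoho.com/open-view/123',           // rejected: not https
    'https://analytics.zoho.com.other.example/view',     // rejected: lookalike host
    'https://analytics.zoho.com@other.example/view',     // rejected: embedded user-info
];
foreach ($checks as $u) {
    printf("%-52s %s\n", $u, trustedEmbedUrl($u, $allowed) ? 'allowed' : 'rejected');
}
```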

Monitoring and Logging

  1. Log Security Events: Authentication failures, token refresh
  2. Monitor API Usage: Unusual patterns or excessive requests
  3. Error Tracking: Monitor for security-related errors
  4. Audit Trail: Keep records of access and modifications

Emergency Procedures

  1. Credential Compromise:

    • Immediately revoke OAuth application
    • Generate new client credentials
    • Update all environments
    • Review access logs
  2. Token Leakage:

    • Revoke affected tokens
    • Force re-authentication
    • Check for unauthorized access

Security Testing

Before deploying:

  1. Credential Scan: Verify no credentials in code
  2. Permission Test: Confirm minimal required permissions
  3. Token Lifecycle: Test token refresh and expiry
  4. Error Handling: Ensure no sensitive data in error messages
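Step 1 (Credential Scan) as a runnable pre-deploy check. This is an added example and not part of the project; it checks that every file in the "Files That Must Be Excluded" list is in .gitignore and greps the tree for the credential shapes shown in this document. The regexes and the skipped directories are assumptions to tune per repository.

```php
<?php
// Added example, not project code: pre-deploy scan for the items in the checklist above.
// Regexes and skipped directories are assumptions; adjust them for your repository.
declare(strict_types=1);

const CREDENTIAL_FILES = ['zoho_tokens.json', 'tokens.json', '.env', '.env.local',
    '.env.production', 'ZOHO-CLIENT-ID.txt', 'ZOHO-CLIENT-SECRET.txt', 'ZOHO-ORG-ID.txt'];

const SECRET_PATTERNS = [
    // Zoho client IDs use the "1000.<alphanumerics>" shape shown in the insecure pattern above
    'Zoho client ID' => '/\b1000\.[A-Z0-9]{8,}\b/',
    // any quoted literal assigned to something named client_secret / clientSecret
    'client secret'  => '/client_?secret[\'"]?\s*(=>|=|:)\s*[\'"][^\'"]{12,}[\'"]/i',
];

/** Names from CREDENTIAL_FILES that .gitignore does not list verbatim. */
function missingFromGitignore(string $root): array
{
    $file = "$root/.gitignore";
    $ignored = is_file($file) ? array_map('trim', file($file)) : [];
    return array_values(array_filter(CREDENTIAL_FILES, fn ($f) => !in_array($f, $ignored, true)));
}

/** "path:line: possible <label>" for every line matching a secret pattern. */
function scanForCredentials(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $info) {
        $rel = substr($info->getPathname(), strlen($root) + 1);
        if (!$info->isFile() || preg_match('#^(\.git|vendor|node_modules)/#', $rel)) {
            continue;                                   // skip VCS metadata and dependencies
        }
        foreach (file($info->getPathname()) as $n => $line) {
            foreach (SECRET_PATTERNS as $label => $regex) {
                if (preg_match($regex, $line)) {
                    $findings[] = sprintf('%s:%d: possible %s', $rel, $n + 1, $label);
                }
            }
        }
    }
    return $findings;
}

$root = $argv[1] ?? getcwd();
$problems = array_merge(
    array_map(fn ($f) => "$f is not listed in .gitignore", missingFromGitignore($root)),
    scanForCredentials($root));
echo $problems ? implode("\n", $problems) . "\n" : "No credential findings\n";
exit($problems ? 1 : 0);
```

Run it as `php credential-scan.php /path/to/repo` from CI or a pre-commit hook; the non-zero exit blocks the deploy. Documentation that shows example IDs (such as this file) will be flagged, so either scope the scan to source directories or treat those hits as expected.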

Compliance Considerations

  1. Data Privacy: Follow GDPR/CCPA guidelines for data access
  2. Access Control: Implement role-based access
  3. Audit Requirements: Maintain access logs
  4. Data Retention: Follow organizational data policies

Security Headers

When serving pages that embed Zoho views, send the framing restrictions as HTTP response headers. Browsers ignore X-Frame-Options delivered in a <meta> tag, and the CSP frame-ancestors directive is likewise ignored when delivered via <meta>, so both must be emitted by the server before any output:

header("Content-Security-Policy: frame-ancestors 'self' https://trusted-domain.com");
header('X-Frame-Options: SAMEORIGIN');

Incident Response

  1. Detection: Monitor for unusual API activity
  2. Containment: Revoke compromised credentials immediately
  3. Investigation: Review logs and access patterns
  4. Recovery: Restore secure access with new credentials
  5. Lessons Learned: Update security practices

Regular Security Tasks

  • Review and rotate credentials quarterly
  • Update dependencies for security patches
  • Audit user permissions monthly
  • Review API access logs weekly
  • Test emergency procedures annually

Contact Information

For security issues:

  1. Do not create public issues for security vulnerabilities
  2. Contact repository maintainers directly
  3. Provide detailed information about the security concern
  4. Allow reasonable time for response and fix

Remember: Security is everyone's responsibility. When in doubt, choose the more secure option.

There aren’t any published security advisories