Best Security Practices

Introduction

Security is key to us. We closely follow the work of the security research community and implement every best practice that can improve the overall security of our applications. We actively work to prevent crawling of your data, hacking of your account, human mistakes, unauthorized access to your confidential data, and anything else that could potentially happen.

While a lot of the security work is done on our side in the background, there are some best practices that you should follow when using Algolia. In this guide, we want to share the features and best practices you must follow to ensure your account and data are completely secure.

General Best Practices

Two-factor Authentication (2FA)

The first step is to ensure that access to your dashboard is secure, as it gives access to all of your API keys and data.

We recommend enabling two-factor authentication (2FA) for every user who has access to your dashboard. Go to the My account menu, enable Two-factor authentication and save. You can use the Google Authenticator app (available on iOS and Android) to scan the generated QR code and confirm your 2FA access.

NOTE: Every member of your team needs to activate 2FA to secure your account.

Secure your Admin API Key

The ADMIN API key of your account should never be shared with anyone and must remain confidential. It provides full control over your account and all of your indices.

Should you have any reason to believe it has been compromised, you can quickly renew your ADMIN API key in the API Keys section of the dashboard. This renewal will immediately revoke the old key.

This API key should almost exclusively be used to generate other, more limited API Keys that will be used to search and perform indexing operations.

ACL for your members

When you invite a member of your team to an Algolia application, you can select the parts of the application they have access to (ACL). Make sure that each member only has access to the right set of features. You can also limit the set of indices someone has access to.

For now, the only person that can add/remove people from the team is the account owner. You cannot change the account owner on your side, but you can contact us if necessary.

HTTPS

Our API requires HTTPS for all index-related operations, and authorizes both HTTP and HTTPS for search operations.

We recommend using HTTPS API calls for the search operations performed on your web or mobile application (it will automatically be the case if your application is using HTTPS and you’re using one of our API clients).

Separating your multiple environments

To avoid mistakes, we recommend separating your different development environments and using a different API key for each environment. We’ve written a guide dedicated to explaining how to set up multiple environments.

Unretrievable Attributes

You may want to index some information on Algolia that you don’t want to be accessible to your users. This can be the case, for example, for the information contained in the attributes used in your Custom Ranking.

Let’s take the example of an e-commerce site. You may want to use the number of sales of your products as a ranking strategy: customRanking=['number_of_sales']. To do that, you would need to index on Algolia the number of sales for each product of your catalogue. Someone could then use your search API Key to retrieve this confidential information.

To prevent this, you can set a list of unretrievableAttributes that cannot be retrieved using your search API Key.

Ruby:

index.set_settings "unretrievableAttributes" => ['number_of_sales', 'products_by_price_desc']

Rails:

class Product < ActiveRecord::Base
  attr_protected
  include AlgoliaSearch
  algoliasearch per_environment: true do
    # Hide the sales figure from search API keys
    unretrievableAttributes [:number_of_sales]
    # ...
  end
end

Python:

index.set_settings({"unretrievableAttributes": ["number_of_sales"]})

PHP:

<?php
$index->setSettings(array(
  "unretrievableAttributes" => array("number_of_sales")
));

Symfony:

<?php
/**
 *
 * @ORM\Entity
 *
 * @Algolia\Index(
 *     unretrievableAttributes = {"number_of_sales"}
 * )
 *
 */
class products
{
}

JavaScript:

index.setSettings({
  unretrievableAttributes: ["number_of_sales"]
})

Java:

index.setSettings(new JSONObject().append("unretrievableAttributes", "number_of_sales"));

Go:

settings := algoliasearch.Map{
    "unretrievableAttributes": []string{"number_of_sales"},
}
index.SetSettings(settings)

C#:

index.SetSettings(JObject.Parse(@"{""unretrievableAttributes"":[""number_of_sales""]}"));

unretrievableAttributes can still be retrieved by using the ADMIN API Key, to help in some debugging situations.
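To check that the ranking attributes described above are actually hidden, the following added example (not Algolia's own code) audits an index settings object and a set of search hits offline. The `public` allowlist, the function names and the sample data are assumptions constructed for illustration; the settings dictionary mirrors the `customRanking` and `unretrievableAttributes` settings discussed in this section.

```python
import re

# Matches the asc(...)/desc(...) wrappers allowed around customRanking entries.
_MODIFIER = re.compile(r"^(?:asc|desc)\((.+)\)$")


def ranking_attributes(settings):
    """Return the bare attribute names listed in customRanking."""
    names = []
    for entry in settings.get("customRanking") or []:
        match = _MODIFIER.match(entry.strip())
        names.append(match.group(1).strip() if match else entry.strip())
    return names


def exposed_ranking_attributes(settings, public=()):
    """Ranking attributes that a search API key can still read.

    `public` is a hypothetical allowlist of ranking attributes that are
    intentionally visible to end users.
    """
    hidden = set(settings.get("unretrievableAttributes") or [])
    return [a for a in ranking_attributes(settings)
            if a not in hidden and a not in public]


def leaked_fields(hits, settings):
    """Unretrievable attributes that nevertheless appear in search hits."""
    hidden = set(settings.get("unretrievableAttributes") or [])
    return sorted({key for hit in hits for key in hit if key in hidden})


# Constructed sample data: one settings object and two search hits.
SETTINGS = {
    "customRanking": ["desc(number_of_sales)", "asc(price)", "margin"],
    "unretrievableAttributes": ["number_of_sales"],
}
HITS = [
    {"objectID": "1", "name": "Lamp", "price": 30},
    {"objectID": "2", "name": "Desk", "price": 120, "number_of_sales": 412},
]

if __name__ == "__main__":
    print("review:", exposed_ranking_attributes(SETTINGS, public={"price"}))
    print("leaked:", leaked_fields(HITS, SETTINGS))
```

A hit that contains a hidden attribute, like the second constructed hit, is what a response fetched with the ADMIN API Key looks like, so a non-empty `leaked_fields` result on front-end traffic suggests the wrong key is in use.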

API Key security

In addition to the general best practices, you should secure your API Keys. There are a lot of limitations you can set on your API Keys to ensure that your users can only access what they are supposed to, and to prevent the crawling of your data using the API Keys. We wrote a specific guide on API Keys and Secured API Keys.