Added

Widget Integration: Signed URLs for Sensitive Information

To strengthen security and prevent unauthorized access, we have introduced mandatory URL signing for widget integrations that include sensitive parameters such as walletAddress or walletAddresses. What's changed:

Passing the signature parameter is now mandatory when using walletAddress or walletAddresses in the widget URL. The widget will fail to load if the signature is missing or invalid.

Signatures must be generated server-side using HMAC-SHA-256, with your secret API key as the HMAC key and the original query string as the message.

The signature must be appended at the end of the URL and its value must be URL-encoded.

In addition to signed URLs, authenticated user session verification is now enforced on the endpoint that generates signatures (e.g., a valid session cookie or bearer token), preventing unauthorized signature generation.

Recommendations:

Ensure all query parameter values are URL-encoded before generating the signature.

Consider implementing Invisible CAPTCHA on endpoints responsible for generating signed URLs, to guard against automated abuse.

https://sandbox-buy.transfi.com/?apiKey={{YOUR_STAGING_API_KEY}}&walletAddress={{walletAddress}}&signature={{signature}}
import crypto from 'crypto';

const originalUrl = 'https://sandbox-buy.transfi.com/?apiKey={{YOUR_STAGING_API_KEY}}&cryptoTicker=BTC&fiatTicker=AED&walletAddress=bc1q98pd9dsaq8zp9xfw46h3d9c0jejl6z5409aghw&cryptoAmount=0.001&country=AE&cryptoNetwork=Bitcoin&paymentCode=AE_BANK_TRANSFER&partnerContext=01KJ97J1HE8HZVM7MRMD1DF8RW&view=sell';

// HMAC-SHA-256 keyed with the secret API key over the query string
// (new URL(...).search, i.e. everything from the leading "?" onward), base64-encoded.
const signature = crypto
  .createHmac('sha256', 'sk_test_key')
  .update(new URL(originalUrl).search)
  .digest('base64');

// Append the URL-encoded signature as the last query parameter.
const urlWithSignature = `${originalUrl}&signature=${encodeURIComponent(signature)}`;

For full details and code examples, refer to the documentation: Widget Integration — Signed URLs

If you have any questions about this change or need assistance with your integration, please do not hesitate to contact our technical support team via the usual channels.