Securing SigningHub Admin API

API Rate Limiting

"RateLimiting": {
  "Enable": false,
  "HttpStatusCode": 429,
  "Response": {
    "Content": "{{ \"Message\": \"Too many requests. You have exceeded the API rate limit. Try again in a while.\" }}"
  }
}

This setting must be configured in the appsettings.json file, and it controls the overall activation of the rate-limiting feature. When enabled, all incoming requests are evaluated against configured limits and policies. Requests exceeding the thresholds will return the defined HTTP status code and message. Disabling this tag turns off rate-limit enforcement, allowing all requests to pass unrestricted.

Enable – Activates or deactivates rate limiting.
HttpStatusCode – Sets the status code returned when a request is blocked.
Response.Content – Defines the message returned to the client when rate-limited.

Global Rate Limiting Policy

"GlobalPolicy": {
  "Enable": false,
  "Type": "SLIDING_WINDOW",
  "Period": "10s",
  "Limit": 60,
  "QueueLimit": 10
}

This setting must be configured in the appsettings.json file, and it defines a sliding-window rate limit applied to all endpoints. It monitors requests across overlapping time windows to smooth spikes in traffic, ensuring stable system performance. Limits and queue size determine the number of requests that can be processed and whether excess requests are queued or rejected.

Enable – Activates or deactivates the global policy.
Type – Sliding-window rate limit algorithm.
Period – Duration of each time window.
Limit – Maximum requests allowed per window.
QueueLimit – Maximum queued requests before rejection.

IP Concurrency Policy

"IPConcurrencyPolicy": {
  "Enable": false,
  "Type": "Concurrency",
  "Limit": 10,
  "QueueLimit": 0,
  "ProcessingOrder": "OldestFirst"
}

This setting must be configured in the appsettings.json file, and it limits the number of simultaneous requests a single IP can make. It focuses on active in-flight requests rather than request rate. Excess requests above the defined limit are queued or rejected to prevent system overload.

Enable – Turns the policy on or off.
Type – Defines the policy type as concurrency-based.
Limit – Maximum simultaneous requests per IP.
QueueLimit – Maximum queued requests.
ProcessingOrder – Determines the order in which queued requests are processed.

Suppression Settings

"SuppressionSettings": {
  "Window": "00:00:30",
  "IdleTimeout": "00:00:20",
  "CountThreshold": 1000
}

This setting must be configured in the appsettings.json file, and it determines how rate-limit violation events are batched before being written to the database. Events are held in memory and flushed when the window ends, the system is idle, or the violation count exceeds the threshold. This reduces database load while ensuring accurate logging of all incidents.

Window – Duration to batch violation events before flushing.
IdleTimeout – Flushes early if no new requests are received.
CountThreshold – Flushes early if the number of violations exceeds this limit.

All rate-limit violation events generate alerts that appear in the Alerts screen in SigningHub Admin, where users can view and explore details about each alert, including suppressed counts.

Token Settings

SigningHub uses token settings to manage authentication and authorisation through issued tokens. These settings can be configured in appsettings.Production.json under the following section:

"TokenSettings": {
  "Audiences": [ {audiences} ],
  "Issuer": "{issuer}",
  "Secret": "{secret}",
  "TokenExpiryInMinutes": 60,
  "RefreshTokenValidityInDays": 25
}

The Audiences field defines the list of allowed audiences against which the token will be validated. The TokenExpiryInMinutes determines how long an access token remains valid, and the RefreshTokenValidityInDays sets the validity period for refresh tokens. If these values are not explicitly configured, SigningHub will continue to use the default values provided in the configuration.

CORS Policy

Signinghub implements CORS policies to control how the resources are accessed from external domains. By default, everything is allowed, but it can be configured in appsettings.Production.json in the following section:

"Cors": {
  "Policy": "AllowAll",
  "Headers": "*",
  "AllowedOrigins": "*"}

For "AllowedOrigins", set the value of origins, e.g. "https://example.com". The SigningHub Admin API would only be accessible from the origins mentioned in the list. If it's not present, then SigningHub will work as of today and allow all origins by default.

HTTP Strict Transport Security (HSTS)

Signinghub implements HSTS to protect from protocol downgrade attacks and cookie hijacking by ensuring that browsers only communicate with the server over HTTPS. The following configurations can be set in appsettings.Production.json accordingly, and ExcludedHosts can be set explicitly as per need:

"Hsts": {
  "Preload": "true",
  "IncludeSubDomains": "true",
  "MaxAge": "60",
  "ExcludedHosts": ""}       (Optional)

If this Optional parameter is specified, this rule applies to all of the site's sub-domains as well.

PreviousSecuring SigningHub Admin NextSecuring SigningHub Desktop Web

Last updated 1 month ago

Was this helpful?

hashtagAPI Rate Limiting

hashtagGlobal Rate Limiting Policy

hashtagIP Concurrency Policy

hashtagSuppression Settings

hashtagToken Settings

hashtagCORS Policy

hashtagHTTP Strict Transport Security (HSTS)