Getting Started with Open Banking Nigeria future forward APIs.

Security Profiles

Security has been designed into the system from the ground up, with a strong consideration to adopt FAPI (the OpenID Foundation's Financial-grade API security profile) for the OAuth 2.0 flows.

The profile should be secure, simple, and adaptable.

Privacy is sacrosanct.

Operational Guidelines

Banks determine who may connect to their APIs.

Banks determine what they charge for access.

Stakeholders are required to implement metrics that can be interrogated (queried and audited by the other parties).

Customer Experience

Should be easy for customers to understand.

Customers should know exactly what each grant of access to their accounts or information permits.

Seamless enough to be invisible to end users.

API Specifications

  • Implement OAuth 2.0 for delegated access, combined with a second authentication factor (2FA) for the customer
  • Log the digital footprint of customers and applications (who accessed what, through which application, and when)

Encryption and other Security Measures

  • API connections and data in transit must be encrypted with TLS 1.2 at the minimum (TLS 1.0 and 1.1 are deprecated and must be disabled)
  • Use cipher suites with perfect forward secrecy, i.e. an ephemeral ECDHE or DHE key exchange, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (AES-256-GCM pairs with SHA-384 in the suite name); static RSA key exchange (TLS_RSA_*) gives no forward secrecy
  • Use Extended Validation (EV) certificates; EV strengthens the vetting of the certificate holder's identity, not the TLS session itself, so the protocol and cipher bullets above still apply
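An added example (not Open Banking Nigeria code) of a server-side TLS context that enforces the three transport bullets above, plus two small audit checks a reviewer can run against it. The OpenSSL cipher string and the function names are assumptions chosen to match the bullets; certificate paths are deployment specific and are not loaded here.

```python
import ssl

# Assumed cipher string: TLS 1.2 suites restricted to ECDHE key exchange with
# AEAD bulk ciphers. TLS 1.3 suites are configured separately by OpenSSL and
# are all ephemeral-key-exchange based, so they need no restriction.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def build_server_context() -> ssl.SSLContext:
    """Context for the bank's API listener: TLS 1.2 minimum, PFS suites only.

    Call ctx.load_cert_chain(certfile, keyfile) with the bank's (EV) certificate
    before handing the context to a server; paths are deployment specific.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(PFS_CIPHERS)                   # raises SSLError if nothing matches
    return ctx


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Audit: names of enabled TLS 1.2 suites whose key exchange is not ephemeral.

    An empty list means every negotiable TLS 1.2 suite has forward secrecy.
    """
    leaks = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue                                # always (EC)DHE
        if not suite["name"].startswith(("ECDHE-", "DHE-")):
            leaks.append(suite["name"])
    return leaks


def has_forward_secrecy(iana_name: str) -> bool:
    """Classify an IANA cipher-suite name: PFS means an ephemeral key exchange."""
    return iana_name.startswith(("TLS_ECDHE_", "TLS_DHE_"))


if __name__ == "__main__":
    ctx = build_server_context()
    print("minimum version:", ctx.minimum_version.name)
    print("non-PFS TLS 1.2 suites still enabled:", non_pfs_suites(ctx))
    for name in ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # the page's suite, PFS
                 "TLS_RSA_WITH_AES_256_GCM_SHA384"):        # static RSA, no PFS
        print(name, "->", "PFS" if has_forward_secrecy(name) else "no PFS")
```

`non_pfs_suites` is the check worth keeping in a deployment test: it reads back what OpenSSL actually enabled rather than trusting the cipher string, so a change to the underlying library or a mistyped suite name shows up as a non-empty list.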

Encryption and other Security Measures (continued)

  • Use an HMAC signature-based authentication model for API keys: the API consumer signs each request with its API secret instead of transmitting the secret
  • Use RESTful APIs instead of SOAP APIs
  • Use JSON Web Tokens (JWT) as the format for security tokens, verifying the signature and the expected algorithm before trusting any claim
  • Allowlist (whitelist) and accept connections only from registered, valid entities
  • Use security headers (e.g. Strict-Transport-Security, X-Content-Type-Options: nosniff, Cache-Control: no-store on responses carrying account data)
  • Avoid sensitive information in HTTP request URLs: account numbers, tokens and secrets belong in headers or the body, never in query strings, which end up in server logs and browser history
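An added example (not Open Banking Nigeria code) covering the HMAC and JWT bullets above: the consumer signs each request with its API secret and the bank verifies it with a freshness window and a one-time nonce, and a JWT verifier that pins the accepted algorithm so a token claiming `alg: none` is rejected. Header names, the canonical string layout, the 300-second window and the use of HS256 are assumptions; FAPI profiles require asymmetric JWS algorithms (PS256/ES256), and HS256 is used here only because it needs no third-party library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

REPLAY_WINDOW_SECONDS = 300   # assumed freshness window for signed requests


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_string(method, path, timestamp, nonce, body: bytes) -> str:
    # Every part the bank relies on is bound into the MAC: altering the path,
    # the body, the timestamp or the nonce invalidates the signature.
    return "\n".join([method.upper(), path, str(timestamp), nonce,
                      hashlib.sha256(body).hexdigest()])


def sign_request(key_id, api_secret: bytes, method, path, body: bytes, now=None) -> dict:
    """Consumer side: headers to attach; the API secret itself never leaves the client."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    mac = hmac.new(api_secret, canonical_string(method, path, ts, nonce, body).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key-Id": key_id, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": mac}


def verify_request(secrets_by_key_id, seen_nonces: set, method, path, body: bytes,
                   headers: dict, now=None):
    """Bank side: (True, 'ok') or (False, reason). The window plus one-time nonce
    stop replay; compare_digest keeps the signature check constant-time."""
    now = int(time.time() if now is None else now)
    secret = secrets_by_key_id.get(headers.get("X-Api-Key-Id"))
    if secret is None:
        return False, "unknown key id"
    try:
        ts, nonce, sig = int(headers["X-Timestamp"]), headers["X-Nonce"], headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed headers"
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False, "stale timestamp"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    expected = hmac.new(secret, canonical_string(method, path, ts, nonce, body).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"


def jwt_encode(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT in compact serialization."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def jwt_verify(token: str, key: bytes, expected_aud: str, now=None):
    """(claims, None) on success, (None, reason) otherwise. The algorithm is pinned
    by the verifier: a header saying 'none' or any other alg is rejected before the
    signature is even examined, which closes the classic alg-confusion hole."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:                      # covers binascii.Error and JSONDecodeError
        return None, "malformed token"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if not isinstance(claims, dict) or claims.get("aud") != expected_aud:
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "expired or missing exp"
    return claims, None


if __name__ == "__main__":
    key_db = {"tpp-001": b"constructed-shared-secret"}          # constructed registry
    body = b'{"account_number":"0123456789"}'
    hdrs = sign_request("tpp-001", key_db["tpp-001"], "POST", "/v1/balances", body)
    print(verify_request(key_db, set(), "POST", "/v1/balances", body, hdrs))   # (True, 'ok')
    tok = jwt_encode({"sub": "cust-42", "aud": "ob-ng-api", "exp": int(time.time()) + 600}, b"k")
    print(jwt_verify(tok, b"k", "ob-ng-api"))
```

The nonce set is an in-memory stand-in; a real gateway keeps seen nonces in shared storage with a TTL of at least the replay window, otherwise a second instance would accept the replayed request.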

General Secure Development Principles

  • Develop using secure coding principles

Parameter Validation

  • Validate content types: reject any request whose media type is not the one the endpoint expects
  • Validate lengths, structures and schemas before the payload reaches business logic
  • Validate all inputs against an allowlist of expected types, formats and values, and sanitize anything that must be passed on
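An added example (not from the Open Banking Nigeria specification) that applies the three validation bullets in order to a JSON request body: media type, byte length, structural shape, then a per-field schema. The account-information schema, the field names and the limits are illustrative assumptions.

```python
import json
import re

MAX_BODY_BYTES = 4096                   # assumed limit for this endpoint
ALLOWED_MEDIA_TYPE = "application/json"

# Patterns are checked with re.fullmatch, so they carry no ^/$ anchors. A
# pattern ending in '$' would also accept a value ending in a newline, which
# fullmatch does not.
ACCOUNT_REQUEST_SCHEMA = {                # assumed schema for illustration
    "account_number": {"type": str, "pattern": r"[0-9]{10}"},
    "scope":          {"type": str, "enum": {"balance", "transactions"}},
    "from_date":      {"type": str, "pattern": r"\d{4}-\d{2}-\d{2}", "optional": True},
    "limit":          {"type": int, "min": 1, "max": 500, "optional": True},
}


def validate_request(content_type: str, raw_body: bytes, schema=ACCOUNT_REQUEST_SCHEMA):
    """Return (parsed_object, []) when the request is acceptable, else (None, [errors]).

    Checks run in the order of the bullets above: media type, length, structure,
    then schema. Unknown fields are rejected (allowlist), not silently dropped.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != ALLOWED_MEDIA_TYPE:
        return None, [f"unsupported content type: {media_type!r}"]
    if len(raw_body) > MAX_BODY_BYTES:
        return None, [f"body exceeds {MAX_BODY_BYTES} bytes"]
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None, ["body is not valid UTF-8 JSON"]
    if not isinstance(data, dict):
        return None, ["body must be a JSON object"]

    errors = [f"unexpected field: {k}" for k in data if k not in schema]
    for name, rule in schema.items():
        if name not in data:
            if not rule.get("optional"):
                errors.append(f"missing field: {name}")
            continue
        value = data[name]
        # Exact type match: bool is a subclass of int, so an isinstance() check
        # would let {"limit": true} through as an integer.
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and re.fullmatch(rule["pattern"], value) is None:
            errors.append(f"{name}: does not match required format")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{name}: not an allowed value")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
    return (data, []) if not errors else (None, errors)


if __name__ == "__main__":
    # Constructed sample requests: one good, one with a type-confused field.
    good = b'{"account_number":"0123456789","scope":"balance","limit":50}'
    bad = b'{"account_number":"0123456789","scope":"balance","limit":true,"admin":1}'
    print(validate_request("application/json; charset=utf-8", good))
    print(validate_request("application/json", bad))
    print(validate_request("text/xml", b"<request/>"))
```

Returning the full list of errors rather than the first one makes the check usable in a conformance test; the response sent to the consumer should still be a generic 400 that does not echo attacker-controlled input.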

Threat Detection

  • Apply threat detection using a Web Application Firewall (WAF) in front of the API gateway, with its alerts fed to the bank's monitoring