The Dworkin framework was designed with respect to established information security design principles.
and for config file:
Please refer to the Play Security Configuration docs for more information on SSL configuration.
Message digest and tokens
The Dworkin Administrative API uses SHA-256 message digest verification to protect the request body of each API function. Please refer to the Merchant API description and Swagger examples. The Customer API requires SHA-256 message digest verification for the registration and authorising API functions and then uses restricted-lifetime tokens for API communication. Please refer to the Customer API description and Swagger examples.
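The request-body digest check described above, as an added example (not Dworkin's own code): the client digests the exact bytes it sends, and the server recomputes over the raw body before parsing and compares in constant time. The header name `X-Body-Digest`, the hex encoding and the JSON payload are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json

# Assumption: the page does not name the header or the encoding, so a
# hypothetical header carrying the hex-encoded SHA-256 is used here.
DIGEST_HEADER = "X-Body-Digest"
HEX_CHARS = set("0123456789abcdef")


def body_digest(body: bytes) -> str:
    """SHA-256 over the exact bytes on the wire, hex-encoded."""
    return hashlib.sha256(body).hexdigest()


def build_request(payload: dict) -> tuple[dict, bytes]:
    """Client side: serialize once and digest the same bytes that are sent."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    headers = {"Content-Type": "application/json",
               DIGEST_HEADER: body_digest(body)}
    return headers, body


def verify_request(headers: dict, body: bytes) -> bool:
    """Server side: recompute over the raw body *before* parsing it.

    Rejects a missing or malformed header and compares in constant time so
    the comparison itself does not leak how many leading characters matched.
    """
    presented = headers.get(DIGEST_HEADER, "").lower()
    if len(presented) != 64 or not set(presented) <= HEX_CHARS:
        return False
    return hmac.compare_digest(body_digest(body), presented)


def demo() -> dict:
    """Constructed merchant-style payload; returns the outcome of each check."""
    headers, body = build_request({"merchant_id": "m-123", "amount": 1000,
                                   "card_token": "tok_constructed"})
    # A re-serialized body (same JSON, different whitespace) must fail:
    # the digest covers bytes, not the parsed document.
    reserialized = json.dumps(json.loads(body), indent=2).encode()
    return {
        "genuine": verify_request(headers, body),
        "tampered": verify_request(headers, body.replace(b"1000", b"9000")),
        "reserialized": verify_request(headers, reserialized),
        "no_header": verify_request({}, body),
    }


if __name__ == "__main__":
    print(demo())
```

An unkeyed digest detects a body that was altered or re-serialized in transit; on its own it does not identify the sender, which is why it sits alongside the TLS configuration above and the tokens the APIs issue.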
Internal traffic encryption
Internal Dworkin service traffic is orchestrated by Consul and therefore depends on Consul's security model; as a result it can be encrypted using Consul's built-in security mechanisms, described in the Consul encryption guide.
The Dworkin framework doesn't store any sensitive card payment data (PAN, CVV, CVC, expiration dates, etc.); it uses card tokens provided by Card Processor Systems to perform operations with cards.