Dworkin framework was created with respect to existed information security design principals.


Dworkin Public API (Customer and Administrative)  in production mode can be executed to process requests only using SSL connector. To run it with HTTPS enabled connector use the following script:

and for config file:

Please refer to Play Security Configuration docs to get more information on SSL configuration.

Message digest and tokens

Dworkin Administrative API uses SHA-256 message digest verification to protect request body of each API function. Please refer to Merchant API description and Swagger examples.  Customer API requires SHA-256 message digest verification for registration and authorising API functions and then uses restricted lifetime tokes for API communication. Please refer to Customer API description and Swagger examples

Internal traffic encryption

Internal Dworkin service traffic is orchestrated by Consul and thereby depends on Consul security model and as a result can be easily encrypted using Consul built-in security mechanisms, described in Consul encryption guide.

Card tokens

Dworkin framework doesn’t store any sensitive card payment data (PAN, CVV, CVC, expiration dates, etc) and uses card tokens provided by Card Processor Systems to provide operations with cards.