Security

Explore the enterprise-grade security architecture of the nXus API.

The nXus API is built on a foundation of enterprise-grade security, ensuring your financial data is protected at every layer. As a passthrough API for QuickBooks Desktop, our architecture is uniquely designed to minimize risk and maximize data privacy.

Core Architecture

True Zero-Storage (In-Memory Broker)

Our biggest architectural advantage is our in-memory passthrough broker. Your data flows securely through our system and is never written to disk or a database.

  • There is no client financial data at rest to encrypt, because it never exists at rest.
  • No third-party subprocessor has access to your live QuickBooks data.
  • A breach of our caching layers or databases would reveal zero client financial data.

Security Features

Authentication & API Keys

  • API Key Entropy: Keys are generated using a 288-bit cryptographically secure pseudorandom number generator (CSPRNG), are strongly hashed, and the plaintext is never stored.
  • Key Rotation: Zero-downtime rotation with configurable grace periods and proactive warning headers (X-Api-Key-Rotation-Warning).
  • Key Mode Isolation: Strict enforcement of test (sk_test_) and live (sk_live_) keys prevents accidental production access.
  • Webhook Security: Webhook payloads are secured using HMAC-SHA256 signatures, validated with constant-time comparison to prevent timing attacks.
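
A receiver-side sketch of the webhook check described above, as an added example that is not nXus code. The hex encoding of the signature, the function names, and the sample secret and payload are assumptions; take the real header name and encoding from the nXus webhook documentation.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values for illustration only.
SECRET = b"constructed-test-secret"
BODY = b'{"event":"invoice.updated","id":"evt_123"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes sent on the wire (sender side)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes,
                   received_sig: Optional[str]) -> bool:
    """Return True only if received_sig is a valid HMAC-SHA256 of raw_body."""
    if not received_sig:
        return False  # missing signature header: fail closed
    try:
        received = bytes.fromhex(received_sig.strip())
    except ValueError:
        return False  # not hex (assumed encoding): reject without comparing
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest runs in time independent of where the inputs differ,
    # so response timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def handle(secret: bytes, raw_body: bytes,
           received_sig: Optional[str]) -> Optional[dict]:
    """Verify first, parse second: unauthenticated bytes never reach the parser."""
    if not verify_webhook(secret, raw_body, received_sig):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    good = sign(SECRET, BODY)
    print("valid signature:", handle(SECRET, BODY, good))
    # Re-serialising the JSON changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(BODY)).encode()
    print("re-serialised body accepted:", verify_webhook(SECRET, reserialised, good))
```

Compute the HMAC over the raw request body as received; frameworks that hand the handler an already-parsed object need the raw bytes captured before parsing.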

Access Control & Isolation

  • Tenant Isolation: Robust global query filters and strict data namespacing enforce hard boundaries between tenants. Any request lacking proper context immediately fails.
  • Infrastructure: We keep subprocessor exposure to an absolute minimum by leveraging self-hosted, secure infrastructure, ensuring you maintain complete control over your data exposure.

Network & Infrastructure Protection

  • Rate Limiting: Comprehensive multi-tier rate limiting (API, Auth, Login, Support) plus per-connection daily quotas to ensure high availability.
  • IP Defense: Real-time, database-backed IP blacklisting with CIDR support and automated obfuscation against malicious probing.
  • DoS Protection: Strict limits on payload sizes, concurrent connections, and header timeouts are enforced to protect against denial-of-service attacks.

Application Security

  • Input Validation: Strict validation runs on every request, with required formats and rules auto-published to our OpenAPI schema.
  • Error Handling: Global exception handling ensures sensitive system information or stack traces are never leaked, always returning safe, standardized RFC 7807 problem details.
  • CORS: Strict policies are enforced; wildcard requests are rejected outright to prevent cross-origin risks.
  • HSTS: Enforced with a 365-day max-age, preload, and includeSubDomains directives.

Account Security

  • Account Lockout: Multiple failed authentication attempts automatically trigger temporary account lockouts to prevent brute-force attacks.
  • Password Policy: Industry-standard strong hashing algorithms are used to protect all user credentials, alongside strict password complexity requirements.
  • Cookie Security: All session cookies are strictly configured with HttpOnly, SameSite=Strict, and Secure flags.

Auditing

  • Audit Trail: Comprehensive audit logging system with tiered retention. Critical security events are retained indefinitely for compliance and forensic analysis.