Runscope Developer Guide

Security

Security is our top priority. If you think you've found a vulnerability in any Runscope service, please contact us.

How We Keep You Safe

Runscope uses best practices for Internet security. This helps ensure that your data is safe, secure, and available only to authorized users. Your data will be completely inaccessible to anyone else, unless you explicitly choose to share that data with the public.

Runscope enforces secure HTTPS for our entire website, including the public (unauthenticated) parts of the site. All communications with Runscope’s API are also protected with SSL. We also use HTTP Strict Transport Security to ensure your web browser never interacts with Runscope over insecure HTTP.

Runscope Passageway allows you to connect your local development environment to Runscope. The Passageway protocol is encrypted with SSL, and the Passageway client verifies that it is communicating with an authorized Runscope server. Because Passageway connects your local environment to the Internet, we strongly recommend you configure it to use an Authenticated Bucket (described below) and disconnect the client when you're not actively using it.

Runscope provides each user in your organization with a unique user name and password. These credentials must be entered to access your organization’s data.

How To Keep Yourself Safe

Runscope can be used to inspect traffic to APIs that communicate via plain-text HTTP or encrypted HTTPS. When you use Runscope with a plain-text HTTP API, all network traffic between your server and Runscope will be sent in plain text, as will all network traffic between Runscope and your API provider.

For this reason, we recommend that you use HTTPS whenever possible. If an API gives you the choice, you should always use HTTPS.

Anyone who knows a bucket's randomly generated bucket key can write to that bucket; however, data can only be viewed by the bucket owner. You may optionally enable secondary authentication for a bucket. Authenticated buckets require an additional secret token, supplied in either an HTTP header or a query string parameter, to write to a bucket. You can enable authentication tokens for your buckets on the Bucket Settings page of your dashboard. Read more about Authenticated Buckets.

Contacting Runscope

If you've found a security vulnerability in a Runscope web site or service, please send an email to security@runscope.com. Your email will be reviewed promptly and we guarantee a personal response within 24 hours. We request that you not publicly disclose the issue until it has been addressed by Runscope.

If you are a Runscope customer and have further questions about your data's security, please contact help@runscope.com.

If you choose to contact Runscope security, you can encrypt with PGP or the free alternative GnuPG. Our PGP key is listed below. This key is also registered with the MIT Public Key Server. You may use this key to encrypt your communications with Runscope.

Once you've imported our key, you can verify the signature of emails we send you by running gpg --verify.

User name: Runscope Security 
Key ID: 1BD1C4B3
Key fingerprint: 6612 E367 6094 7A50 AB34  0D79 7868 9B3D 1BD1 C4B3
Expiration date: May 15, 2015
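
Before encrypting to a key fetched from a key server, compare its full fingerprint (not just the short Key ID) with the value published above and check that it has not expired. The script below is an added example, not Runscope's own tooling; the function names and the sample listing are constructed for illustration, and it assumes GnuPG 2.x colon-format output.

```shell
#!/bin/sh
# Added example. Real input would come from:
#   gpg --with-colons --fingerprint 1BD1C4B3
# Assumes GnuPG 2.x colon output, where dates are epoch seconds.

PUBLISHED_FPR='6612 E367 6094 7A50 AB34  0D79 7868 9B3D 1BD1 C4B3'  # from this page

# Constructed sample listing: key size and creation date are made up;
# the expiry field is May 15, 2015 00:00 UTC as an epoch value.
SAMPLE_LISTING='pub:-:2048:1:78689B3D1BD1C4B3:1368576000:1431648000::-:::scESC:
fpr:::::::::6612E36760947A50AB340D7978689B3D1BD1C4B3:'

# Strip whitespace and upper-case hex so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print the primary key fingerprint: field 10 of the first "fpr" record.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the listing on stdin carries the expected full fingerprint.
fingerprint_matches() {
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$(primary_fpr)")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Succeed only if a "pub" record exists, is not flagged expired (e) or
# revoked (r) in field 2, and its expiry (field 7) is later than $1.
key_usable_at() {
    awk -F: -v now="$1" '
        $1 == "pub" {
            ok = ($2 != "e" && $2 != "r" && ($7 == "" || $7 + 0 > now + 0))
            exit
        }
        END { exit (ok ? 0 : 1) }'
}

if printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches "$PUBLISHED_FPR"; then
    echo "fingerprint matches the published value"
fi
```

Against a real keyring, pipe the gpg listing into fingerprint_matches and pass "$(date +%s)" to key_usable_at; both checks fail closed when the expected record is missing.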

