Runscope Developer Guide
Security is our top priority. If you think you've found a vulnerability in any Runscope service, please contact us.
Runscope uses best practices for Internet security. This helps ensure that your data is safe, secure, and available only to authorized users. Your data will be completely inaccessible to anyone else, unless you explicitly choose to share that data with the public.
Runscope enforces secure HTTPS for our entire website, including the public (unauthenticated) parts of the site. All communications with Runscope’s API are also protected with SSL. We also use HTTP Strict Transport Security to ensure your web browser never interacts with Runscope over insecure HTTP.
Runscope Passageway allows you to connect your local development environment to Runscope. The Passageway protocol is encrypted with SSL, and the Passageway client verifies that it is communicating with an authorized Runscope server. Because Passageway connects your local environment to the Internet, we strongly recommend you configure it to use an Authenticated Bucket (described below) and disconnect the client when you're not actively using it.
Runscope provides each user in your organization with a unique user name and password. These credentials must be entered to access your organization’s data.
Runscope can be used to inspect traffic to APIs that communicate via plain-text HTTP or encrypted HTTPS. When you use Runscope with a plain-text HTTP API, all network traffic between your server and Runscope will be sent in plain text, as will all network traffic between Runscope and your API provider.
For this reason, we recommend that you use HTTPS whenever possible. If an API gives you the choice, you should always use HTTPS.
Anyone who knows a bucket's randomly generated bucket key can write to it; however, data can only be viewed by the bucket owner. You may optionally enable secondary authentication for a bucket. Authenticated buckets require an additional secret token, supplied in either an HTTP header or a query string parameter, to write to the bucket. You can enable authentication tokens on the Bucket Settings page of your dashboard. Read more about Authenticated Buckets.
If you've found a security vulnerability in a Runscope web site or service, please send an email to email@example.com. Your email will be reviewed promptly and we guarantee a personal response within 24 hours. We request that you not publicly disclose the issue until it has been addressed by Runscope.
If you are a Runscope customer and have further questions about your data's security, please contact firstname.lastname@example.org.
If you choose to contact Runscope security, you can encrypt with PGP or the free alternative GnuPG. Our PGP key is listed below. This key is also registered with the MIT Public Key Server. You may use this key to encrypt your communications with Runscope.
Once you've imported our key, you can verify the signature of emails we send you by running
User name: Runscope Security
Key ID: 1BD1C4B3
Key fingerprint: 6612 E367 6094 7A50 AB34 0D79 7868 9B3D 1BD1 C4B3
Expiration date: May 15, 2015
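An added example, not part of Runscope's documentation: before trusting a key fetched from a keyserver, compare its full fingerprint (an 8-character key ID alone is not enough) against the one published above, and check its expiration. The listings are constructed samples, `check_key_listing`, `sample_listing` and `lookalike_listing` are hypothetical helper names, and the script assumes GnuPG's machine-readable `--with-colons` output with epoch timestamps.

```shell
#!/bin/sh
# Fingerprint as published on this page.
EXPECTED_FPR="6612 E367 6094 7A50 AB34 0D79 7868 9B3D 1BD1 C4B3"

# Strip spaces and upper-case so differently formatted fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# check_key_listing EXPECTED_FPR NOW_EPOCH   (hypothetical helper)
# Reads `gpg --with-colons --fingerprint` output on stdin and checks the first key.
# Exit status: 0 = full fingerprint matches and the key is unexpired
#              1 = fingerprint differs, or no key in the listing
#              2 = fingerprint matches but the key has expired
check_key_listing() {
    awk -F: -v want="$(normalize_fpr "$1")" -v now="$2" '
        $1 == "pub" && !seen_pub { expires = $7; seen_pub = 1; next }  # field 7: expiry (epoch)
        $1 == "fpr" && seen_pub && got == "" { got = toupper($10) }    # first fpr = primary key
        END {
            if (got == "" || got != want) exit 1
            if (expires != "" && expires + 0 <= now + 0) exit 2
            exit 0
        }'
}

# Constructed listing for the key described on this page (timestamps are illustrative).
sample_listing() {
    cat <<'EOF'
pub:e:2048:1:78689B3D1BD1C4B3:1368576000:1431648000::-:::sc:
fpr:::::::::6612E36760947A50AB340D7978689B3D1BD1C4B3:
uid:e::::1368576000::::Runscope Security:
EOF
}

# Constructed look-alike: same 8-character key ID (1BD1C4B3), different fingerprint.
lookalike_listing() {
    cat <<'EOF'
pub:-:2048:1:CCDDEEFF1BD1C4B3:1368576000:::-:::sc:
fpr:::::::::00112233445566778899AABBCCDDEEFF1BD1C4B3:
uid:-::::1368576000::::Runscope Security:
EOF
}

sample_listing    | check_key_listing "$EXPECTED_FPR" 1400000000; echo "sample, 2014: $?"
sample_listing    | check_key_listing "$EXPECTED_FPR" 1500000000; echo "sample, 2017: $?"
lookalike_listing | check_key_listing "$EXPECTED_FPR" 1400000000; echo "look-alike:   $?"
# Real use: gpg --with-colons --fingerprint 1BD1C4B3 | check_key_listing "$EXPECTED_FPR" "$(date +%s)"
```

A status of 2 means the fingerprint is the published one but the key is past its expiration date, so a current key should be requested before sending anything sensitive.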