# VSF API Best Practices
Vue Storefront API and its successor the Storefront API are a data layers designed to limit the contact of your Magento instance (and any other data sources) with outside world. All the API requests Vue Storefront is making in order to get necessary data are proxied by these layers. Please use them wisely to secure your application.
# Always check the data ownership
If you need additional data operations as
vue-storefront-api extensions or
storefront-api modules. Please be aware of checking the customer's tokens each time you're returning any data related or including personal information.
For example you might want to support the Product Alerts feature in your VSF site. The feature isn't included out of the box. So naturally, you could add a endpoint to fetch the product alerts (checking if user already subscribed to it):
If you use the
magento2-rest-client to simply proxy this request to Magento2 API then you'll get the response:
By this - innocent as it might look at first glance - feature you're just exposing all the e-mail used for product alerts to anyone who'll just experiment with different
customerId parameter values.
The right way to handle such requests would be to always pas the
token parameter along and verify the ownership of the data. Here's an example how
order-history endpoint verifies the ownership of the data
# Set only the minimal required permissions
The Magento2 API credentials (oauth2 tokens) are required for Vue Storefront to work. However in the Magento2 Admin Panel you can set whole range of the permissions. Please make sure you enable the only the minimal set of features to be accessed via these oauth2 keys which are:
Catalog Sales My Account Carts Stores > Settings > Configuration > Inventory Section Stores > Taxes Stores > Attributes > Product
Please read more about the VSF Data imports in the "Data Imports Cookbook"
# Make sure ElasticSearch and Redis are secured
The services shouldn't be accessible from over the Internet. The network traffic should be limited via system firewall to the access just from the
# Limit the ElasticSearch indexes accessible via API
vue-storefront-api config files you can limit the access to only the Elastic indexes that are used for VSF product catalog. Please make sure the
elasticsearch.indices property is set properly.
# Limit the scope of the ElasticSearch data
By default, the whole ElasticSearch index used by Vue Storefront is publicly available and can by queried by the user anyway they want using the ElasticSearch DSL or
storefront-query-builder queries. You shouldn't index more attributes or more data than it's allowed for the users to fetch. However there are some situations like having individual prices embedded into ElasticSearch in which you must make sure these fields are accessible only to the users that have the privileges to see them.
In that case you can use the
excludeFields filters server side. This is a new feature (till now these field filters were driven by Vue Storefront frontend app). Please make sure you're using it by checking the
Another way of limiting the scope of the data accessible via Vue Storefront API or adding custom business logic for filtering this data out - for example dynamically, based on the
GET parameters (like user token) is to create a custom
ResultProcessor. Heres' a tutorial on how to create one. Here's an example how the default
Product processor is filtering/compacting out some fields from the Elastic feed.