Crypto Casino
Torrent Gear
How the casino monitors the security of API requests
Why API security is critical in iGaming
API - casino nervous system: bets, wallet, cash desk, game providers, KYC/KYT, telemetry. Any hole = money, PII, license, reputation. Unlike regular e-commerce, casinos have features: real-time money, regulation, high motivation of attackers and a complex integration matrix.
Architectural principles (protection skeleton)
1. Zero-Trust & Least Privilege. We do not trust the network or customers. Each call is checked, accesses are the minimum required (RBAC/ABAC).
2. Domain separation. Money/PII/cash/game gateways - different perimeters and networks, different keys and policies.
3. Single API gateway. Point: mTLS, WAF/bot management, OAuth2/JWT, rate limits, threat-feeds, logging.
4. Default observability. Tracing, correlation'traceId', alerts on anomalies (SLO/SIEM).
5. Safe defaults. Short TTL tokens, banning "wide" CORS, deny-by-default in NetworkPolicy.
Authentication and authorization
Inter-service calls: mTLS + short-lived JWT (5-10 min) with'aud/iss/kid 'and key rotation; optional HMAC body signature.
Call Integrity - Signatures, Time, Idempotence
HMAC signature of canonized submission request: parameter sorting, stable JSON serialization (without unnecessary spaces, the same key order), headers:
X-Request-Timestamp: 2025-10-17T14:22:05Z
X-Request-Nonce: 8c1c...fa
X-Request-Signature: v1=HMAC-SHA256:base64(…)
X-Idempotency-Key: c0a4-77f…Replay protection: valid time window (± 300 seconds), checking'nonce 'in cache.
Idempotency-Key for money/webhooks: repeating the request does not create a second debit/credit.
mTLS to wallet/cash desk/providers: transport encryption + mutual verification of the parties.
Example of secure POST:
POST /wallet/debit
Content-Type: application/json
X-Request-Timestamp: 2025-10-17T14:22:05Z
X-Request-Nonce: 8c1c0cfa
X-Idempotency-Key: 9a7f-2b1c
X-Request-Signature: v1=HMAC-SHA256:Z2V…==
{
"playerId":"p_123", "amount":"10. 00", "currency":"EUR", "reason":"bet. place", "roundId":"R-2025-10-17-PRAGM-12"
}Input validation: schematics and canonicalization
JSON Schema/OpenAPI as contract. Any string - through validation of types, ranges and whitelists (ISO codes of currencies/countries, enum statuses).
Size limits: limit the size of the body and arrays, prohibit "deep" nesting.
Canonicalization of JSON before signature/logs, screening of special characters, strict 'Content-Type'.
Mass assignment lock-Explicit allow-lists of fields.
Surface protection: WAF, bots, speed
WAF/bot management: signatures and behavioral detection (rate, geo, device-fingerprint).
Rate limits/quotas: by IP/token/client/method; separate limits on money and non-money.
DoS/abuse-control: circuit-breakers, timeouts, backpressure, "gray lists."
CORS: point 'Access-Control-Allow-Origin', wildcard ban and 'Authorization' in browser cross-origins needlessly.
OWASP API Top-10 → specific measures
BOLA/BFLA (Broken Object/Function Level Auth): ABAC by resource owner, filters by 'playerId', prohibition of "foreign" identifiers.
Injection/SSRF: parameterized requests, prohibition of external URLs in server calls, host allowlist.
Excessive Data Exposure: shaping of responses (fields mask), pagination, error normalization without part leakage.
Security Misconfiguration: TLS/cipher version unity, CSP/Permissions-Policy/Referrer-Policy headers.
Unsafe Consumption of APIs: wrappers over provider APIs with timeouts, retrays, deduplication.
PII and privacy
PII tokenization and encryption (player attributes, KYC documents): KMS/HSM, fields - AES-GCM.
Data minimization: in events/logs - only aliases ('playerId'), never - document/card numbers.
Retention: TTL is different for domains (wallet/games/cash register) according to the requirements of jurisdictions.
Role access: differentiation of PII reading at the database and services level (row-level security/policy).
Safe webhooks and box office
Two-factor verification: mTLS to webhook + HMAC signature of the provider.
Anti-replay: 'X-Idempotency-Key', 'X-Timestamp', time window.
Allowlist IP/ASN provider, static egress-IP with us.
"Poisonous" payloads: size limits, ignoring unused fields, strict scheme.
Audit and test endpoint: provider sandbox + contract tests.
Secrets and keys
Storage: KMS/HSM/Secrets-manager, never in git/environment variables without encryption.
Rotation: automatic, 'kid' in headers/metadata, revoking compromised keys.
Access: break-glass procedures, logging all access to secrets.
Logs, trails, alerts
Correlation: 'traceId/requestId/playerId/roundId' in each layer (ingress → API → wallet → provider → webhook).
Anomalies: surge '401/403/429', growth 'VOID', jumps' bet. reject 'by region, HMAC/mTLS failures.
Attack signals: many'nonce 'replays, old' timestamp'attempts, long bodies, unknown' kid '.
Log storage: immutable (WORM), separate access zone, PII masking.
Test plan and quality control
Static/Dynamic AppSec: SAST/DAST on each CI, secret signatures, dependencies - SCA.
Pentests and ed-tim: replay scripts, signature on the wrong channel, rate-limits bypass, BOLA, SSRF.
Contract tests: for OpenAPI/JSON-Schema, "negative cases."
Chaos/latency drills: behavior at timeouts of providers/cash desks, correctness of idempotency.
Bug-bounty: a program with a separate perimeter and reporting rules.
Useful titles and settings
`Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
`Content-Security-Policy: default-src 'none'; frame-ancestors'none "(for API domains)
`Referrer-Policy: no-referrer`
`Permissions-Policy: geolocation=(), microphone=(), camera=()`
`X-Content-Type-Options: nosniff`
'Cache-Control: no-store'on private endpoints
Error Responses - Single Format
json
{ "error":"INVALID_SIGNATURE", "code":"SEC_401", "traceId":"tr_5f1", "ts":"2025-10-17T14:22:06Z" }Anti-patterns (which breaks security)
Long-lived JWT/refresh tokens without rotation and binding to the device.
The signature "as is" without canonicalization of JSON → the passage of checks.
Lack of 'Idempotency-Key' on money/webhooks → double write-offs.
Wildcard-CORS and "in 'Access-Control-Allow-Origin' for endpoints with 'Authorization'.
Logs with PII/secrets, shared access to logs "for everyone."
A single HMAC shared key for all integrations.
No JSON size/depth limits, no timeouts and circuit-breakers.
Errors that reveal internal parts (stack traces, SQL, library versions).
Casino API Security Checklist
Perimeter and transport
- mTLS on inter-service and provider channels; TLS 1. 3 everywhere.
- API gateway with WAF/bot management, rate limiting, threat-feeds.
- CORS - addressable only, no wildcard.
Authentication/Authorization
- OAuth2/OpenID for clients, JWT with TTL ≤ 10 min, key rotation ('kid').
- RBAC/ABAC by domain; admin - SSO + MFA + IP-allowlist.
Integrity and re-requests
- HMAC signature, 'X-Request-Timestamp', 'X-Request-Nonce' and time window.
- 'X-Idempotency-Key' on money, webhooks, checkout; storing keys in the cache.
Validation
- OpenAPI/JSON-Schema, JSON canonicalization, size/depth limits.
- Masking and whitelists for fields; prohibition of mass assignment.
PII and data
- PII tokenization/encryption (KMS/HSM), minimization, separate retention policies.
- Split storage for PII/telemetry/money.
Integration
- Webhooks: mTLS + HMAC, allowlist IP, anti-replay, contract tests.
- Cash/crypto: two providers and different keys/networks, idempotency for input/output.
Observability
- Tracing with 'traceId/playerId/roundId', alert to attack signals.
- Logs immutable (WORM), no PII/secrets.
Processes
- SAST/DAST/SCA in CI, pentests/ed-tim regularly, bug-bounty.
- Runbooks incidents: revoke keys, rollback, communications.
API security in iGaming is not "put WAF." These are the system: mTLS + signatures + idempotency, strict validation and canonicalization, perimeter and speed protection, PII isolation, secure cash register webhooks, observability and regular checks. By making this part of the engineering culture, you protect money, players and the license while maintaining product speed and release stability.