Secure Vault for Customer Personal Records in Under 10 Minutes

Databunker is an open-source vault for secure storage of PII, PHI, KYC, and PCI records. Protect user records from SQL and GraphQL injections with a simple API. Streamline GDPR, HIPAA, ISO 27001, and SOC2 compliance.


docker run -p 3000:3000 -d securitybunker/databunker demo
# save user records
curl -s http://localhost:3000/v1/user -X POST -H "X-Bunker-Token: DEMO" -H "Content-Type: application/json" \
-d '{"first":"John","last":"Doe","login":"john","email":"user@gmail.com"}'
# user lookup by login, email, phone, or token
curl -s -H "X-Bunker-Token: DEMO" -X GET http://localhost:3000/v1/user/login/john

Implement Secure Session Storage for Web Apps to Outsmart Attackers

For web developers, securing the data kept in session storage is crucial. A session object holds sensitive information such as user email addresses, permissions, and error messages. Protecting this data matters even more when it includes personal information such as Personal Identifiable Information (PII) or Personal Health Information (PHI).

In today’s digital landscape, the European Union’s emphasis on online privacy and data protection through the General Data Protection Regulation (GDPR) affects businesses worldwide. If your company serves European customers, GDPR compliance is non-negotiable, irrespective of your location.

This article delves deep into the world of GDPR and its implications for the storage of user-session information. We’ll explore the key considerations that developers must bear in mind to ensure secure session storage while meeting GDPR requirements.

To achieve this goal, we introduce Databunker—an open-source Swiss army knife tool designed to securely store personal records, PII, and PHI. We will explore how Databunker can seamlessly align with GDPR guidelines, ensuring your web application’s session storage remains both efficient and compliant.

What is a session?

A session can be defined as a server-side storage of information that is desired to persist throughout the user’s interaction with the web site or web application.

GDPR principle of integrity and confidentiality

GDPR stands on a number of principles, and integrity and confidentiality are among them. These principles require that appropriate security measures be in place to protect personal data.

So, do we need to encrypt personal data?

Although there are no explicit GDPR encryption requirements, the regulation does require you to enforce security measures and safeguards. The GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of personal data security.

The GDPR requires companies to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is “data protection by design and by default”.

In this article I will cover smarter methods to make your session code privacy-compliant.

Introduction to Databunker

But first, let me give you a bit more information about what Databunker is and how it works since we’ll be discussing it in some of these methods below.

Databunker solution

Databunker is a GDPR-compliant user store service for web and mobile apps. It is a special-purpose application server that combines several software concepts into one product and provides secure PII storage and privacy by design out of the box:

  1. A Personal Identifiable Information (PII) storage and vault
  2. Secure session storage for web applications
  3. Privacy portal for customers
  4. Application backend server
  5. DPO management tool
  6. Tokenization service
  7. Secret sauce

Project website: https://databunker.org/

Databunker API

Databunker provides an easy-to-use API for secure session storage. In the backend, Databunker encrypts the session data and stores it in a regular SQL database (SQLite, MySQL, PostgreSQL). See the Databunker API documentation for additional information:

https://documenter.getpostman.com/view/11310294/Szmcbz32

Databunker support for Node.js

Databunker comes with excellent Node.js support. You add a few dependencies to your project and you are set. Our library does all the magic.

You can use @databunker/session-store module to automatically use secure storage provided by Databunker.

Here is a working example:

const { v4: uuidv4 } = require('uuid');
const app = require('express')();
const session = require('express-session');
// The store wrapper takes the express-session module so it can extend its Store class
const DataBunkerSessionStore = require('@databunker/session-store')(session);

// Databunker endpoint and API token (the DEMO token works with the demo container)
const DataBunkerConf = {
  url: 'http://localhost:3000/',
  token: 'DEMO'
};

const s = session({
  // Random UUID v4 as the session id; only this id reaches the browser cookie
  genid: function(req) {
    return uuidv4();
  },
  // Cookie-signing secret; load it from the environment in production
  secret: 'JustASecret',
  resave: false,
  saveUninitialized: true,
  // Session data is persisted in Databunker instead of process memory
  store: new DataBunkerSessionStore(DataBunkerConf)
});

app.use(s);

const port = 3200;
const host = '0.0.0.0';

app.get('/', (req, res) => {
  const sess = req.session; // keep the reference local, not an implicit global
  if (!sess.count) {
    sess.count = 1;
  } else {
    sess.count++;
  }
  // res.send() already ends the response
  res.send('Counter: ' + sess.count.toString());
});

app.listen(port, host, () => {
  console.log(`Example app listening at http://${host}:${port}`);
});

Additional examples

  1. Node.js example implementing passwordless login using Databunker: https://github.com/securitybunker/databunker-nodejs-passwordless-login

  2. Node.js example with Passport.js, Magic.Link and Databunker: https://github.com/securitybunker/databunker-nodejs-example

Summary

With a few lines of code, you can make your session code compliant with privacy and security by design. It is not complicated.



Introducing a Free Takeaway 🚀

Databunker is a free, open-source project available under the commercially friendly MIT license.
