Advanced Security Features

Available in:

Post Affiliate Pro, Post Affiliate Pro Ultimate, Post Affiliate Network

Post Affiliate Pro provides enterprise-grade security features designed to protect your affiliate program from unauthorized access, abuse, and fraud. This guide covers the advanced security mechanisms built into the platform.

API Authentication Methods

Post Affiliate Pro’s API v3 uses modern authentication standards to ensure secure access to your affiliate program data and operations.

API Key Authentication

API keys provide a secure method for server-to-server communication. Each API key in Post Affiliate Pro includes:

  • Token ID and Hash: API keys use a secure token format with a unique identifier and cryptographically hashed secret. The plain-text token is never stored in the database.
  • Expiration Date: You can set an expiration date for API keys to ensure regular rotation.
  • Role-Based Access: Each key inherits permissions from the associated user role.
  • Scope Restrictions: Define specific scopes to limit what operations the API key can perform.
  • IP Whitelisting: Restrict API key usage to specific IP addresses or CIDR ranges.
  • Usage Tracking: The system tracks when each key was last used and how many times it has been accessed.

To authenticate with an API key, include it as a Bearer token in the Authorization header:

Authorization: Bearer pap_XXXXXXXXXX_YYYYYYYYYYYYYYYYYYYYYYYYYYYY
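The following Python example is added here to illustrate the server-side checks listed above; it is not Post Affiliate Pro's code. It assumes a token layout of pap_<token id>_<secret> (only the id and a SHA-256 hash of the secret are stored; a fast hash is acceptable here because the secret is long random output, unlike a user password), an in-memory key store, CIDR strings for the IP whitelist, and a reason string per failure. The function and field names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class StoredKey:
    token_id: str
    secret_hash: str                 # hex SHA-256 of the secret; the plain secret is never kept
    scopes: set
    expires_at: Optional[datetime]   # None means the key does not expire
    allowed_ips: list                # CIDR strings; an empty list means no IP restriction
    last_used: Optional[datetime] = None
    use_count: int = 0

def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def issue_key(store: dict, scopes, ttl_days, allowed_ips=()):
    """Create a key and return the plain token once; only its hash goes into `store`."""
    token_id = secrets.token_hex(5)
    secret = secrets.token_urlsafe(24)
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days) if ttl_days else None
    store[token_id] = StoredKey(token_id, hash_secret(secret), set(scopes), expires, list(allowed_ips))
    return f"pap_{token_id}_{secret}"

def authenticate(store, authorization_header, client_ip, required_scope, now=None):
    """Return (ok, reason): header format, secret, expiry, IP whitelist, scope, then usage tracking."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token.startswith("pap_"):
        return False, "malformed_header"
    parts = token.split("_", 2)          # the secret may itself contain '_', so split at most twice
    if len(parts) != 3:
        return False, "malformed_token"
    _, token_id, secret = parts
    key = store.get(token_id)
    # Always run a constant-time compare, against a dummy hash for unknown ids,
    # so response timing does not reveal which ids exist.
    expected = key.secret_hash if key else hash_secret("")
    if not hmac.compare_digest(hash_secret(secret), expected) or key is None:
        return False, "bad_secret"
    if key.expires_at and now >= key.expires_at:
        return False, "expired"
    if key.allowed_ips:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in key.allowed_ips):
            return False, "ip_not_allowed"
    if required_scope not in key.scopes:
        return False, "insufficient_scope"   # the API answers this case with HTTP 403
    key.last_used, key.use_count = now, key.use_count + 1   # usage tracking
    return True, "ok"
```

The order of checks matters: the secret is verified before expiry, IP and scope so that every failure path costs the caller the same work, and the dummy-hash comparison keeps unknown and known ids indistinguishable by timing.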

OAuth 2.0 Authentication

For third-party integrations and temporary access, Post Affiliate Pro supports OAuth 2.0 bearer tokens with scope validation. The OAuth authenticator:

  • Validates bearer tokens against the API key database
  • Verifies that the token has all required scopes for the requested operation
  • Returns clear error messages for insufficient permissions (HTTP 403)
  • Integrates seamlessly with the rate limiting system

Scope-based permissions allow fine-grained control over what each token can access, ensuring third-party integrations only have access to the data they need.

Rate Limiting

Post Affiliate Pro rate-limits API requests and authentication attempts to protect your affiliate program from abuse, denial-of-service attempts, and runaway automation scripts.

Global API Rate Limits

The API v3 enforces the following rate limits:

  • 100 requests per minute for all API endpoints
  • 10 failed authentication attempts per minute per IP address for bearer token authentication

When you exceed the rate limit, the API returns:

  • HTTP 429 (Too Many Requests) status code
  • Retry-After header indicating when you can retry
  • X-RateLimit-Limit header showing the maximum allowed requests
  • X-RateLimit-Remaining header showing remaining requests in the current window
  • X-RateLimit-Reset header showing when the rate limit resets

Token Bucket Algorithm

Rate limiting uses a token bucket algorithm that provides:

  • Configurable time windows (second, minute, hour, day, week, month)
  • Gradual refill of available requests over time
  • Protection against both sustained abuse and burst attacks
  • Separate buckets for different types of operations (authentication, password reset, signups, etc.)

Authentication Rate Limiting

Failed authentication attempts are tracked separately to prevent brute-force attacks:

  • Failed bearer token authentications consume tokens from an IP-specific bucket
  • After 10 failed attempts within a minute, further authentication attempts are blocked
  • Successful authentication resets the failure counter for that IP
  • Rate limit status is logged for security monitoring
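The Python example below is added to show how the pieces described in the three preceding sections fit together (the 429 response headers, the token bucket with named windows, and the IP-specific failed-authentication bucket); it is not Post Affiliate Pro's implementation. It assumes a 30-day month, that X-RateLimit-Reset carries the seconds until the bucket is full again and Retry-After the seconds until one more request fits, and an injectable clock so the behaviour can be tested without waiting. The same limiter keyed by username is what the per-username login limits described under Login Protection below amount to.

```python
import math
import time
from dataclasses import dataclass

# Window names the limiter accepts, in seconds (the month length is an assumed 30 days).
WINDOWS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
           "week": 604800, "month": 30 * 86400}

@dataclass
class Bucket:
    capacity: int      # maximum burst size
    window: int        # seconds in which an empty bucket refills completely
    tokens: float
    updated: float

class RateLimiter:
    """Separate buckets per (operation, key): ("api", ip), ("auth_fail", ip), ("login", username), ..."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}

    def bucket(self, op, key, capacity, window_name):
        """Fetch the bucket for (op, key), creating it full, and apply the gradual refill."""
        window = WINDOWS[window_name]
        now = self.clock()
        b = self.buckets.get((op, key))
        if b is None:
            b = self.buckets[(op, key)] = Bucket(capacity, window, float(capacity), now)
        else:
            # capacity/window tokens per second, never above capacity
            b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.capacity / b.window)
            b.updated = now
        return b

    def consume(self, op, key, capacity, window_name="minute", cost=1):
        """Take `cost` tokens. Returns (allowed, headers) with the X-RateLimit-* / Retry-After set."""
        b = self.bucket(op, key, capacity, window_name)
        allowed = b.tokens >= cost
        if allowed:
            b.tokens -= cost
            wait = 0
        else:
            # seconds until enough tokens have refilled for this request, rounded up
            wait = math.ceil((cost - b.tokens) * b.window / b.capacity)
        headers = {
            "X-RateLimit-Limit": str(capacity),
            "X-RateLimit-Remaining": str(int(b.tokens)),
            "X-RateLimit-Reset": str(math.ceil((b.capacity - b.tokens) * b.window / b.capacity)),
        }
        if not allowed:
            headers["Retry-After"] = str(wait)     # accompanies the HTTP 429 response
        return allowed, headers

    def reset(self, op, key):
        self.buckets.pop((op, key), None)

def handle_bearer_auth(limiter, ip, token_is_valid):
    """Failed bearer authentications draw from an IP-specific bucket of 10 per minute.
    Returns an HTTP status: 429 while blocked, 401 for a bad token, 200 on success."""
    if limiter.bucket("auth_fail", ip, 10, "minute").tokens < 1:
        return 429
    if token_is_valid:
        limiter.reset("auth_fail", ip)   # success clears the failure counter for this IP
        return 200
    limiter.consume("auth_fail", ip, 10, "minute")
    return 401
```

Because only failures consume from the auth_fail bucket, a client that authenticates correctly is never throttled by it, while a blocked IP stays blocked until the bucket has refilled even if it then presents a valid token.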

Session Security

Post Affiliate Pro implements robust session management to protect user accounts.

Session Management Features

  • Secure Session IDs: Sessions use 32-character cryptographically secure identifiers
  • Session Validation: Each request validates the session state and associated module
  • Session Expiration: Expired sessions are automatically detected and handled
  • Session Storage: Sessions can be stored in database or Redis for high-performance environments
  • Multi-Session Control: Users can have their other sessions terminated when security-sensitive changes occur

Session Termination on Security Events

When critical security events occur, Post Affiliate Pro automatically terminates related sessions:

  • Enabling two-factor authentication invalidates all other active sessions
  • Password changes can trigger session invalidation
  • API key deletion terminates associated sessions
  • Account status changes trigger session cleanup

Login Protection

Post Affiliate Pro provides comprehensive login protection with configurable settings for both merchant and affiliate panels.

IP-Based Restrictions

Banned IP Addresses: Block login attempts from specific IP addresses or ranges. The system:

  • Validates IP addresses against the banned list before processing login
  • Prevents you from accidentally banning your own current IP address
  • Supports separate banned lists for merchant and affiliate panels

Allowed IP Addresses: Restrict login access to a whitelist of approved IP addresses:

  • Only users connecting from whitelisted IPs can log in
  • Supports both individual IP addresses and IP ranges
  • Protects you from locking yourself out by checking that your current IP is on the list before the list is saved
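As an added illustration (not Post Affiliate Pro's code) of the banned and allowed list logic above, including the pre-save check that keeps you from locking yourself out: the example assumes list entries are single addresses, CIDR blocks, or dash-separated ranges such as 203.0.113.10-203.0.113.20, and that the banned list is consulted before the allowed list.

```python
import ipaddress

def parse_ip_list(entries):
    """Turn list entries into network objects. Accepted forms (assumed for this example):
    a single address, a CIDR block, or an inclusive 'first-last' range."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def ip_in_list(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def validate_login_lists(current_ip, banned, allowed):
    """Run before saving the lists. Returns the problems that would lock out the
    administrator making the change; an empty list means the lists are safe to save."""
    problems = []
    if ip_in_list(current_ip, parse_ip_list(banned)):
        problems.append("current IP is on the banned list")
    allowed_nets = parse_ip_list(allowed)
    if allowed_nets and not ip_in_list(current_ip, allowed_nets):
        problems.append("current IP is not on the allowed list")
    return problems

def login_permitted(client_ip, banned, allowed):
    """Login-time check: banned entries win, then a non-empty allowed list must contain the IP."""
    if ip_in_list(client_ip, parse_ip_list(banned)):
        return False
    allowed_nets = parse_ip_list(allowed)
    return not allowed_nets or ip_in_list(client_ip, allowed_nets)
```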

Rate Limiting for Logins

Login attempts are rate-limited to prevent brute-force attacks:

  • Per-IP Rate Limiting: Limits the number of login attempts from a single IP address per hour
  • Per-Username Rate Limiting: Limits attempts against a specific username to prevent targeted attacks
  • Configurable limits for both merchant and affiliate panels
  • Failed attempts are tracked using the token bucket system

Login Key Service

For secure single sign-on and “Login As” functionality, Post Affiliate Pro uses temporary login keys:

  • Login keys are valid for only 30 seconds
  • Each key can only be used once (consumed on use)
  • Keys are cryptographically generated using secure random functions
  • Permission checks ensure only authorized users can generate login keys for other accounts
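The following Python example is added to show the four properties above in one place and is not Post Affiliate Pro's login key service. It assumes an in-memory key table, an injectable clock, and a caller-supplied permission predicate can_login_as(actor, target) standing in for the product's own permission check.

```python
import secrets
import time

LOGIN_KEY_TTL = 30  # seconds a key stays valid, as documented above

class LoginKeyService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._keys = {}   # key -> (target user, expiry timestamp)

    def issue(self, actor, target_user, can_login_as):
        """Generate a one-time key that logs in as `target_user`.
        `can_login_as` is an assumed permission check supplied by the caller."""
        if actor != target_user and not can_login_as(actor, target_user):
            raise PermissionError("not allowed to generate login keys for other accounts")
        key = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._keys[key] = (target_user, self.clock() + LOGIN_KEY_TTL)
        return key

    def consume(self, key):
        """Return the user the key logs in as, or None when the key is unknown, used or expired."""
        entry = self._keys.pop(key, None)        # removed on first presentation, valid or not
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user

    def purge_expired(self):
        """Housekeeping for keys that were issued but never presented; returns how many remain."""
        now = self.clock()
        for key in [k for k, (_, exp) in self._keys.items() if exp < now]:
            del self._keys[key]
        return len(self._keys)
```

Popping the key from the table before checking its expiry is what makes it single-use: even an expired key cannot be presented twice, and a key that is never presented is cleared by the periodic purge.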

Sale Fraud Protection

Post Affiliate Pro includes a dedicated Sale Tracking Fraud Protection plugin that uses MD5 checksums to verify transaction authenticity.

How It Works

  1. When a sale is tracked, the system computes an MD5 checksum using the total cost, order ID, and a secret key
  2. This checksum must be included with the sale tracking request
  3. The system recomputes the checksum and compares it with the submitted value
  4. If the checksums do not match, the transaction is declined

Configuration Options

  • Global Secret Key: Set a default secret key for all campaigns
  • Campaign-Specific Keys: Override the global key with unique keys per campaign for additional security
  • Checksum Parameter: Choose which data field carries the checksum (data1 through data5)

This protection ensures that only legitimate sales from your website are tracked, preventing fraudulent transaction submissions from outside sources.
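The Python example below is added to show both sides of the checksum scheme just described (the merchant site computing the value and the tracking side recomputing it, with the campaign-specific key overriding the global one and the checksum carried in a chosen data field). It is not the plugin's code: the exact concatenation order of total cost, order ID and secret key used by the real plugin is not stated on this page, so the order used here is an assumption, and the hash is MD5 only because that is what the plugin documents. The comparison is done in constant time.

```python
import hashlib
import hmac

class SaleChecksumVerifier:
    def __init__(self, global_key, campaign_keys=None, checksum_field="data5"):
        self.global_key = global_key
        self.campaign_keys = campaign_keys or {}   # campaign id -> key that overrides the global key
        self.checksum_field = checksum_field       # which of data1..data5 carries the checksum

    def key_for(self, campaign_id):
        return self.campaign_keys.get(campaign_id, self.global_key)

    @staticmethod
    def compute(total_cost, order_id, secret_key):
        """Checksum the merchant site sends with the sale. Assumed layout: cost, order id, key,
        concatenated in that order; the real plugin's layout is not given on this page."""
        payload = f"{total_cost}{order_id}{secret_key}".encode()
        return hashlib.md5(payload).hexdigest()

    def verify(self, sale):
        """`sale` is a dict with total_cost, order_id, campaign_id and the data1..data5 fields.
        Returns True only when the submitted checksum matches the recomputed one."""
        submitted = str(sale.get(self.checksum_field, ""))
        expected = self.compute(sale["total_cost"], sale["order_id"], self.key_for(sale["campaign_id"]))
        # constant-time compare: a mismatch costs the same whatever byte differs
        return hmac.compare_digest(submitted.lower(), expected)
```

The secret key never travels with the request, so a submission from outside your website cannot produce a valid checksum for a cost or order ID of its choosing; changing any of the three inputs changes the digest.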

Click Fraud Protection

Post Affiliate Pro monitors all clicks and can automatically decline or discard fraudulent ones.

Detection Methods

Duplicate Click Detection: Identifies clicks from the same IP address within a configurable time period:

  • Set the time window in seconds
  • Optionally require same user agent for duplicate detection
  • Optionally require same banner or campaign for stricter detection
  • Choose to decline (mark as fraudulent) or not save the click

Banned IP Protection: Block clicks from known bad actors:

  • Define banned IP addresses and ranges
  • Clicks from banned IPs are automatically declined or discarded
  • Separate settings available per account

Banned Referrer Protection: Block clicks from suspicious referrer URLs:

  • Define patterns for banned referrer URLs
  • Prevents click fraud from certain websites or traffic sources

Allowed IP/Referrer Lists: Create whitelists for legitimate traffic:

  • Only accept clicks from approved IP ranges
  • Only accept clicks from approved referrer URLs
  • Option to allow empty referrers
  • Option to allow banner destination domains

Fraud Protection Actions

For each type of detection, you can choose:

  • Decline: Save the click but mark it as declined (visible in reports)
  • Don’t Save: Discard the click entirely (not saved to database)

Action/Sale Fraud Protection

Similar protections exist for sales and lead tracking.

Duplicate Detection

Duplicate Orders from Same IP: Detect multiple sales from the same IP address:

  • Configurable time window in seconds
  • Optional matching by user agent, campaign, product ID, order ID, or commission type
  • Prevents rapid-fire fraudulent sale submissions

Duplicate Order IDs: Detect sales with the same order ID:

  • Configurable time window in hours
  • Optional matching by campaign or product ID
  • Prevents duplicate commission payouts from page refreshes or replay attacks
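One detector covers the duplicate rules described for clicks (same IP within a window, optionally same user agent or banner, decline or don't save) and for sales (same IP or same order ID, optionally same campaign, product, order ID or commission type). The Python below is an added example, not Post Affiliate Pro's code: it assumes the detector is keyed by the IP for IP-based rules and by the order ID for duplicate-order-ID rules, that windows are given in seconds (an hours-based window is hours multiplied by 3600), and that only events that were accepted seed later comparisons.

```python
from dataclasses import dataclass

@dataclass
class DuplicateRule:
    window_seconds: int
    match_fields: tuple = ()   # extra attributes that must also match, e.g. ("user_agent", "banner_id")
    action: str = "decline"    # "decline": save and flag the event; "dont_save": discard it

class DuplicateDetector:
    """Tracks recently accepted events per key and decides what to do with a new one.
    Key by the client IP for the same-IP rules, by the order ID for the duplicate-order-ID rule."""

    def __init__(self, rule):
        self.rule = rule
        self._recent = {}   # key -> [(timestamp, attributes)]

    def check(self, key, now, **attrs):
        """Returns 'accept', or the rule's action when an earlier accepted event
        inside the window has the same key and matching `match_fields`."""
        recent = [(ts, a) for ts, a in self._recent.get(key, [])
                  if now - ts < self.rule.window_seconds]
        self._recent[key] = recent           # forget events older than the window
        for _, earlier in recent:
            if all(earlier.get(f) == attrs.get(f) for f in self.rule.match_fields):
                return self.rule.action
        recent.append((now, attrs))          # only accepted events are remembered
        return "accept"

# Constructed examples of the two rule families:
click_rule = DuplicateRule(window_seconds=60, match_fields=("user_agent",), action="decline")
order_id_rule = DuplicateRule(window_seconds=24 * 3600, match_fields=("campaign_id",), action="dont_save")
```

With an empty match_fields tuple every event with the same key inside the window counts as a duplicate; adding fields narrows the rule, which is what the "optionally require same ..." settings do.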

Order Locking

When processing a sale, the system locks the order ID temporarily:

  • Prevents race conditions when the same order is submitted multiple times simultaneously
  • Lock expires after 60 seconds
  • Blocked duplicate orders receive clear error messages

IP and Referrer Protection

Sales inherit the same banned/allowed IP and referrer protections as clicks:

  • Block sales from banned IP addresses
  • Block sales from banned referrer URLs
  • Allow sales only from whitelisted IPs or referrers
  • Custom decline messages for each type of protection

Two-Factor Authentication

Post Affiliate Pro supports TOTP (Time-based One-Time Password) two-factor authentication for enhanced account security.

Implementation

  • Uses standard TOTP algorithm compatible with Google Authenticator and similar apps
  • Generates a unique secret key per user stored securely in user attributes
  • Provides QR codes for easy mobile app setup
  • Validates codes with a 90-second window (3 periods of 30 seconds each)
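The following Python example is added to show the TOTP procedure the bullets describe: a per-user base32 secret, HMAC-SHA1 over the 30-second counter, and a verifier that accepts the current period and one period either side (3 periods, 90 seconds). It is not Post Affiliate Pro's code; it implements RFC 6238 directly and checks against that RFC's published test vector, and the otpauth URI format it emits is the one authenticator apps read from a setup QR code.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

PERIOD = 30    # seconds per TOTP step
DIGITS = 6

def generate_secret():
    """20 random bytes, base32-encoded: the form authenticator apps accept."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def hotp(secret_b32, counter):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret_b32, at=None):
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // PERIOD)

def verify_totp(secret_b32, submitted, at=None, tolerance=1):
    """Accept the current period plus `tolerance` periods on each side: with tolerance=1
    that is 3 x 30 s = 90 s, which absorbs clock drift between phone and server."""
    at = time.time() if at is None else at
    counter = int(at) // PERIOD
    for delta in range(-tolerance, tolerance + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), submitted):
            return True
    return False

def provisioning_uri(secret_b32, account, issuer="Post Affiliate Pro"):
    """otpauth:// URI encoded into the setup QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")
```

A wider window makes drift less of a problem but also gives a guessed code more chances to be right, which is why the attempt rate limit described in the next section matters as much as the window size.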

Security Features

  • Rate Limited: Two-factor code validation is limited to 5 attempts per minute
  • Session Invalidation: Enabling 2FA invalidates all other active sessions for that user
  • Password Request Invalidation: Pending password reset requests are invalidated when 2FA is enabled
  • Audit Logging: 2FA activation is logged in the audit trail

Availability

Two-factor authentication is available for both:

  • Merchant panel users
  • Affiliate panel users

Each user can enable 2FA independently through their profile settings.

Security Best Practices

To maximize the security of your Post Affiliate Pro installation:

API Security

  1. Rotate API keys regularly: Set expiration dates and replace keys periodically
  2. Use minimal scopes: Only grant the permissions each integration actually needs
  3. Implement IP whitelisting: Restrict API access to known server IPs
  4. Monitor usage: Review API key usage counts and last-used timestamps
  5. Use OAuth for third parties: Prefer short-lived OAuth tokens for external integrations

Account Security

  1. Enable two-factor authentication: Require 2FA for all merchant accounts
  2. Use strong passwords: Combine with 2FA for maximum protection
  3. Configure login rate limits: Set appropriate limits to prevent brute-force attacks
  4. Implement IP restrictions: Use allowed IP lists for sensitive accounts
  5. Review audit logs: Regularly check the audit log for suspicious activity

Fraud Prevention

  1. Enable sale fraud protection: Use the MD5 checksum verification for all campaigns
  2. Configure duplicate detection: Set appropriate time windows for your business model
  3. Use IP banning proactively: Block known fraudulent IP ranges
  4. Monitor declined transactions: Review declined clicks and sales for patterns
  5. Customize fraud messages: Clear messages help legitimate users understand rejections

Frequently asked questions

What authentication methods does Post Affiliate Pro API support?

Post Affiliate Pro API v3 supports two authentication methods: API Keys for long-term server-to-server connections, and OAuth 2.0 bearer tokens for short-term or third-party access. Both methods support scope-based permissions for fine-grained access control.

How does rate limiting protect my affiliate program?

Rate limiting prevents abuse by restricting the number of API requests. Post Affiliate Pro allows 100 requests per minute globally, with separate limits for authentication attempts (10 failed attempts per minute per IP). When limits are exceeded, the system returns HTTP 429 status with Retry-After headers.

Can I restrict API access to specific IP addresses?

Yes, Post Affiliate Pro supports IP whitelisting for API keys. You can configure a list of allowed IP addresses or CIDR ranges, and the system will reject requests from any IP not on the whitelist.

How does Post Affiliate Pro protect against login attacks?

Post Affiliate Pro protects logins through multiple layers: IP-based rate limiting, username-based rate limiting, banned IP lists, and allowed IP whitelists. You can configure separate settings for merchant and affiliate panels.
