Security best practices | Documentation

There are widely known recommended best security practices to employ in your code and development processes. All client-side code is at risk of compromise, and a security breach in your application could lead to a hacker accessing services on your behalf, accessing resources to which they are not entitled, potential data loss, or other potential risks.

It important that you minimize your app's potential risks and exposure to harm, hacking, or security breach. This site cannot present comprehensive security advice or risk-mitigation, but offers a few, practical building blocks to help you think about building applications that use good security precautions throughout their design, development, and ongoing maintenance.

General tips

The following security best practices should be considered regardless of your chosen type of authentication:

Best practice	Explanation
Use an ArcGIS API	The recommended workflow for applications requiring security is to use the appropriate client SDK object model to connect to and authenticate with ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more rather than to program abstractly using REST API. Connecting and authenticating via the client SDKs frees you from both managing authentication details as well as from the responsibility to safely handle user credentials during the authentication process.
Use HTTPS	All ArcGIS Location Services require HTTPS. We strongly recommended that you host any web applications and services using HTTPS support. This helps prevent man-in-the-middle and packet sniffer attacks. Further, you should fully validate the certificate with a trusted certificate authority (CA).
Keep your application up to date	Maintain support for the most up-to-date web browsers and native devices in your application. Use the latest versions of APIs, SDKs, and client libraries whenever possible.
Session-based access	If your application's users are authenticated externally but remain unknown to ArcGIS, you can restrict access to your server-side component by authenticating each user session. This assumes that your app users are not malicious, but contains some risk.
Use a CAPTCHA	If you are worried about bots and automation driving up your usage, you can also implement a human validator (or Turing test) such as a CAPTCHA to differentiate humans from bots. Google's reCAPTCHA is a familiar implementation of this kind of validator that will not cause significant impact to your user experience, but does require that the application incorporate a CAPTCHA extension.
Adhere to a security policy	Perform code reviews and validate adherence to your organization's security policy. Use a third-party testing service to verify your secure implementation.
Send access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more in the header of HTTP requests	Passing an access token in the HTTP header is generally more secure than including them in the URL query string. Query parameters may be logged in browser history, server logs, or intercepted more easily, potentially exposing sensitive information.

API key authentication

API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more are designed to be included in public-facing applications, for example embedding them within a web application. This means that your API key could be exposed to any of your application's users. In order to prevent abuse of your API keys, we recommended the following best practices:

Best practice	Explanation
Never commit API keys	You should never commit sensitive information into a source control system such as Git or SVN.
Limit the privileges of keys	Limit the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of your API key to prevent misuse.
Access location services	API key authentication can be used to create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more.
Access private items (non-confidential data only)	API key authentication can be used to access private itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portal that are owned by the developer's account. Ensure the data associated with the item is not sensitive or confidential in nature.
Don't use API keys for sensitive information	While API keys can be used to access private items and data layers, they should never be used to access information that is confidential. If your app needs to work with confidential information, use ArcGIS Online or ArcGIS Enterprise to implement a more secure type of authentication.
Use client referrers	Set up allowed referrers to restrict which clients are permitted to use specific API keys. While this can be circumvented, it adds a layer of difficulty for anyone wishing to abuse your keys.
Monitor key usage	Monitor usage of your API key to ensure it is used only by your applications. If you see unexpected spikes, rotate your API key for a new one.
Keep API key expiration short	You must set the expiration date of an API keyAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more when creating it, either through your portal or programmatically. By requesting API keys that expire quickly, you limit the time-frame when an attacker could use a compromised token.
Rotate API keys regularly	Rotate and delete your API keys periodically and routinely, replacing existing API keys with new API keys. To learn how to rotate keys, go to API key credentials.
Invalidate unused keys	Proactively invalidate unneeded or older API keys to minimize the risk of exposure, or dissemination.
Require application sign-in	If you are building a public applicationA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more for users without ArcGIS accountsAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more, you may prefer to request that users register to use your application in order to reduce public access to your API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more.
Authenticate in personal scripts	API keys can be used to provide authentication for personal applications intended for use only by you, the developer. API keys can be granted a limited set of privileges to support specific portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations and other security‑sensitive tasks. Use these API keys with caution, and protect them as you would your username and password.

User authentication

Best practice	Explanation
Choose user authentication when possible	If your use case does not require your application to be publicA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more, always choose user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more over other authentication methods. If your users do not have ArcGIS accountsAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more, you may prefer to request that users register to use your application in order to reduce public access to your API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more. Requiring registration and/or sign in gives you more control over your app. You can more easily ensure that only authenticated users access private content and location services.
Protect your client credentials	Never expose your `client_secret` or account login information. Anyone in possession of your `client_secret` or other sensitive information could use that information to create access tokens and access content and services that are billed to your account.
Avoid embedding access tokens	Try to never include any sensitive information such as access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more as literal strings in your code.
Keep token expiration short	You can use an `expiration` parameter when requesting a tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to establish the length of time in which that token is valid. By requesting shorter tokens, you limit the time-frame when an attacker could use a compromised token.
Don't commit credentials	Never commit sensitive information into a source control system such as Git or SVN.
Use an OAuth 2.0 authorization code flow	User authentication supports several different workflows. Always choose a flow that adheres to the OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more specification, specifically the Authorization code flow for server-side apps and the Authorization code flow with PKCE for client applications. All ArcGIS Maps SDKsArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more already implement an authorization code flow with PKCE by default via the `AuthenticationManager` and `IdentityManager` classes.

App authentication

Best practice Explanation

Use app authentication instead of API keys Both app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more and API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more can be used to build public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more. App authentication provides significantly more security for your application because the access tokens expire after 2 weeks and the client_id and client_secret are securely stored on a server-side component. App authentication should be used if a higher-level of security is required than API key authentication provides.

Authenticate for web servers App authentication can be used to provide authentication for personal applications used by only you, the developer. If required in these situations, access tokens can contain privileges for portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations and other tasks requiring additional security. Use these access tokens with caution, and protect them as you would your username and password.

Best practice	Explanation
Use app authentication instead of API keys	Both app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more and API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more can be used to build public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more. App authentication provides significantly more security for your application because the access tokens expire after 2 weeks and the `client_id` and `client_secret` are securely stored on a server-side component. App authentication should be used if a higher-level of security is required than API key authentication provides.
Authenticate for web servers	App authentication can be used to provide authentication for personal applications used by only you, the developer. If required in these situations, access tokens can contain privileges for portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations and other tasks requiring additional security. Use these access tokens with caution, and protect them as you would your username and password.

| Access location services | App authentication can be used to create public applicationA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more. | Access private items you own | App authentication can be used to access private itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portal that are owned by the developer's account. | Access sensitive information with caution | Accessing private items using app authentication is an improvement in security over API keys. However, care must be taken with both the client application and the server-side component to not expose confidential aspects of the private information being accessed. | Lock the server-side component to the application | Your server-side component should use appropriate mechanisms in order to only accept requests that originate from your client application. This includes validating CORS headers, as well as other infrastructure-specific implementations based on how your server is created and hosted. | Protect your client credentials | Never expose your client_secret or account login information. Anyone in possession of your client_secret or other sensitive information could use that information to create access tokens and access content and services that are billed to your account. | Avoid embedding access tokens | Try to never include any sensitive information such as access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more as literal strings in your code. | Don't commit credentials | Never commit sensitive information such as your client_secret into a source control system such as Git or SVN. |