Best Practices
Overview
At Dynamic, we prioritize flexibility and choice. While we offer a range of tools to enhance security for your applications and wallets, we recognize that not every feature may align with your risk profile and use case. For instance, you can require an MFA at sign-up, but this extra step might be unnecessary for users who haven’t yet built up many assets. That’s why MFA is recommended rather than required for using Dynamic.
As a developer, you have the freedom to evaluate what best suits your risk profile, business requirements, and user preferences. We encourage you to implement the highest security practices that align with your application and UX requirements Dynamic powered Embedded Wallets are self-custodial by design. It is important that you determine how to use them and evaluate what structure works best for your business and users.
While we prioritize flexibility and choice, we maintain certain requirements and recommended best practices to ensure the security for all developers, regardless of their level of sophistication.
| Security Measure | Requirement Level | Description |
|---|---|---|
| Allowed domains (CORS origin) | Recommended | Prevents malicious domain impersonation. Required in certain scenarios. |
| Content Security Policies (CSP) | Recommended | Mitigates Cross-Site Scripting (XSS) attacks. |
| Third Party App connection checks (Global Wallet Kit specific) | Required for Global Wallets | Helps prevent users from connecting to malicious third party applications |
| Multi-Factor Authentication (MFA) | Recommended | Enhances account security, excluding SMS as a sole method. |
| Recovery Shares & Cloud backups | Recommended | Ensures secure and accessible backup options for account recovery. |
| Passcode | Recommended | Adds an additional security factor on the user-share for Dynamic Embedded wallets with TSS-MPC. |
| Transaction security checks | Recommended | Provides added protection for users by checking if a transaction may interact with a known malicious address or is requesting permissions beyond what is expected. If using Dynamic Global wallets, this is required. |
| Transaction simulation | Recommended | Simulates the transaction to ensure users double check the asset amounts and destinations prior to completing an activity. |
| Cookie-based authentication | Recommended | This can mitigate certain types of attacks, such as session hijacking by making the JWT not directly accessible or modifiable by client-side scripts. |
| Roles & Permissions (Dynamic Dashboard) | Recommended | Limit who in your organization can perform read, write or administrative privileges in your account. |
Shared Responsibilities
Security is a collaborative effort between Dynamic, developers and end-users. While Dynamic implements robust security measures to safeguard user assets and ensure a secure infrastructure, it also requires developers to actively contribute and continuously improve security practices.
Dynamic provides foundational security measures such as mitigating XSS attacks, preventing phishing attempts, and utilizing Secure Enclaves for sensitive operations. However, developers play a crucial role in enhancing security by implementing additional measures like multi-factor authentication, continuous transparent communication, and proactive monitoring. Developers should give Dynamic a heads up ahead heightened traffic periods so we can recommend or enhance protections
Together, we work towards creating a resilient ecosystem that prioritizes user protection and maintains trust in our services.
Best Practices
Overview
At Dynamic, we prioritize flexibility and choice. While we offer a range of tools to enhance security for your applications and wallets, we recognize that not every feature may align with your risk profile and use case. For instance, you can require an MFA at sign-up, but this extra step might be unnecessary for users who haven’t yet built up many assets. That’s why MFA is recommended rather than required for using Dynamic.
As a developer, you have the freedom to evaluate what best suits your risk profile, business requirements, and user preferences. We encourage you to implement the highest security practices that align with your application and UX requirements Dynamic powered Embedded Wallets are self-custodial by design. It is important that you determine how to use them and evaluate what structure works best for your business and users.
While we prioritize flexibility and choice, we maintain certain requirements and recommended best practices to ensure the security for all developers, regardless of their level of sophistication.
| Security Measure | Requirement Level | Description |
|---|---|---|
| Allowed domains (CORS origin) | Recommended | Prevents malicious domain impersonation. Required in certain scenarios. |
| Content Security Policies (CSP) | Recommended | Mitigates Cross-Site Scripting (XSS) attacks. |
| Third Party App connection checks (Global Wallet Kit specific) | Required for Global Wallets | Helps prevent users from connecting to malicious third party applications |
| Multi-Factor Authentication (MFA) | Recommended | Enhances account security, excluding SMS as a sole method. |
| Recovery Shares & Cloud backups | Recommended | Ensures secure and accessible backup options for account recovery. |
| Passcode | Recommended | Adds an additional security factor on the user-share for Dynamic Embedded wallets with TSS-MPC. |
| Transaction security checks | Recommended | Provides added protection for users by checking if a transaction may interact with a known malicious address or is requesting permissions beyond what is expected. If using Dynamic Global wallets, this is required. |
| Transaction simulation | Recommended | Simulates the transaction to ensure users double check the asset amounts and destinations prior to completing an activity. |
| Cookie-based authentication | Recommended | This can mitigate certain types of attacks, such as session hijacking by making the JWT not directly accessible or modifiable by client-side scripts. |
| Roles & Permissions (Dynamic Dashboard) | Recommended | Limit who in your organization can perform read, write or administrative privileges in your account. |
Shared Responsibilities
Security is a collaborative effort between Dynamic, developers and end-users. While Dynamic implements robust security measures to safeguard user assets and ensure a secure infrastructure, it also requires developers to actively contribute and continuously improve security practices.
Dynamic provides foundational security measures such as mitigating XSS attacks, preventing phishing attempts, and utilizing Secure Enclaves for sensitive operations. However, developers play a crucial role in enhancing security by implementing additional measures like multi-factor authentication, continuous transparent communication, and proactive monitoring. Developers should give Dynamic a heads up ahead heightened traffic periods so we can recommend or enhance protections
Together, we work towards creating a resilient ecosystem that prioritizes user protection and maintains trust in our services.