v1.1.6 Compliance

Production-ready Swish Integration Checklist

Ensuring a production-ready, secure integration with the NordAPI Swish SDK. Verify each box before deployment.

1) Setup & Configuration

Install the SDK: dotnet add package NordAPI.Swish (latest stable).
Environment Variables: Map SWISH_BASE_URL, SWISH_API_KEY, and SWISH_SECRET.
Webhook secret (optional hardening): Set SWISH_WEBHOOK_SECRET only if you enable the NordAPI signing layer (not Swish baseline).
Redis / persistent nonce store: In production, use a persistent nonce store (Redis/DB). SWISH_REDIS is supported, with aliases REDIS_URL and SWISH_REDIS_CONN. In-memory storage is acceptable for local development or single-instance setups, but not recommended for production scale-out.
mTLS Certificate: Configure client cert via SWISH_PFX_PATH and password via SWISH_PFX_PASSWORD.
Fail-fast / fail-closed validation: Invalid security configuration must fail during service registration/startup or deny the request rather than bypassing verification.
Secrets hygiene: Never commit secrets or certificates. Keep .gitignore blocking *.pfx, *.p12, *.pem, *.key, *.crt, *.cer.

2) Webhook Configuration

Your Swish callback endpoint must be secure. Swish does not send X-Swish-* headers by default. The checks below apply only if you add an explicit signing layer (proxy, gateway, or local test tool) in front of the webhook.

Swish Baseline (Merchant Integration Guide)

HTTPS only: Endpoint served over HTTPS on port 443.
No SNI dependency: Host must support connections without SNI.
Delivery acknowledgment: Return HTTP 200 OK to acknowledge delivery.
IP filtering: Apply IP allowlisting if you use IP filtering in your environment.

Security note: Always verify the raw UTF-8 request body bytes. Any JSON normalization, re-serialization, pretty-printing, or property reordering will break verification.

NordAPI Hardening

Canonical format: <ts_seconds>\n<nonce>\n<body> (UTF-8 bytes).
Timestamp unit: Use Unix timestamp in seconds (UTC), never milliseconds or .NET ticks.
Headers: X-Swish-Timestamp, X-Swish-Nonce, and X-Swish-Signature apply only to the optional NordAPI signing layer.
Constant-time comparison: Use constant-time equality for signature comparisons.

Boundary clarity: Swish provides HTTPS + mTLS transport security. NordAPI adds optional application-layer hardening such as canonical byte verification, Base64 HMAC validation, timestamp checks, and nonce replay protection. Headers like X-Swish-Timestamp, X-Swish-Nonce, and X-Swish-Signature are NordAPI-specific and are not part of the native Swish callback model.

3) Security Checklist

Timestamp tolerance: Enforce clock skew of ±5 minutes.
Message age: Keep message age validation aligned with verifier configuration. Current tests use MaxMessageAge = 10 minutes.
Replay protection: Persistent nonce store active in production where replay protection must survive multi-instance or distributed deployments.
Idempotency: Generate Idempotency-Key once per logical operation and reuse it across retries.
HTTPS / TLS: Enforce TLS 1.2+ and enable HSTS where applicable.
Secrets management: Use environment variables or a secure vault/KeyVault. Do not keep secrets in repo-tracked files.
Structured logging: Log safely without PII or secret leakage.

4) Testing & Verification

Smoke test script:

.\scripts\smoke-webhook.ps1 -Secret <your_secret> -Url <target>

Replay test: Reused nonce must be rejected.
Timestamp validation: Expired timestamps must be rejected.
Expected result shape: Valid signature → HTTP 200. Replay/invalid → consistent non-200 (commonly 401/403 or 409).
Production path checks: Exercise failure paths for missing mTLS certificate and invalid webhook timing/security configuration.

5) Pre-Launch Audit

SWISH_DEBUG and SWISH_ALLOW_OLD_TS are disabled or removed.
Test/staging nonce state is cleared where applicable.
IP allowlisting is configured if your deployment relies on Swish IP filtering.
Docs and runtime behavior match before release.