Inbound Connection

Our inbound connection uses an inbound/reverse proxy.

Proxy Definition

The difference between our outbound proxy and our inbound proxy is that the inbound proxy is static and sits between your client side and your server side, while the outbound proxy sits between your server and third parties.

What does it allow you to do?

  • Rewrite requests or responses on the fly before data enters or leaves your system.
  • Operate on data outside of the scope of your backend systems.
  • Set/Change/Strip Headers.
  • Modify the payload even if it's not a strict redaction/replacement.

How does it work?

  • You point your client API or Frontend to our reverse proxy and set the upstream in our dashboard to your server DNS.

Example:

  • BEFORE: client.foo.com → server.foo.com
  • AFTER: client.foo.com → <VAULT_ID>.sandbox.verygoodproxy.com → server.foo.com
  • ALTERNATIVELY: you can load your client website/app through the proxy. This is useful if your client and backend do not communicate via API. We can provide a CNAME to white-label this when you're ready to use it in production.

The inbound/reverse proxy directs traffic between the client side (inbound traffic), the VGS vault (where sensitive data is stored), and your backend systems, as illustrated in the image below.

inbound-connection-client-server

Try it out

Run this sample code snippet in your terminal to see an example of data redaction. Please note, this is a sample test vault.

curl {VAULT_URL}/post \
  -H "Content-type: application/json" \
  -d '{"account_number": "ACC00000000000000000"}'
Check out data revealing code snippet for outbound connection.

Example with an HTML form submit

Let's take the easiest use case, an HTML form posting credit card data. You can serve your content via the proxy https://<VAULT_ID>.SANDBOX.verygoodproxy.com and this form will work with a sample echo server filter.

<form class="form-horizontal2 boxed" method="post" action="/post">
    <!--CREDIT CARD PAYMENT-->
    <div class="panel panel-info">
        <div class="form-group">
            <div class="col-md-12">
                <label for="pan_number" id="pan_number_label">Credit Card Number</label>
                <input class="form-control" placeholder="Card Number" type="text" name="cc_number" id="pan_number" value="">
            </div>
        </div>
        <div class="form-group">
            <label for="pan_exp" id="pan_exp_label">CC Expiration</label>
            <input class="form-control" placeholder="Card Expiration" type="text" name="cc_exp" id="pan_exp">
        </div>
    </div>
    <div class="form-group">
        <label for="pan_cvv" id="pan_cvv_label">CC CVV</label>
        <input class="form-control" placeholder="CVV" type="text" name="cc_cvv" id="pan_cvv" value="">
    </div>
    <div class="form-group">
        <span>Pay securely using your credit card</span>
    </div>
    <button type="submit">Place Order</button>
</form>

In this example form, on any press of the submit button we post to the path in the action attribute in the form tag:

Once you have this set up, you can work on your transformers and filters.
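A backend-side check for the form above, added here as an example (it is not VGS code or part of the original page): it flags card fields that still look like raw values after the request has passed through the inbound proxy, which indicates that the redaction filter did not match them. Only the field names `cc_number` and `cc_cvv` come from the form; the function names and the alias strings in the sample data are assumptions.

```python
import re
from urllib.parse import parse_qs


def luhn_ok(digits: str) -> bool:
    """Return True when an ASCII digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Raw card number: 13-19 digits (spaces or dashes allowed) passing Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return re.fullmatch(r"[0-9]{13,19}", digits) is not None and luhn_ok(digits)


def looks_like_cvv(value: str) -> bool:
    """Raw CVV: exactly three or four digits."""
    return re.fullmatch(r"[0-9]{3,4}", value.strip()) is not None


def unredacted_fields(form_body: str) -> list:
    """Return the card field names whose values still look like raw data.

    form_body is the application/x-www-form-urlencoded body the backend
    receives, which is what the HTML form above posts by default.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    checks = (("cc_number", looks_like_pan), ("cc_cvv", looks_like_cvv))
    return [name for name, check in checks
            if any(check(v) for v in fields.get(name, []))]


# Constructed sample bodies. 4111 1111 1111 1111 is a widely used test number;
# the "tok_example_..." aliases are placeholders, not a documented alias format.
RAW = "cc_number=4111+1111+1111+1111&cc_exp=12%2F30&cc_cvv=123"
REDACTED = "cc_number=tok_example_AAAA1111&cc_exp=12%2F30&cc_cvv=tok_example_BBBB2222"

if __name__ == "__main__":
    print("raw body:     ", unredacted_fields(RAW))
    print("redacted body:", unredacted_fields(REDACTED))
```

Log only the field names this returns, never the values, and reject or alert on any request for which the list is non-empty.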

Encrypted Communication

VGS supports encryption to protect communications between VGS and your web application, using the TLS cryptographic protocol. Support for anything less than TLS 1.2 is officially deprecated.

For more information regarding TLS:

If you need any help, contact us via the on-site chat or at support@verygoodsecurity.com.