The Data Builder module extends Restful API for Perfex CRM and GraphQL for Perfex CRM. Beyond the standard Perfex tables, it supports data queries across all database tables, including those created by third-party integrated modules, and it can expose localized datasets through the REST API for Perfex for Reports, Report Groups and external integrations. Because these "API for Perfex" features reach the whole database, the Web Server and Database configurations below are mandatory for running them securely.
API Explorer endpoints documentation: https://databuilder.polyxgo.com/api_docs
1. Slow HTTP Attack Protection
Slow HTTP attacks (such as Slowloris) hold connections open as long as possible by sending headers or the request body a few bytes at a time, exhausting the server's worker pool. PHP cannot mitigate this: the connection is tied up before the request is complete enough to reach the application, so the defence has to live in the web server.
Apache (Recommended)
Enable mod_reqtimeout and add the following to your main server config or VirtualHost (RequestReadTimeout is only allowed in server and virtual host context, not in .htaccess):
# Protect against slow-header and slow-body attacks:
# headers must arrive within 20s (extendable to 40s at >=500 bytes/s), the body within 30s at >=500 bytes/s
RequestReadTimeout header=20-40,MinRate=500 body=30,MinRate=500
Nginx
Add these directives to your server {} block. Note the contexts: client_header_timeout is only valid in http {} or server {}; client_body_timeout, client_max_body_size, keepalive_timeout and send_timeout may also be placed in a location /api/ {} block if you want them to apply to the API only.
client_header_timeout 10s;
client_body_timeout 10s;
client_max_body_size 256k;
keepalive_timeout 30s;
send_timeout 10s;
2. Request Body Size Limit Alignment
Every request through the Restful API for Perfex CRM passes through an internal DDoS shield with a default body size limit of 256KB (262144 bytes). Configure the Web Server to the same limit so that oversized requests are rejected with 413 Request Entity Too Large before PHP spends any time reading them. Scope the limit to the API path: a site-wide 256KB limit would also block normal Perfex file uploads and attachments.
- Apache:
LimitRequestBody 262144
- Nginx:
client_max_body_size 256k
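Sections 1 and 2 list the Nginx directives individually. The server block below is an added example, not part of the Data Builder documentation or module, that places each directive in a context Nginx accepts and scopes the 256KB limit to the API path so the rest of Perfex keeps its normal upload limit. The hostname, certificate paths, document root, PHP-FPM socket and the 64m site-wide limit are placeholders to adapt to your installation.

```nginx
# Added example (not from the Data Builder documentation).
# Assumptions: Perfex CRM served over HTTPS by nginx + PHP-FPM;
# hostname, certificate paths, root, socket and the 64m value are placeholders.
server {
    listen 443 ssl;
    server_name crm.example.com;                     # placeholder
    ssl_certificate     /etc/ssl/certs/crm.pem;      # placeholder
    ssl_certificate_key /etc/ssl/private/crm.key;    # placeholder
    root /var/www/perfex;                            # placeholder

    # Slow-header protection is a server-level setting: client_header_timeout
    # is only valid in http {} and server {}, so it cannot go in location /api/.
    client_header_timeout 10s;
    keepalive_timeout     30s;
    send_timeout          10s;

    # Site-wide limits: large enough for Perfex attachments and uploads.
    # The API location below overrides these with the stricter values.
    client_max_body_size  64m;                       # placeholder value
    client_body_timeout   30s;

    # Data Builder API: align with the module's 256KB shield and use the
    # tighter slow-body timeout. nginx compares Content-Length against
    # client_max_body_size as soon as this location is matched, so an
    # oversize request gets 413 before try_files hands it to index.php.
    # A body with no Content-Length (chunked) is bounded by the limit in
    # effect in the final location, so keep the server-level value sane too.
    location /api/data_builder/ {
        client_max_body_size 256k;
        client_body_timeout  10s;
        try_files $uri /index.php$is_args$args;
    }

    # Everything else goes through Perfex's front controller as usual.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;    # placeholder socket path
    }
}
```

Check the syntax with `nginx -t`, reload, then confirm the scoping: a POST of more than 256KB to a path under /api/data_builder/ should return 413 while the same upload to a regular Perfex attachment endpoint still succeeds.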
3. MySQL Permission Hardening
Tables containing rate counters (tbldata_builder_api_rate) and audit logs (tbldata_builder_api_logs) must be strictly protected. Only the core application database user should be able to read or write them: a reporting or monitoring account that can alter the rate table can defeat rate limiting, and one that can alter the log table can erase the audit trail. Remember that MySQL privileges are additive and there is no deny rule, so a table-level REVOKE does not override a database-wide grant such as GRANT SELECT ON your_db.*; a user holding such a grant must instead be given explicit per-table grants on only the tables it needs.
-- Revoke permissions from monitoring/reporting users on both tables
-- (REVOKE errors out if the user holds no grant on that table; inspect with SHOW GRANTS first)
REVOKE SELECT, INSERT, UPDATE, DELETE ON your_db.tbldata_builder_api_rate FROM 'readonly_user'@'%';
REVOKE SELECT, INSERT, UPDATE, DELETE ON your_db.tbldata_builder_api_logs FROM 'readonly_user'@'%';
-- Grant access only to the application user
GRANT SELECT, INSERT, UPDATE, DELETE ON your_db.tbldata_builder_api_rate TO 'app_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON your_db.tbldata_builder_api_logs TO 'app_user'@'localhost';
-- Confirm the reporting user no longer has privileges on either table
SHOW GRANTS FOR 'readonly_user'@'%';
4. Use a Reverse Proxy / WAF (Cloudflare)
When running GraphQL for Perfex CRM or the REST API in high-traffic environments, or when facing volumetric Layer 3/4 DDoS attacks, place a reverse proxy with a WAF such as Cloudflare or AWS WAF in front of the origin: it absorbs floods the web server alone cannot, and lets you rate-limit at Layer 7 before requests reach PHP. Two caveats: restrict the origin so that it only accepts connections from the proxy's published IP ranges, otherwise the WAF can be bypassed by connecting to the origin directly; and configure the web server to take the client address from the proxy's header (CF-Connecting-IP or X-Forwarded-For), so that any IP-based controls on the origin see real client addresses rather than the proxy's.
Example Cloudflare Rate Limiting Rule:
- Match: URI path contains /api/data_builder/v1/
- Action: Limit to 500 requests per minute per IP.
- Response: 429 Too Many Requests.
5. Enforce HTTPS
All data transmitted via the Restful API or GraphQL must be encrypted over HTTPS to prevent Bearer token interception and sensitive data leaks. The redirect below is a safety net, not the protection itself: a client that sends its first request over plain HTTP has already exposed its token before the 301 is returned, so API clients must be configured with https:// URLs from the start.
Apache Configuration (.htaccess):
# Requires RewriteEngine On (already present in Perfex's .htaccess); place these rules
# before the front-controller rule. Adjust the path prefix if Perfex is installed in a subdirectory.
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} ^/api/data_builder/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Production Security Checklist
Ensure your API for Perfex environment is production-ready:
- Configured Slow HTTP protection (Apache/Nginx).
- Aligned client_max_body_size (or LimitRequestBody) with the application limit (256KB), scoped to the API path.
- Hardened MySQL permissions for the rate limit and log tables.
- Enforced HTTPS for all /api/data_builder/v1/ routes.
- Set up Cloudflare/WAF for high-traffic environments, with the origin locked to the proxy's IP ranges.
- Kept api_allow_query_token disabled unless strictly required (a token passed in the query string ends up in web server, proxy and browser history logs).
- Configured the log retention cron job (default: 90-day retention).
By following this guide, you ensure that your Perfex CRM API ecosystem is both robust and secure!
Explore Data Builder for Perfex CRM to unlock powerful RESTful API and GraphQL capabilities with enterprise-grade security and full database coverage.