
Security

This document is the security guide for gov.gr, part of the technical documentation for developers implementing solutions within the gov.gr ecosystem. It outlines the basic principles of secure implementation and best practices for applications that interact with gov.gr platforms and handle sensitive or personal data.

Token Storage & Session Management

  • Do not store access tokens in localStorage or sessionStorage.
  • Use HTTP-only secure cookies for session management.
  • Implement refresh flows for renewing tokens and use short-lived access tokens (≤ 1 hour).

Protection Against Token Injection in URLs

  • Never send tokens via URL parameters (query params).
  • access_token and refresh_token must be transmitted via a secure channel (body or headers).

Secure Communication (HTTPS)

  • All API calls and redirect URIs must use HTTPS.
  • SSL/TLS certificates must be valid and up to date.

Audit Logs & Logging

  • All calls to public services (e.g., SOE, EMEP) must include an auditRecord.
  • Your logs must not contain tokens or personally identifiable information (PII).
  • Log both successes and failures in a secure logging system.

Access Restriction with Roles

  • Apply RBAC (Role-Based Access Control) where possible.
  • Confirm scopes and roles from the decoded token before performing sensitive actions.
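The rules in the token-storage, URL, logging and role sections above, as one added example (not gov.gr's own code): a Python module with a log scrubber for tokens, AFM and e-mail addresses, a query-string check that refuses tokens in URLs, an HttpOnly/Secure session cookie, and a scope/role check on decoded token claims. The claim names (exp, scope, roles), the 9-digit AFM pattern and the redaction markers are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qs

# Values that must never reach a log line (patterns constructed for this example).
_TOKEN_RE = re.compile(r"(?i)(bearer\s+|access_token=|refresh_token=)[A-Za-z0-9._~+/=-]+")
_AFM_RE = re.compile(r"\b\d{9}\b")  # Greek tax number (AFM): 9 digits (assumed format)
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def scrub(message: str) -> str:
    """Redact tokens and PII so the line satisfies the 'no tokens, no PII in logs' rule."""
    message = _TOKEN_RE.sub(lambda m: m.group(1) + "[REDACTED]", message)
    message = _AFM_RE.sub("[AFM]", message)
    return _EMAIL_RE.sub("[EMAIL]", message)

def token_in_url(url: str) -> bool:
    """True when a request or redirect URL carries a token in its query string; refuse it."""
    params = parse_qs(urlparse(url).query)
    return "access_token" in params or "refresh_token" in params

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly (not readable by scripts), Secure (HTTPS only)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()

def authorize(claims: dict, required_scope: str, allowed_roles: set, now=None) -> bool:
    """Check expiry, scope and role on the *decoded* token before a sensitive action.
    Assumed claim layout: 'exp' (epoch seconds), 'scope' (space-separated), 'roles' (list)."""
    now = now or datetime.now(timezone.utc)
    if datetime.fromtimestamp(int(claims.get("exp", 0)), timezone.utc) <= now:
        return False  # expired (or no expiry): short-lived tokens are refreshed, not reused
    scopes = set(claims.get("scope", "").split())
    roles = set(claims.get("roles", []))
    return required_scope in scopes and bool(roles & allowed_roles)

if __name__ == "__main__":
    print(scrub("Authorization: Bearer eyJhbGciOi.xyz afm=123456789 user@example.gr"))
    print(session_cookie_header("opaque-session-id"))
```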

Personal Data – GDPR

  • Do not store users’ personal data without their consent.
  • Support users’ right to delete and port their data.
  • Data (e.g., AFM, name, email) must be accessible only to authorized services.

Security Headers & CORS Policies

  • Add security headers (e.g., Content-Security-Policy, X-Content-Type-Options).
  • Configure CORS to allow requests only from approved origins.

Common Mistakes and How to Avoid Them

  • Mistake: Storing tokens in localStorage.
    Recommended: Use secure cookies instead.
  • Mistake: Logging personal details.
    Recommended: Anonymize or hide them.
  • Mistake: Using the same credentials for test & prod.
    Recommended: Separate credentials for each environment.
