What happens when the API key is changed?

A signature that also includes the User ID; on our side we verify this signature by taking the ID from the API key and checking whether it belongs to an active user.

Check where the request comes from - it must come from Bmap.

How do we protect public requests to a tool? Should it be accessible not only from the widget but also directly from the tool?

How do we protect the proxy requests?

1. Mutual Authentication - TLS handshake from both servers, set up at server level

How Mutual Authentication Works in Practice

TLS Handshake Initiation: The client initiates a connection to the server.

Server Certificate Presentation: The server presents its certificate to the client, which the client validates using trusted CAs (this is standard TLS).

Requesting Client Certificate: After verifying the server's certificate, the server requests a client certificate (as configured with SSLVerifyClient require or ssl_verify_client on).

Client Certificate Presentation: The client presents its certificate. The server checks this certificate against its list of trusted CAs (using the file set in SSLCACertificateFile or ssl_client_certificate).

Verification and Connection: If both certificates validate successfully, a secure, authenticated connection is established, allowing both parties to trust that they are communicating with the intended entity.

2. Data Integrity and Confidentiality at the Application Level

a. Encrypt and Sign Sensitive Payloads

Application-level Encryption: Beyond the transport layer security, consider encrypting the sensitive parts of your payload using robust algorithms (e.g., AES-256). This way, even if the data is intercepted, it remains unreadable without the decryption key.

Digital Signatures or HMAC: Sign your messages using HMAC or a digital signature. This verifies the integrity and authenticity of the payload, ensuring that the data has not been tampered with in transit.

Tip: Include a timestamp or a nonce in the message to prevent replay attacks.

3. Endpoint Verification and Network Considerations

DNS and IP Verification: Occasionally, attackers might attempt DNS hijacking or spoofing. Consider validating the IP address or domain via a secondary verification method (or even DNSSEC, if available) to ensure you are connecting to the correct destination.
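The signed-request scheme sketched in the notes above (a signature that is bound to the User ID, the active-user check on the server side, and the HMAC with timestamp and nonce from section 2), worked through as an added example; this is not code from the original notes or from Bmap. The header names, the in-memory API key records, the 5-minute timestamp window and the rotate_api_key helper are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample key store: API key -> (user bound to it, shared secret, active flag).
# A real deployment would look these up in its key/user database; the values are made up.
API_KEYS = {
    "key_demo_1": {"user_id": 42, "secret": b"demo-secret-1", "active": True},
    "key_demo_2": {"user_id": 77, "secret": b"demo-secret-2", "active": False},  # deactivated user
}

MAX_SKEW_SECONDS = 300  # assumed window: reject timestamps more than 5 minutes off


def canonical_string(api_key, user_id, timestamp, nonce, body):
    """Fixed field order joined by newlines (which cannot occur in the values),
    so the bytes being signed are unambiguous. The body is hashed, not embedded."""
    return "\n".join([api_key, str(user_id), str(timestamp), nonce,
                      hashlib.sha256(body).hexdigest()])


def sign_request(api_key, user_id, body, secret, timestamp=None, nonce=None):
    """Client (widget) side: build the headers that accompany a signed request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(api_key, user_id, timestamp, nonce, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-User-Id": str(user_id),
            "X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


def rotate_api_key(keys, old_key, new_key, new_secret):
    """Key rotation: the old key disappears from the store, so signatures made with
    it (or with the old secret) are rejected as 'unknown api key' from then on."""
    record = keys.pop(old_key)
    keys[new_key] = {**record, "secret": new_secret}


class Verifier:
    """Server (proxy) side. `now` is injectable so the window can be tested."""

    def __init__(self, keys, now=time.time):
        self.keys = keys
        self.now = now
        self.seen_nonces = {}  # nonce -> timestamp, kept only for the replay window

    def _expire_nonces(self):
        cutoff = int(self.now()) - MAX_SKEW_SECONDS
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t >= cutoff}

    def verify(self, headers, body):
        """Return (ok, reason). Every failure reason is distinct so it can be logged."""
        record = self.keys.get(headers.get("X-Api-Key"))
        if record is None:
            return False, "unknown api key"
        if not record["active"]:
            return False, "inactive user"
        # The user ID claimed in the request must be the one bound to the API key.
        if headers.get("X-User-Id") != str(record["user_id"]):
            return False, "user id does not match api key"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(int(self.now()) - ts) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if not nonce:
            return False, "missing nonce"
        self._expire_nonces()
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac.new(record["secret"],
                            canonical_string(headers["X-Api-Key"], record["user_id"],
                                             ts, nonce, body).encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the expected digest.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts  # record only after a fully valid request
        return True, "ok"


if __name__ == "__main__":
    body = b'{"tool": "demo", "q": 1}'
    headers = sign_request("key_demo_1", 42, body, API_KEYS["key_demo_1"]["secret"])
    v = Verifier(API_KEYS)
    print(v.verify(headers, body))   # first delivery is accepted
    print(v.verify(headers, body))   # identical replay is rejected
```

The nonce table is the part that needs care in a real proxy: it must be shared across all proxy instances (for example in a store with a TTL equal to the timestamp window), otherwise a replay sent to a different instance is not detected. Checking the API key's active flag before anything else means a deactivated user is cut off immediately, regardless of whether their old signatures are still within the window.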