A Guide to Keeping Your Web3 Project Secure

Just because you're building a blockchain application doesn't automatically guarantee your project is immune to bad actors. Security should always be a top priority. In this post, we'll introduce you to some new security settings that you can use to keep your Web3 project secure.

Activating Infura’s Security Tools

With our new project-specific security settings, you can now have more control over how your Project ID is used. To configure them, head to your Infura Dashboard and navigate to your Project Settings page.

On your Settings page, you will see some powerful new configurable security settings. Here’s what they do:

Securing With Rate Limiting Settings

⚙️ Per Second Requests Rate-Limiting

This setting allows you to set the maximum number of requests per second (decimal value, e.g., 1.2). If at any point, your rate exceeds the value set for your project, requests will be rejected. Once enough time has passed that the rate has decreased below the limit again, you will be able to make requests again.

⚙️ Per Day Total Requests Rate-Limiting

This setting allows you to set a limit on the total number of requests per day (integer value, e.g., 20000). Once your project hits this limit, all requests will be rejected until the next day (00:00 UTC).

Securing With JWTs

⚙️ JWT Required

Sometimes, a project may have more complex security requirements, where it needs to be able to authorize other parties to use its Project ID, but with specific limitations. Using JSON Web Tokens (JWTs) can provide a project with more flexibility in allowing users and other third parties to use its Project ID. By default, requests are not required to include a JWT. However, if you want to require that all requests using your project ID include a JWT, you can toggle the JWT Required setting.

⚙️ JWT Public Keys

Here you can designate the public key (or keys) that will be used to verify JWTs.

Securing With Method Allowlists

⚙️ Allowlist API Request Method

You can restrict requests using your Project ID to specific Ethereum methods. If the list is not empty, then any method calls not specified in the list will be rejected. For example, if you had a project that analyzed data in a contract using only the functions provided by the contract, you could include eth_call in the method allowlist.

Visit our docs to see in-depth examples and best practices for your new Project Security Settings.


As always, if you need help at any time, join the Infura Community to connect with the team or drop us an email at [email protected].