Application security & protocols
In Play Digital Signage, we take security of your data very seriously. This page gives a brief summary of the security procedures at Play Digital Signage
How is my web account secured?
We have outsourced the identity management to the professionals at Auth0. We don’t store any of your credentials in our servers, but use Auth0 as our authentication provider. Upon successful authentication Auth0 will generate a secure Json Web Token (JWT) that will be used by our servers to validate your identity. The JWT is signed by HMAC-SHA 256 bit algorithm. Guys at Auth0 keep up with the latest security news, standards and updates, so that we can focus on digital signage!
Your web chat is managed by crisp.chat, yet another security conscious company.
How are my files secured?
Your files are hosted on Amazon S3 service, world’s most used file storage service. While we can not make the files private, because the players need to be able to download the files from the Internet, we generate a unique id for each file, so the URL is virtually impossible to guess. For an example this is the URL of an uploaded file:
An attacker has better chances of guessing your password! (so make sure it’s secure)
How secure are communications?
All connections to our servers are HTTPS, that means that the traffic is encrypted, that includes web-socket connections.
The Internet traffic is routed through Cloudflare network, which protects our servers against Denial Of Service (DoS) and brute force attacks.
How are players secured?
When a player is linked to a user account, the server generates a unique secret token that is sent to the player once. Every subsequent request made by the player to our servers requires the token to be present in order to prevent malicious attacker from impersonating as the player itself. The weakest link is the physical player security, so make sure it’s out of sight and if possible, then out of reach!
Which external services the players connect to?
In case the player is behind a corporate firewall, you need to white-list following domains:
- We recommend whitelisting all subdomains of *.playsignage.com to be future-proof. If wildcard white-listing is not possible, then the player may also use following sub-domains:
- release.playsignage.com (only for Windows / OSX / Linux players to auto-update)
- quotes.playsignage.com (Quote plugin is using this endpoint to fetch quotes)
- onthisday.playsignage.com (Today In History plugin is using this endpoint to fetch data)
- proxy.playsignage.com (Weather, Facebook and Instagram plugin use this domain)
- my.playsignage.com (Location of proxy used to fetch insecure non-HTTPS web resources)
- logging.playsignage.com (Optional, for us to receive player logs)
- images.unsplash.com (When using images from the Unsplash plugin)
- js.logentries.com (Optional, for us to receive player logs that are helpful when debugging)