Xero certificates for WooCommerce integration - security issue?

Started by Xavier Walker in Add-ons

Following the guide for integrating WooCommerce with Xero.

https://docs.woocommerce.com/document/xero/

One thing strikes me as rather alarming: it's suggested that the private certificate and CSR are placed in a public folder on your e-commerce site that potentially anyone can access.

Is it not a security risk giving Joe Public access to your private keys?

Hi Xavier

While it's not the best to have the certificate public, just having the certificate isn't enough to use the API to access your Xero company. They would also need the consumer key and secret we generate when you register the application. As WooCommerce doesn't store this publicly, it wouldn't be possible for someone to use the connection.

Hope this helps.

Angela
 

Angela Marshall (Xero Staff)
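
A way to audit for the exposure raised in this thread, as an added example that is not part of the original posts and is not WooCommerce or Xero code: it walks a web document root and reports any file containing a PEM private key or CSR. The directory layout, file names and file contents in the sample are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# PEM headers for private keys and CSRs (the two file types the thread mentions).
PEM_MARKER = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED )?PRIVATE KEY|(?:NEW )?CERTIFICATE REQUEST)-----"
)

def find_exposed_keys(web_root, max_bytes=65536):
    """Return sorted (relative_path, pem_type, world_readable) for key material under web_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            match = PEM_MARKER.search(head)
            if match:
                rel = os.path.relpath(path, web_root).replace(os.sep, "/")
                findings.append((rel, match.group(1).decode(), bool(mode & stat.S_IROTH)))
    return sorted(findings)

def demo():
    """Build a constructed web root with placeholder (non-functional) PEM files and scan it."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads", "xero")  # hypothetical path
        os.makedirs(uploads)
        samples = {
            "privatekey.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
            "request.csr": b"-----BEGIN CERTIFICATE REQUEST-----\nCONSTRUCTED\n-----END CERTIFICATE REQUEST-----\n",
            "publickey.cer": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        }
        for name, body in samples.items():
            path = os.path.join(uploads, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o644)
        return find_exposed_keys(root)

if __name__ == "__main__":
    for rel, kind, world in demo():
        print(f"{rel}: {kind} (world-readable: {world})")
```

The public certificate in the sample is intentionally not reported; only private keys and CSRs match.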