appfolio-security-basics

# AppFolio Security Basics ## Overview AppFolio manages property portfolios containing tenant PII (SSNs, bank accounts, lease terms), owner financial data, and maintenance vendor records. A breach exposes rent rolls, payment histories, and personally identifiable tenant information across every managed property. Secure every integration point: API credentials, webhook endpoints, and any pipeline that touches tenant or owner financial records. ## API Key Management ```typescript import https from "https"; import axios, { AxiosInstance } from "axios"; function createAppFolioClient(): AxiosInstance { const clientId = process.env.APPFOLIO_CLIENT_ID; const clientSecret = process.env.APPFOLIO_CLIENT_SECRET; const baseUrl = process.env.APPFOLIO_BASE_URL; if (!clientId || !clientSecret || !baseUrl) { throw new Error("Missing APPFOLIO_CLIENT_ID, APPFOLIO_CLIENT_SECRET, or APPFOLIO_BASE_URL"); } return axios.create({ baseURL: baseUrl, auth: { username: clientId, password: clientSecret }, httpsAgent: new https.Agent({ minVersion: "TLSv1.2", rejectUnauthorized: true }), }); } ``` ## Webhook Signature Verification ```typescript import crypto from "crypto"; function verifyAppFolioWebhook(req: Request, res: Response, next: NextFunction): void { const signature = req.headers["x-appfolio-signature"] as string; const secret = process.env.APPFOLIO_WEBHOOK_SECRET!; const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex"); if (...