HCP Registration, Gateway & WAF Best Practices
The HealthSafePay Cloud Platform (HCP) is your secure gateway to Convenient Checkout APIs. This guide covers:
- How to register and authenticate with HCP
- How the HCP Gateway and Azure WAF protect your integration
- Best practices to avoid common WAF/API issues
1. HCP Registration & API Authenticationβ
Convenient Checkout APIs are available through HCP for merchants, partners, and internal users.
Registration Stepsβ
- Visit the HCP site and review onboarding for the Commerce package.
- Register your application in HCP and request access to CCG APIs with the required scopes (API Access Levels).
- Configure API access: After approval, use your client credentials (ID/secret) for authentication.
- Explore the HCP Console to manage clients, keys, and API usage.
- Browse the API Catalog for available APIs and docs.
- STAGE:
rg-common-checkout-nonprod(non-prod) - PROD:
rg-common-checkout-prod(production)
2. HCP Gateway & WAF: What to Watch Forβ
The HCP Gateway uses Azure Web Application Firewall (WAF) to protect your APIs. Some requests may be blocked if they donβt follow best practices.
| Scenario | Impact | How to Fix |
|---|---|---|
| URLs in POST body not encoded | Request blocked | Percent-encode all URLs in POST bodies |
GET with Transfer-Encoding header | Request blocked | Never send this header on GET |
Missing Accept header | Request blocked | Always send Accept on GET |
| Other WAF triggers | Request blocked | See best practices below |
3. Common WAF Block Scenariosβ
1. URLs in POST Body (Encoding Required)
Example fields:
config.privacypolicyurlappearance.font.fontSources.cssSrcappearance.merchantlogo
Remediation: Always percent-encode URLs in POST request bodies.
2. GET Requests with Transfer-Encoding Header
Including this header on GET requests will trigger the WAF and block the request.
Remediation: Never include Transfer-Encoding on GET requests.
3. Missing Accept Header
Azure WAF blocks GET requests that do not include an Accept header. This affects endpoints like:
/token/setup-payment-methods/sessions/payments/{payment_id}/customers/{customer_id}/payment-methods/payment-methods/search
Remediation: Always include an Accept header on GET requests.
4. Other Best Practices
- GET or HEAD requests should not have a body
- POST requests must have a valid JSON body
- Avoid SQL characters in request bodies
- Encode all URLs in request bodies
4. Best Practices for API Securityβ
- Store client credentials and API keys securely
- Rotate secrets regularly
- Use least-privilege API scopes (see access levels)
- Monitor API usage and set up alerts for unusual activity
5. Troubleshooting & Supportβ
- Splunk: HCP Gateway WAF Blocks (Non-Prod)
- Azure WAF Rule Set Reference
- HCP Team for registration/auth issues
- Contact your HCP administrator or support team
β Quick Checklistβ
- Register and onboard in HCP
- Request correct API scopes
- Store credentials securely
- Encode all URLs in POST bodies
- Never send
Transfer-Encodingon GET - Always send
Accepton GET - No body on GET/HEAD
- POST body is valid JSON
- No SQL characters in request bodies
For further information about HCP, visit HCP site