Data Builder for Perfex CRM By Head Random 2026-05-04 3:20 AM

Comprehensive Guide: Restful API & GraphQL for Perfex CRM - Configuration and Security

The Data Builder module provides the most robust solution for Restful API for Perfex CRM and GraphQL for Perfex CRM. Beyond standard Perfex tables, it supports data queries across ALL database tables, including those from third-party integrated modules. Furthermore, Data Builder enables exposing localized datasets via REST API for Perfex for Reports, Report Groups, and external integrations. To ensure these powerful “API for Perfex” features operate securely, configuration at the Web Server and Database levels is mandatory.

API Explorer endpoints documentation: https://databuilder.polyxgo.com/api_docs

1. Slow HTTP Attack Protection

Slow HTTP attacks (like Slowloris) attempt to keep connections open as long as possible by sending data very slowly. PHP cannot mitigate this because it occurs at the connection layer before reaching the application.

Apache (Recommended)

Enable mod_reqtimeout and add the following to your VirtualHost or .htaccess:

Nginx

Add these directives to your server {} or location /api/ {} block:

2. Binary Body Size Limit Alignment

Every request through the Restful API for Perfex CRM passes through an internal DDoS shield with a default body size limit of 256KB. Configure your Web Server to enforce the same limit, so that oversized requests are rejected at the connection layer instead of being buffered and handed to PHP first.

  • Apache: LimitRequestBody 262144

  • Nginx: client_max_body_size 256k

3. MySQL Permission Hardening

Tables containing rate counters (tbldata_builder_api_rate) and audit logs (tbldata_builder_api_logs) must be strictly protected. Only the core application database user should have write access to these tables.

4. Use a Reverse Proxy / WAF (Cloudflare)

When using GraphQL for Perfex CRM in high-traffic environments or facing large-scale DDoS attacks (Layer 3/4), utilizing a WAF like Cloudflare or AWS WAF is highly recommended.

Example Cloudflare Rate Limiting Rule:

  • Match: URI path contains /api/data_builder/v1/

  • Action: Limit to 500 requests per minute per IP.

  • Response: 429 Too Many Requests.

5. Enforce HTTPS

All data transmitted via Restful API or GraphQL must be encrypted over HTTPS to prevent Bearer Token interception and sensitive data leaks.

Apache Configuration (.htaccess):
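The following VirtualHost fragment is an added example, not configuration shipped with Data Builder, that applies sections 1, 2 and 5 of this guide to the Data Builder API path. It assumes mod_reqtimeout, mod_rewrite and mod_headers are enabled; the hostname and certificate paths are placeholders.

```apache
# Added example (not from the Data Builder documentation). Assumes mod_reqtimeout,
# mod_rewrite and mod_headers are loaded; crm.example.com and the TLS paths are placeholders.
<VirtualHost *:80>
    ServerName crm.example.com

    # Section 5: every plain-HTTP request is redirected to HTTPS, so a Bearer
    # token is never accepted over an unencrypted connection.
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName crm.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/crm.example.com.pem      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/crm.example.com.key    # placeholder

    # Section 1: mod_reqtimeout drops connections that send bytes too slowly.
    # Headers: 20 s to begin with, extended by 1 s per 500 bytes received, capped at 40 s.
    # Body:    20 s to begin with, extended by 1 s per 500 bytes received, capped at 60 s.
    # RequestReadTimeout is only valid in server or VirtualHost context, not in .htaccess.
    RequestReadTimeout header=20-40,MinRate=500 body=20-60,MinRate=500

    # Section 2: match the shield's 256 KB limit (262144 bytes) on the API path so
    # oversized bodies are refused with 413 before PHP is ever invoked.
    <Location "/api/data_builder/v1">
        LimitRequestBody 262144
    </Location>

    # Section 5: instruct clients to keep using HTTPS for one year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

After reloading Apache, a request with a body larger than 262144 bytes to /api/data_builder/v1/ should return 413 Request Entity Too Large, and a plain-HTTP request should receive a 301 to the HTTPS URL.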

Production Security Checklist

Ensure your API for Perfex environment is production-ready:

  • Configured Slow HTTP protection (Apache/Nginx).

  • Aligned client_max_body_size with the application limit (256KB).

  • Hardened MySQL permissions for rate limit and log tables.

  • Enforced HTTPS for all /api/data_builder/v1/ routes.

  • Set up Cloudflare/WAF for high-traffic environments.

  • Keep api_allow_query_token disabled unless strictly required.

  • Configured log retention cron job (default: 90-day retention).

By following this guide, you ensure that your Perfex CRM API ecosystem is both robust and secure!

Explore Data Builder for Perfex CRM to unlock powerful RESTful API and GraphQL capabilities with enterprise-grade security and full database coverage.