We recommend taking the following steps to increase security for your MaxMind account.

 

Account

 

License keys

  • Treat your license key like a password, and store it securely (e.g. in a password manager).
    • We hash license keys on our end, so each key is displayed to you in full only once, at the time of generation.
  • When using your license key in your code, make sure you store it securely.
    • Never store your license key where it can be read by other users on shared resources (e.g. version control, code, or public HTML).
  • Replace your license key if you suspect it is compromised.
 

Service usage

  • Use HTTPS with TLS v1.2+ to secure your requests to MaxMind services.
    • Support for TLS v1.0 and v1.1 (all services), and unencrypted HTTP requests to MaxMind legacy minFraud services end on October 16, 2019.
    • We continue to support HTTP requests to GeoIP services, but we highly recommend the use of HTTPS with TLS v1.2+.
  • If you are using a MaxMind client API, ensure you are using the latest version.
  • For automating GeoIP downloads, use GeoIP Update version 3.1.1 or greater.
    • GeoIP Update versions before 3.1.1 transformed the license key in a way that prevents us from comparing what is sent with the hashed key on our side. To take advantage of the hashed license key security feature, you need to upgrade to version 3.1.1 or higher.
    • Older versions of GeoIP Update will continue to work, but we highly recommend upgrading when possible. A guide for upgrading is available in our developer documentation, and our latest version of GeoIP Update is available here
  • If you use the client-side GeoIP2 JavaScript API, we recommend integrating with our other GeoIP2 Precision Web Service client APIs or GeoIP2 databases instead.
    • A server-side integration is more secure and robust than a client-side integration. If you choose to integrate using the GeoIP2 JavaScript Client API, we recommend monitoring your query usage for unexpected spikes.
  • If you use the minFraud service, ensure you’re only sending the intended data for an input, as described in our documentation, to avoid accidentally sharing sensitive information (e.g. never pass a full credit card number as the IIN input).
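
One way to enforce the IIN guidance above before a minFraud request leaves your server (an added example, not MaxMind code). It assumes the field `credit_card.issuer_id_number` takes the first 6 or 8 digits of the card number; the function names are hypothetical.

```python
import re

# Assumption: minFraud's credit_card.issuer_id_number is the first 6 or 8
# digits of the card number. Function names here are hypothetical.
IIN_RE = re.compile(r"[0-9]{6}|[0-9]{8}")
# A run of 13-19 digits, optionally grouped with spaces or hyphens.
PAN_CANDIDATE_RE = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like(payload, path=""):
    """Yield the path of each value holding a Luhn-valid 13-19 digit run."""
    if isinstance(payload, dict):
        for key, value in payload.items():
            yield from find_pan_like(value, f"{path}.{key}" if path else key)
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            yield from find_pan_like(value, f"{path}[{i}]")
    elif isinstance(payload, (str, int)) and not isinstance(payload, bool):
        for m in PAN_CANDIDATE_RE.finditer(str(payload)):
            if luhn_ok(re.sub(r"[^0-9]", "", m.group())):
                yield path
                break


def check_request(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload may be sent."""
    problems = [f"{p}: looks like a full card number" for p in find_pan_like(payload)]
    iin = payload.get("credit_card", {}).get("issuer_id_number")
    if iin is not None and not IIN_RE.fullmatch(str(iin)):
        problems.append("credit_card.issuer_id_number: must be 6 or 8 digits")
    return problems
```

Call `check_request` on the request body and refuse to send when it returns anything; log only the field paths it reports, never the offending values.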
 

Communications

  • Avoid sending sensitive account information such as license keys or account passwords in emails. We will never ask you to send us passwords or full license keys.
  • If you are unsure whether an email you receive is from MaxMind, please contact us. If you are unsure about links in suspicious emails, please navigate to our website directly.
 

Contact us if you have any questions or if you notice suspicious activity on your account.