Security Best Practices

Keep your API credentials and user data secure by following these best practices.

Credential Management

Never Commit Secrets

Never commit API keys, tokens, or credentials to version control. Ignoring the files below only prevents future commits: a secret that has already been pushed stays in the repository history, so treat it as compromised and rotate it rather than just deleting the file.

    # Add to .gitignore
    .env
    .env.local
    .env.*.local
    *.key
    *.pem
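A .gitignore entry is passive; a pre-commit hook that refuses a commit containing something key-shaped is the active check. The scanner below is an added example, not part of the HOLE Foundation SDK or repository tooling. It reads the added lines of a unified diff (what `git diff --cached -U0` prints) and reports matches against a small set of patterns. The patterns are illustrative assumptions: the `sk_live_`/`sk_test_` form mirrors the placeholder key shown on this page, `AKIA...` is the documented shape of an AWS access key id, and the sample diff is constructed, not taken from a real commit.

```typescript
// Added example: scan a staged diff for credential-shaped strings before commit.
// Not part of the HOLE Foundation SDK; the rules are illustrative assumptions.

interface SecretRule {
  name: string;
  pattern: RegExp; // no `g` flag: RegExp.exec with `g` keeps state between calls
}

const SECRET_RULES: SecretRule[] = [
  // Mirrors the placeholder key format shown on this page (assumption, not a documented format).
  { name: 'hole-api-key', pattern: /\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b/ },
  { name: 'aws-access-key-id', pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'private-key-block', pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  {
    name: 'generic-secret-assignment',
    pattern: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"][^'"\s]{12,}['"]/i,
  },
];

interface Finding {
  rule: string;
  diffLine: number; // 1-based line number within the diff text
  excerpt: string;  // matched text, redacted so hook output and CI logs do not leak it
}

// Keep only a short prefix of the match so the secret itself never appears in output.
function redact(match: string): string {
  return match.length <= 8 ? '***' : match.slice(0, 6) + '*'.repeat(match.length - 6);
}

function scanForSecrets(diff: string): Finding[] {
  const findings: Finding[] = [];
  const lines = diff.split('\n');
  lines.forEach((line, index) => {
    // Only newly added content matters; skip file headers (+++ b/...), context and removals.
    if (!line.startsWith('+') || line.startsWith('+++')) return;
    const added = line.slice(1);
    for (const rule of SECRET_RULES) {
      const m = rule.pattern.exec(added);
      if (m) findings.push({ rule: rule.name, diffLine: index + 1, excerpt: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample diff (not a real commit): one hard-coded API key and one AWS key id.
const sampleDiff = [
  'diff --git a/src/client.ts b/src/client.ts',
  '--- a/src/client.ts',
  '+++ b/src/client.ts',
  '@@ -1,3 +1,4 @@',
  ' import { HoleFoundationClient } from "./sdk";',
  '-const token = process.env.AUTH0_TOKEN;',
  '+const token = "sk_live_1234567890abcdef"; // TODO remove before pushing',
  '+const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  ' const client = new HoleFoundationClient({ token });',
].join('\n');

const sampleFindings = scanForSecrets(sampleDiff);
for (const f of sampleFindings) {
  console.log(`${f.rule} at diff line ${f.diffLine}: ${f.excerpt}`);
}
```

In a hook, feed the output of `git diff --cached -U0` to `scanForSecrets` and exit non-zero when the result is non-empty. Expect false positives from a generic pattern like the assignment rule; an allowlist for test fixtures is cheaper than teaching developers to bypass the hook.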

Use Environment Variables

Store credentials in environment variables, not in code:

    // ✅ Good - Use environment variables, and fail fast if the variable is missing
    const token = process.env.AUTH0_TOKEN;
    if (!token) {
      throw new Error('AUTH0_TOKEN is not set');
    }
    const client = new HoleFoundationClient({ token });

    // ❌ Bad - Hardcoded credentials
    const client = new HoleFoundationClient({
      token: "sk_live_1234567890abcdef"
    });

Rotate Credentials Regularly

  • Rotate API keys every 90 days
  • Immediately rotate if you suspect compromise
  • Use short-lived tokens when possible

Token Security

Store Tokens Securely

Browser Applications:

  • Use httpOnly cookies for refresh tokens
  • Store access tokens in memory only
  • Never use localStorage for sensitive tokens
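The browser guidance above comes down to one pattern: script holds the short-lived access token in a variable, and the only way to get a new one is a request the browser authenticates with an httpOnly cookie that script cannot read. The class below is an added example, not code from the HOLE Foundation SDK. The `/auth/refresh` endpoint named in the comment is a placeholder assumption, and the offline run uses a constructed refresh function and a fake clock.

```typescript
// Added example, not part of the HOLE Foundation SDK: in-memory access token store with
// single-flight refresh. The refresh endpoint is an assumed placeholder.

interface TokenResponse {
  accessToken: string;
  expiresIn: number; // seconds until the access token expires
}

type RefreshFn = () => Promise<TokenResponse>;

class MemoryTokenStore {
  private accessToken: string | null = null;
  private expiresAt = 0;                             // epoch milliseconds
  private inFlight: Promise<string> | null = null;

  constructor(
    private readonly refresh: RefreshFn,
    private readonly now: () => number = () => Date.now(),
    private readonly renewEarlyMs = 30000,           // renew before expiry so no request carries a lapsing token
  ) {}

  async getAccessToken(): Promise<string> {
    if (this.accessToken !== null && this.now() + this.renewEarlyMs < this.expiresAt) {
      return this.accessToken;
    }
    // Single-flight: concurrent callers share one refresh instead of each hitting the endpoint.
    let pending = this.inFlight;
    if (pending === null) {
      pending = this.refresh().then(
        (res) => {
          this.accessToken = res.accessToken;
          this.expiresAt = this.now() + res.expiresIn * 1000;
          this.inFlight = null;
          return res.accessToken;
        },
        (err) => {
          this.inFlight = null;
          throw err;
        },
      );
      this.inFlight = pending;
    }
    return pending;
  }

  // Call on logout, or when a request still gets 401 after one refresh; then force a new login.
  clear(): void {
    this.accessToken = null;
    this.expiresAt = 0;
  }
}

// Browser wiring (assumed endpoint; not exercised in the offline run below):
//   const store = new MemoryTokenStore(() =>
//     fetch('/auth/refresh', { method: 'POST', credentials: 'include' }).then((r) => r.json()));
// `credentials: 'include'` sends the httpOnly refresh cookie; script never sees its value.

// Offline demonstration with a constructed refresh function and a controllable clock.
async function demo(): Promise<{ tokens: string[]; refreshCalls: number }> {
  const clock = { t: 0 };
  let refreshCalls = 0;
  const store = new MemoryTokenStore(
    async () => ({ accessToken: `token-${++refreshCalls}`, expiresIn: 3600 }),
    () => clock.t,
  );
  const tokens: string[] = [];
  // Three concurrent callers at startup: one refresh, same token handed to all three.
  tokens.push(...(await Promise.all([store.getAccessToken(), store.getAccessToken(), store.getAccessToken()])));
  clock.t = 3600 * 1000 - 60 * 1000;   // 59 minutes later: still valid, no refresh
  tokens.push(await store.getAccessToken());
  clock.t = 3600 * 1000 - 10 * 1000;   // 10 seconds before expiry: inside the renew-early window
  tokens.push(await store.getAccessToken());
  return { tokens, refreshCalls };
}
```

A page reload empties the store, which is the point: there is nothing in localStorage for an injected script to read, and the next `getAccessToken` call simply refreshes through the cookie.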

Server Applications:

  • Use encrypted environment variables
  • Consider secrets managers (Doppler, dotenvx, Vault)
  • Never log tokens

Token Expiration

Our tokens have the following lifetimes:

    Token Type     | Lifetime       | How to renew
    ---------------|----------------|-----------------------
    Access Token   | 1 hour         | Use the refresh token
    Refresh Token  | 30 days        | Re-authenticate
    API Key        | Until revoked  | Manual rotation

API Security

Use HTTPS Always

All API requests must use HTTPS. HTTP requests will be rejected.

    // ✅ Good
    const client = new HoleFoundationClient({
      environment: 'https://api.theholefoundation.org'
    });

    // ❌ Bad - Will be rejected
    const client = new HoleFoundationClient({
      environment: 'http://api.theholefoundation.org'
    });

Validate Input

Validate user input on the client before sending it to the API, checking size and shape rather than hunting for dangerous strings. Blocklisting substrings such as `<script>` does not prevent injection and is trivially bypassed; the API validates every request again on the server, and any untrusted text you later render must be encoded for its output context at that point.

    // Validate before sending: enforce type, length and character set. Client-side checks
    // catch mistakes early but are not a security boundary; the API re-validates on the server.
    const MAX_QUERY_LENGTH = 1000;

    function validateSearchQuery(query: unknown): query is string {
      if (typeof query !== 'string') return false;
      const trimmed = query.trim();
      if (trimmed.length === 0 || trimmed.length > MAX_QUERY_LENGTH) return false;
      // Reject control characters; a search query has no legitimate use for them.
      if (/[\u0000-\u001F\u007F]/.test(trimmed)) return false;
      return true;
    }

Rate Limit Handling

Implement exponential backoff for rate-limited requests. Honour a Retry-After header when the server sends one, add jitter so many clients do not retry in lockstep, and surface the error once the retries are exhausted instead of silently returning nothing:

    // Retry on HTTP 429 with exponential backoff and jitter, up to maxRetries attempts in total.
    async function fetchWithRetry<T>(fn: () => Promise<T>, maxRetries = 3): Promise<T> {
      for (let attempt = 0; ; attempt++) {
        try {
          return await fn();
        } catch (error) {
          // Error shape assumed: `status` and, optionally, response `headers` on the thrown
          // error. Adapt this to the client library's actual error type.
          const err = error as { status?: number; headers?: Record<string, string> };
          if (err.status !== 429 || attempt + 1 >= maxRetries) throw error;
          const retryAfterSec = Number(err.headers?.['retry-after']);
          const baseMs = retryAfterSec > 0 ? retryAfterSec * 1000 : Math.pow(2, attempt) * 1000;
          const delayMs = baseMs + Math.random() * 250; // jitter
          await new Promise((resolve) => setTimeout(resolve, delayMs));
        }
      }
    }

Data Protection

Handle Sensitive Data Carefully

  • Encrypt sensitive data at rest
  • Use TLS for data in transit
  • Minimize data collection
  • Implement data retention policies

FOIA Request Privacy

When using the FOIA Dashboard:

  • User request data is encrypted
  • Personal information is isolated per user
  • We comply with GDPR and CCPA
  • You can request data export or deletion

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  1. Email: security@theholefoundation.org
  2. Do not disclose publicly until we’ve addressed it
  3. Include steps to reproduce
  4. We aim to respond within 48 hours

Security Headers

Our API responses include security headers:

    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=31536000; includeSubDomains

X-XSS-Protection is a legacy header: current browsers ignore it, so it adds nothing on its own, and a Content-Security-Policy is the control to rely on against script injection. The Strict-Transport-Security value commits clients to HTTPS for one year across all subdomains, which is why the API cannot later fall back to plain HTTP without breaking them.
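Headers listed in documentation and headers actually returned by a deployment drift apart, so it is worth checking your own endpoint. The audit below is an added example, not part of the HOLE Foundation API or SDK: it compares a response's headers against the values listed above, treating names case-insensitively as HTTP requires. The one-year HSTS minimum and the Content-Security-Policy check are the editor's recommendations rather than requirements stated by the API, and both sample header sets are constructed, not captured from api.theholefoundation.org.

```typescript
// Added example, not part of the HOLE Foundation API: audit response headers against
// the expectations documented on this page plus two editor recommendations (HSTS >= 1 year, CSP present).

type HeaderMap = Record<string, string>;

// HTTP header names are case-insensitive, so compare on a lower-cased copy.
function normalizeHeaders(raw: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(raw)) {
    out[name.toLowerCase()] = raw[name].trim();
  }
  return out;
}

function hstsMaxAge(value: string): number | null {
  const m = /max-age\s*=\s*(\d+)/i.exec(value);
  return m ? parseInt(m[1], 10) : null;
}

const ONE_YEAR_SECONDS = 31536000;

// Returns one message per problem found; an empty array means every check passed.
function auditSecurityHeaders(raw: HeaderMap): string[] {
  const h = normalizeHeaders(raw);
  const findings: string[] = [];

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is missing or not "nosniff"');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('X-Frame-Options is missing or permissive');
  }

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('Strict-Transport-Security is missing');
  } else {
    const maxAge = hstsMaxAge(hsts);
    if (maxAge === null || maxAge < ONE_YEAR_SECONDS) {
      findings.push('Strict-Transport-Security max-age is below one year');
    }
    if (!/includesubdomains/i.test(hsts)) {
      findings.push('Strict-Transport-Security lacks includeSubDomains');
    }
  }

  // X-XSS-Protection is ignored by current browsers; CSP is the control that mitigates XSS.
  if (!h['content-security-policy']) {
    findings.push('Content-Security-Policy is not set (X-XSS-Protection is not a substitute)');
  }

  return findings;
}

// Constructed samples, not captured from api.theholefoundation.org.
const documentedHeaders: HeaderMap = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

const weakHeaders: HeaderMap = {
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'ALLOW-FROM https://example.org',
  'strict-transport-security': 'max-age=300',
};

console.log(auditSecurityHeaders(documentedHeaders));
console.log(auditSecurityHeaders(weakHeaders));
```

Against the header set listed on this page the only finding is the missing Content-Security-Policy; in a real run, build the `HeaderMap` from the response object of whatever HTTP client you use and fail the deployment check when the array is non-empty.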

Compliance

The HOLE Foundation API is designed with compliance in mind:

  • SOC 2 Type II - Security controls audited
  • GDPR - EU data protection compliance
  • CCPA - California privacy compliance
  • HIPAA - Healthcare data handling (when applicable)

Questions?