Resources / Extension Security
Secret management
Treat the extension as an untrusted client: anything shipped in it (bundle, manifest, options page) or stored by it can be read by whoever installs or unpacks the package, so minimize what it knows.
Patterns
- Backend mediation: proxy sensitive calls; never expose raw credentials in the client.
- Short-lived tokens: issue scoped access tokens that expire in minutes, not days; the client fetches a fresh one from the backend instead of holding a refresh credential.
- Scope by role: follow least privilege; align OAuth scopes to user capabilities.
- Rotation & revocation: plan periodic rotation; support immediate revoke on incident.
- Server-side encryption: encrypt stored secrets at rest; restrict decryption to the backend roles that need it through KMS key policies.
Don’ts
- No API keys in code: never hard-code secrets in bundles, manifests, or options pages; anyone can download and unpack the published package.
- No long-lived refresh tokens in the client: keep the refresh credential at the backend and hand the client only short-lived access tokens.
- No secrets in telemetry: scrub tokens, keys, and credential-bearing headers from logs, traces, and crash reports before they are stored or leave the client.
Incident plan
- Key rotation runbook: automate rotation and exercise the runbook on a schedule, so rotating under incident pressure is routine rather than a first attempt.
- Revoke & notify: disable compromised tokens, keys, and client IDs immediately; inform affected users and stakeholders.
- Patch & hotfix timeline: ship the minimal fix first, then follow with hardening and a post-mortem.