Setting a secure foundation: a primer
Asta Li
|Jan 29, 2024
Securing your users data and their digital assets is our top priority at Privy. To that end, we’ve written our secure app setup guide, which details our list of recommendations to keep your app and your users’ assets as secure as possible. This guide reflects industry best practices as well as lessons learned from collaborating with many of the most thoughtful teams in the market, like Friendtech, OpenSea, and Zora. Here’s a quick peek.
Setting a secure foundation
Our guide recommends four foundational focus areas for your integration:
Configuring secure settings in the Privy dashboard: Privy offers a number of features to help you secure your app through the user’s lifecycle. Some of these features should be enabled for all applications before they launch, this includes:
Http-only cookies
Restricting login methods to those you use
On top of this, we offer features like MFA for embedded wallet actions and password-based recovery that you should have your users enable if your app deals with high value assets.
Ensuring your app’s front-end is secure: There are several security best practices to ensure that only the code you intend (and nothing malicious) runs in the client. At a minimum, we recommend that you use TLS and HTTPS to serve all requests. Beyond this, you should limit the scope of what Javascript can be run on your site, ensuring you set context headers properly, and enforcing a strict content security policy (CSP).
Protecting your developer credentials: It’s important to protect your credentials to avoid unauthorized access to your developer account, notably via managing admin access and storing your app secret securely.
Educate your users about security: This may be the toughest recommendation yet but helping your users understand and recognize threats is within your power. Let your users know the range of interactions they can expect from your app and the ways you will communicate with them. This includes telling them in email footers and on your site that you will never reach out to ask them for private information; this includes having consistent UIs and patterns around sensitive actions so departure from these standards will tip them that something is afoot, as well as linking to good resources around web security in an FAQ on your site. Let them know what to expect so they aren’t caught unaware.
Check out the full guide to see our list of baseline setup recommendations on each of these fronts.
Where we go from here
Security is a full team sport and we are here to help. In the coming weeks we’ll be releasing an updated Privy dashboard to help you set best practices in motion as you launch your app!
If there are additional security measures you’d like to see us recommend to our customers, please reach out at [email protected] to let us know.
Privy operates in a rapidly evolving threat landscape, and our security work is continuous. You can read up more on our blog as well, for instance in this series on wallets and security:
