Security checklist for extension to EBS

I’m at a point where the panel is talking to the EBS (and EBS to third-party APIs). Now I want to double-check for security holes. Are there additional steps besides:

  • Panel sends “Authorization: Bearer token” in requests to EBS
  • EBS verifies request header for “Authorization: Bearer token”
  • EBS provides CORS header “Access-Control-Allow-Origin: ID.ext-twitch.tv”
  • EBS hosted service (Netlify) uses HTTPS
  • EBS configuration is stored in Netlify environment variables
  • EBS key/value store is on Fauna DB and only holds broadcaster channel ID and Pavlok API token
  • panel uses Twitch configuration service only to store a toggle value (‘broadcaster’ / ‘public’)

Appreciate any recommendations, thanks.

Sounds good to me.

And is similar to what I do on some of my extensions.
