I’m at a point where the panel is talking to the EBS (and EBS to third-party APIs). Now I want to double-check for security holes. Are there additional steps besides:
- Panel sends “Authorization: Bearer token” in requests to EBS
- EBS verifies request header for “Authorization: Bearer token”
- EBS provides CORS header “Access-Control-Allow-Origin: ID.ext-twitch.tv”
- EBS hosted service (Netlify) uses HTTPS
- EBS configuration is held in Netlify environment variables
- EBS key/value store is on Fauna DB and only holds broadcaster channel ID and Pavlok API token
- Panel uses the Twitch configuration service only to store a toggle value (‘broadcaster’ / ‘public’)
Appreciate any recommendations, thanks.
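The two checks on the list that most often go wrong in practice are the bearer-token verification and the CORS header, so here is an added, stand-alone example of how an EBS can do both; it is not code from the original post or from Twitch. It assumes the bearer token is an HS256-signed JWT with a base64-encoded shared secret and the claim names `channel_id`, `role` and `exp` (the layout Twitch extension tokens use), pins the algorithm rather than trusting the token's header, binds the token to the channel the request acts on, and matches the `Origin` exactly instead of echoing it back. All secrets and IDs below are constructed placeholders.

```python
"""Added example (not from the original post): verifying the
"Authorization: Bearer <token>" header in an EBS and emitting a strict
CORS origin. Assumptions: HS256 JWT, base64-encoded shared secret, and the
Twitch-style claims channel_id / role / exp. Standard library only."""
import base64
import hashlib
import hmac
import json
import time

# Constructed test values, not real credentials or a real client id.
SAMPLE_SECRET_B64 = base64.b64encode(b"constructed-test-secret-not-real").decode()
SAMPLE_CHANNEL_ID = "12345"
ALLOWED_ORIGIN = "https://ID.ext-twitch.tv"  # "ID" is the placeholder from the post
ALLOWED_ROLES = ("broadcaster", "moderator", "viewer")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret_b64: str) -> str:
    """Build an HS256 JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(base64.b64decode(secret_b64), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{_b64url_encode(mac.digest())}"


def verify_bearer(auth_header, secret_b64, expected_channel_id, now=None):
    """Return the verified claims dict, or None if anything is wrong."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side: the token must not choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(base64.b64decode(secret_b64),
                        f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    # Bind the token to the channel this request claims to act on.
    if str(claims.get("channel_id")) != str(expected_channel_id):
        return None
    if claims.get("role") not in ALLOWED_ROLES:
        return None
    return claims


def cors_headers(request_origin, allowed_origin=ALLOWED_ORIGIN):
    """Exact-match allow list: return the CORS header only for the one
    permitted origin, and never reflect an arbitrary Origin back."""
    if request_origin == allowed_origin:
        return {"Access-Control-Allow-Origin": allowed_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    t = int(time.time())
    tok = make_token({"channel_id": SAMPLE_CHANNEL_ID, "role": "broadcaster", "exp": t + 60},
                     SAMPLE_SECRET_B64)
    print(verify_bearer("Bearer " + tok, SAMPLE_SECRET_B64, SAMPLE_CHANNEL_ID))
    print(cors_headers("https://not-twitch.example"))
```

Anything the panel sends beyond the token (a channel ID in the body, for instance) should be compared against the verified claims rather than trusted on its own, which is what the `expected_channel_id` check does.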