firecrawl-security-basics

FireCrawl Security Basics

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "firecrawl-security-basics" with this command: npx skills add jeremylongshore/claude-code-plugins-plus-skills/jeremylongshore-claude-code-plugins-plus-skills-firecrawl-security-basics

FireCrawl Security Basics

Overview

Security best practices for FireCrawl API keys, tokens, and access control.

Prerequisites

  • FireCrawl SDK installed

  • Understanding of environment variables

  • Access to FireCrawl dashboard

Instructions

Step 1: Configure Environment Variables

.env (NEVER commit to git)

FIRECRAWL_API_KEY=sk_live_*** FIRECRAWL_SECRET=***

.gitignore

.env .env.local .env.*.local

Step 2: Implement Secret Rotation

set -euo pipefail

1. Generate new key in FireCrawl dashboard

2. Update environment variable

export FIRECRAWL_API_KEY="new_key_here"

3. Verify new key works

curl -H "Authorization: Bearer ${FIRECRAWL_API_KEY}"
https://api.firecrawl.com/health

4. Revoke old key in dashboard

Step 3: Apply Least Privilege

Environment Recommended Scopes

Development read:*

Staging read:*, write:limited

Production Only required scopes

Output

  • Secure API key storage

  • Environment-specific access controls

  • Audit logging enabled

Error Handling

Security Issue Detection Mitigation

Exposed API key Git scanning Rotate immediately

Excessive scopes Audit logs Reduce permissions

Missing rotation Key age check Schedule rotation

Examples

Service Account Pattern

const clients = { reader: new FireCrawlClient({ apiKey: process.env.FIRECRAWL_READ_KEY, }), writer: new FireCrawlClient({ apiKey: process.env.FIRECRAWL_WRITE_KEY, }), };

Webhook Signature Verification

import crypto from 'crypto';

function verifyWebhookSignature( payload: string, signature: string, secret: string ): boolean { const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex'); return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected)); }

Security Checklist

  • API keys in environment variables

  • .env files in .gitignore

  • Different keys for dev/staging/prod

  • Minimal scopes per environment

  • Webhook signatures validated

  • Audit logging enabled

Audit Logging

interface AuditEntry { timestamp: Date; action: string; userId: string; resource: string; result: 'success' | 'failure'; metadata?: Record<string, any>; }

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> { const log: AuditEntry = { ...entry, timestamp: new Date() };

// Log to FireCrawl analytics await firecrawlClient.track('audit', log);

// Also log locally for compliance console.log('[AUDIT]', JSON.stringify(log)); }

// Usage await auditLog({ action: 'firecrawl.api.call', userId: currentUser.id, resource: '/v1/resource', result: 'success', });

Resources

  • FireCrawl Security Guide

  • FireCrawl API Scopes

Next Steps

For production deployment, see firecrawl-prod-checklist .

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

xss-vulnerability-scanner

No summary provided by upstream source.

Repository SourceNeeds Review
-44
jeremylongshore
Security

session-security-checker

No summary provided by upstream source.

Repository SourceNeeds Review
-41
jeremylongshore
Security

cookie-security-analyzer

No summary provided by upstream source.

Repository SourceNeeds Review
-41
jeremylongshore