🛡️ 测试与安全

firecrawl-security-basics

实现 API 密钥的安全存储与访问控制,通过环境变量管理敏感信息并防止泄露,支持密钥轮换和最小权限原则配置,结合审计日志记录关键操作,确保开发、测试与生产环境的独立性与安全性。

快捷安装

在终端运行此命令,即可一键安装该 Skill 到您的 Claude 中

npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill "firecrawl-security-basics"

Firecrawl Security Basics

Overview

Security best practices for Firecrawl API keys, webhook signature verification, and scraped content handling. Firecrawl API keys start with fc- and grant full access to scrape, crawl, map, and extract endpoints — protecting them is critical.

Prerequisites

  • Firecrawl API key
  • Understanding of environment variables
  • Webhook endpoint (if using async crawl callbacks)

Instructions

Step 1: Secure API Key Storage

# .env (NEVER commit to git)
FIRECRAWL_API_KEY=fc-your-api-key-here

# .gitignore — add these patterns
echo -e "\n.env\n.env.local\n.env.*.local" >> .gitignore
// Validate key exists before creating client
import FirecrawlApp from "@mendable/firecrawl-js";

if (!process.env.FIRECRAWL_API_KEY?.startsWith("fc-")) {
  throw new Error("FIRECRAWL_API_KEY must be set and start with 'fc-'");
}

const firecrawl = new FirecrawlApp({
  apiKey: process.env.FIRECRAWL_API_KEY,
});

Step 2: Verify Webhook Signatures

Firecrawl signs webhook payloads with HMAC-SHA256 via the X-Firecrawl-Signature header.

import crypto from "crypto";

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");

  // Timing-safe comparison prevents timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// Express webhook handler with verification
app.post("/webhooks/firecrawl", (req, res) => {
  const signature = req.headers["x-firecrawl-signature"] as string;
  const rawBody = JSON.stringify(req.body);

  if (!verifyWebhookSignature(rawBody, signature, process.env.FIRECRAWL_WEBHOOK_SECRET!)) {
    console.error("Invalid webhook signature — rejecting");
    return res.status(401).json({ error: "Invalid signature" });
  }

  // Process verified webhook
  const { type, data } = req.body;
  console.log(`Verified webhook: ${type}`);
  res.status(200).json({ received: true });
});

Step 3: Separate Keys per Environment

# GitHub Actions secrets
gh secret set FIRECRAWL_API_KEY_DEV --body "fc-dev-..."
gh secret set FIRECRAWL_API_KEY_STAGING --body "fc-staging-..."
gh secret set FIRECRAWL_API_KEY_PROD --body "fc-prod-..."
// Load correct key based on environment
const KEY_MAP: Record<string, string> = {
  development: "FIRECRAWL_API_KEY_DEV",
  staging: "FIRECRAWL_API_KEY_STAGING",
  production: "FIRECRAWL_API_KEY_PROD",
};

const envVar = KEY_MAP[process.env.NODE_ENV || "development"];
const apiKey = process.env[envVar] || process.env.FIRECRAWL_API_KEY;

Step 4: Rotate Keys

set -euo pipefail
# 1. Generate new key at firecrawl.dev/app
# 2. Deploy new key alongside old key
# 3. Verify new key works
curl -s https://api.firecrawl.dev/v1/scrape \
  -H "Authorization: Bearer $NEW_FIRECRAWL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com","formats":["markdown"]}' | jq .success

# 4. Remove old key from all environments
# 5. Delete old key in Firecrawl dashboard

Step 5: Sanitize Scraped Content

// Scraped web content may contain PII, scripts, or malicious data
function sanitizeScrapedContent(markdown: string): string {
  return markdown
    // Remove potential script injections
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    // Remove data URIs (potential XSS vectors)
    .replace(/!\[.*?\]\(data:.*?\)/g, "")
    // Remove javascript: links
    .replace(/\[.*?\]\(javascript:.*?\)/g, "")
    // Strip HTML comments
    .replace(/<!--[\s\S]*?-->/g, "")
    .trim();
}

Security Checklist

  • API key stored in environment variable, never hardcoded
  • .env files listed in .gitignore
  • Different keys for dev/staging/production
  • Webhook signatures verified before processing
  • Scraped content sanitized before storage/display
  • Key rotation scheduled quarterly
  • Git history scanned for leaked keys

Error Handling

Security IssueDetectionMitigation
Leaked API key in gitgit log -p | grep "fc-"Rotate immediately, revoke old key
Invalid webhook signatureSignature verification failsReject request, alert team
Excessive scraping costsCredit alerts from FirecrawlSet credit limits per key
PII in scraped contentContent scanningSanitize before storage

Resources

Next Steps

For production deployment, see firecrawl-prod-checklist.

🔗 相关技巧

superpowers-workflow

遵循结构化流程处理开发任务,涵盖需求澄清、分步规划、测试优先的实现、代码审查与验证总结,适用于功能开发、调试、重构及自动化设计等场景,根据变更风险动态调整流程严格度。

webapp-testing

提供对本地 Web 应用的端到端测试能力,支持启动服务、自动化交互、截图诊断、控制台日志捕获及动态 DOM 分析,适用于验证前端功能与调试 UI 行为。

pr-creator

自动化创建符合规范的拉取请求,涵盖分支切换、模板识别与填充、预检验证及标准化提交,确保代码审查流程的合规性与完整性。

java-python-code-reviewer

提供针对 Java与 Python 代码的深度评审,聚焦正确性、复杂度分析与实现质量。支持算法题解审查,识别边界条件遗漏与性能瓶颈,推荐数据结构优化策略,并对比双语言实现差异,在保证逻辑严谨的同时提升代码可读性与执行效率。