Security Best Practices
Guidelines for keeping your Sensei AI deployment secure.
- Use environment variables: never hardcode API keys in source; read them from the environment at runtime.
- Keep .env.local in .gitignore so local secrets are never committed. If a key does land in a commit, treat it as compromised and rotate it; deleting it from the history afterwards is not enough.
- Rotate keys regularly: at least every 90 days, and immediately when someone leaves the team or a key may have leaked.
- Use separate keys for dev and prod so a leaked development key cannot touch production data, and so production keys never sit on developer laptops.
- Use the service role key only server-side (API routes, server components, server actions). It bypasses Row Level Security, so never expose SUPABASE_SERVICE_ROLE_KEY to the browser. In a Next.js app that also means never giving it a NEXT_PUBLIC_ prefix, because those variables are inlined into the client bundle.
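As an added example (not code from Sensei AI or its docs): a small TypeScript audit that classifies Supabase keys and flags a service role key that would reach the browser. It assumes a Next.js app on Vercel, where any NEXT_PUBLIC_ variable is inlined into the client bundle, and that legacy Supabase keys are JWTs whose payload carries a `role` claim of `anon` or `service_role`; the newer `sb_publishable_` / `sb_secret_` key prefixes are handled on the assumption that the former is browser-safe and the latter server-only. Function names and the fixture key builder are the example's own.

```typescript
// Added example, not Sensei AI project code.
// Assumptions: Next.js inlines NEXT_PUBLIC_* into the browser bundle; legacy Supabase keys are
// JWTs with a "role" claim; "sb_publishable_" keys are browser-safe, "sb_secret_" keys are server-only.

export type KeyRole = "anon" | "service_role" | "unknown";

/** Classify a Supabase key by its role. Decodes the JWT payload only; no signature check is
 *  needed because we are classifying our own configuration, not authenticating a caller. */
export function supabaseKeyRole(key: string): KeyRole {
  if (key.startsWith("sb_publishable_")) return "anon";
  if (key.startsWith("sb_secret_")) return "service_role";
  const parts = key.split(".");
  if (parts.length !== 3) return "unknown";
  try {
    const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return payload.role === "anon" || payload.role === "service_role" ? payload.role : "unknown";
  } catch {
    return "unknown";
  }
}

/** True for variable names Next.js ships to the browser. */
export function isBrowserExposed(name: string): boolean {
  return name.startsWith("NEXT_PUBLIC_");
}

export interface EnvProblem { name: string; reason: string }

/** Audit an env mapping: required names present, and no service_role key under a browser-exposed name. */
export function auditEnv(
  env: Record<string, string | undefined>,
  required: string[] = ["SUPABASE_SERVICE_ROLE_KEY", "NEXT_PUBLIC_SUPABASE_ANON_KEY"],
): EnvProblem[] {
  const problems: EnvProblem[] = [];
  for (const name of required) {
    if (!env[name]) problems.push({ name, reason: "missing" });
  }
  for (const name of Object.keys(env)) {
    const value = env[name];
    if (!value) continue;
    if (isBrowserExposed(name) && supabaseKeyRole(value) === "service_role") {
      problems.push({ name, reason: "service_role key would be inlined into the browser bundle" });
    }
  }
  return problems;
}

/** Server-only accessor: refuses to run in a browser and refuses a key that is not service_role. */
export function getServiceRoleKey(env: Record<string, string | undefined> = process.env): string {
  if (typeof (globalThis as any).window !== "undefined") {
    throw new Error("service role key requested from browser code");
  }
  const key = env.SUPABASE_SERVICE_ROLE_KEY;
  if (!key) throw new Error("SUPABASE_SERVICE_ROLE_KEY is not set");
  if (supabaseKeyRole(key) !== "service_role") {
    throw new Error("SUPABASE_SERVICE_ROLE_KEY does not carry the service_role claim");
  }
  return key;
}

/** Constructed fixture: a JWT-shaped key with the given role and a dummy signature. Not a real key. */
export function fakeSupabaseKey(role: string): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ iss: "supabase", ref: "example", role, iat: 0 })}.c2lnbmF0dXJl`;
}
```

Run `auditEnv(process.env)` once at server start-up and fail the boot on any problem, or run it in CI against the variables pulled with `vercel env pull`, so a mis-prefixed key is caught before a deploy ships it to every visitor.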
- Enable Row Level Security (RLS) on every table the anon key can reach, and write policies for it. Enabling RLS with no policies denies all access through the anon key (the service role key bypasses RLS entirely), and a permissive policy such as `USING (true)` hands that access straight back; the policies are what enforce per-client isolation at the database level.
- Validate client IDs: check the format first, then verify the client exists before doing any work for the request, so requests carrying unknown IDs are rejected before they cost anything.
- Regular backups: enable Supabase point-in-time recovery and test a restore; a backup that has never been restored is not a backup.
- Limit access to trusted team members. Only share the admin URL with authorized personnel, and treat it like a password: it ends up in browser history, bookmarks, proxy logs and Referer headers.
- Add authentication before production. An unguessable URL is not access control; put the admin dashboard behind Supabase Auth or similar and check the session server-side on every admin request, not only on the page that renders the dashboard.
- Use HTTPS only. Vercel provisions certificates and serves over HTTPS by default; if you bring a custom domain, confirm that plain HTTP requests are redirected to HTTPS.
- Client IDs are not secrets. They are visible in the embed code, and that is fine, as long as nothing grants access based on knowing one.
- The chatbot only returns public info, so the knowledge base should contain only content you would show to anyone. Whoever has a client ID can query it, so never load internal documents, credentials or personal data into it.
- Rate limiting (future): add rate limits to prevent abuse. Because client IDs are public, limit per client ID and per caller IP together, so one abusive caller cannot exhaust a legitimate customer's quota.
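The client ID checks and the rate limiting described above, as an added TypeScript example that is not Sensei AI's own code. It assumes client IDs are UUIDs, replaces the Supabase query with an injected lookup backed by an in-memory Map so it runs offline (synchronous here for simplicity; the real lookup would be async), and uses an in-process fixed-window limiter, which only holds per serverless instance; across instances the counters need a shared store such as Redis or a database table. Names, the request shape and the fixture clients are the example's own.

```typescript
// Added example, not Sensei AI project code.
// Assumptions: client IDs are UUIDs; the client table lookup is injected (in-memory here);
// the rate limiter is in-process, so in a multi-instance deployment it must be backed by a shared store.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

/** Cheap syntactic check that runs before anything touches the database. */
export function isValidClientIdFormat(id: unknown): id is string {
  return typeof id === "string" && UUID_RE.test(id);
}

export interface ClientRecord { id: string; name: string; active: boolean }
export type ClientLookup = (id: string) => ClientRecord | null;

/** Fixed-window counter keyed by an arbitrary string. `now` is injected so behaviour is testable. */
export class RateLimiter {
  private windows = new Map<string, { start: number; count: number }>();
  constructor(private readonly limit: number, private readonly windowMs: number) {}

  allow(key: string, now: number = Date.now()): boolean {
    const w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(key, { start: now, count: 1 });
      return true;
    }
    if (w.count >= this.limit) return false;
    w.count += 1;
    return true;
  }
}

export interface ChatRequest { clientId: unknown; ip: string; message: string }
export interface ChatResponse { status: number; body: string }
export interface Deps { lookup: ClientLookup; limiter: RateLimiter; now?: number }

export function handleChatRequest(req: ChatRequest, deps: Deps): ChatResponse {
  const clientId = req.clientId;
  // 1. Reject malformed IDs before the limiter or the database see them.
  if (!isValidClientIdFormat(clientId)) return { status: 400, body: "invalid client id" };

  // 2. Limit on client ID and caller IP together: client IDs are public, so a limit keyed on the
  //    ID alone would let a stranger burn through a customer's quota. Done before the lookup so a
  //    flood of guessed IDs cannot hammer the database either.
  const now = deps.now ?? Date.now();
  if (!deps.limiter.allow(`${clientId}:${req.ip}`, now)) return { status: 429, body: "rate limited" };

  // 3. Existence check. Unknown and deactivated clients get the same answer, so the status code
  //    does not reveal which IDs exist.
  const client = deps.lookup(clientId);
  if (!client || !client.active) return { status: 404, body: "unknown client" };

  // 4. Only now do the real work (the chat completion, omitted here).
  return { status: 200, body: `answer for ${client.name}: ${req.message}` };
}

/** Constructed fixture: an in-memory client table standing in for the Supabase query. */
export const DEMO_CLIENTS = new Map<string, ClientRecord>([
  ["11111111-1111-4111-8111-111111111111", { id: "11111111-1111-4111-8111-111111111111", name: "Acme", active: true }],
  ["22222222-2222-4222-8222-222222222222", { id: "22222222-2222-4222-8222-222222222222", name: "Old Co", active: false }],
]);
export const demoLookup: ClientLookup = (id) => DEMO_CLIENTS.get(id) ?? null;
```

The order matters: format check, then limiter, then lookup. Reversing the last two would let an attacker spend a database query per guessed ID before ever being limited.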
- ☐ All API keys stored in environment variables
- ☐ .env.local is in .gitignore
- ☐ Service role key only used server-side
- ☐ RLS enabled, with policies, on every table reachable with the anon key
- ☐ Admin dashboard access restricted
- ☐ HTTPS enabled (automatic on Vercel)
- ☐ Database backups enabled
- ☐ Knowledge base contains only public content