DocumentationSecurity Best Practices
Security Best Practices
Hardening your FusePlane configuration for production.
Securing your execution layer is critical. Here are the recommended configurations for production.
1. Strict CORS Policy
Never use `*` as an allowed origin in production. Explicitly list your front-end domains.
BAD: allowedOrigins: ["*"]
GOOD: allowedOrigins: ["https://myapp.com", "https://staging.myapp.com"]
2. Least Privilege Secrets
Create dedicated API keys for FusePlane with limited scopes. For example, if your endpoint only reads data, don't provide an admin key with write access.
3. Input Validation
Always validate `context.body` inside your endpoint before using it.
1import { z } from 'zod';23const schema = z.object({4 email: z.string().email()5});67export default FusePlaneEndpoint({8 async run({ body }) {9 const { email } = schema.parse(body); // Throws if invalid10 // ...11 }12});