Appearance

Securing your integration

Privy is a powerful library that enables you to securely authenticate your users and provision self-custodial embedded wallets in order to create delightful user experiences. Privy protects your users’ accounts and wallets via secure account verification, session management, and Shamir secret sharing cryptography. See our architecture security documentation for more information.

Privy is integrated deeply into application environments, and your application provides the context in which users access their accounts. Accordingly, it is essential that you take steps to secure your product to protect your users.

Here is a guide to help you get started and configure your application securely. Beyond this, security is a comprehensive topic that touches every part of your stack.

TIP

At a high level, we recommend that you:

  • Configure your security settings in the Privy developer dashboard
  • Ensure your application’s frontend is secure
  • Protect your developer credentials
  • Educate your users about security

Configure security settings in the Privy Dashboard

Before you launch your app, we strongly recommend you enable these security settings in the Privy developer dashboard to protect to your users’ accounts:

  • Restrict your allowed domains by adding your domain in the Domains page.
  • Limit allowed methods for your app in the Login Methods page to only those you use for login or linking.
  • If your app is browser-based, enable a base domain in the Domains page to set HttpOnly cookies, which helps further protect your user's Privy tokens from XSS and related attacks.
  • If your app deals with high-value assets, enable multi-factor authentication for wallet actions and require that users set it up.

Lock down your app frontend

Because your application frontend provides the context in which users access their accounts, it is an essential environment to keep secure. Follow client-side security best practices, including limiting what is able to inject Javascript into your site. You should make sure only the code you intend runs in your app.

  • Use TLS and HTTPS to serve your web pages.
  • Ensure you do not have open redirects.
  • Ensure you have content headers set correctly on your site. Set the X-Frame-Options header to none on your root domain to ensure that your content cannot be embedded into a malicious site.
  • Ensure your application has a strict Content Security Policy (CSP).
  • Ensure that your application has protections against XSS attacks.
  • Review your application's third-party Javascript dependencies.

Protect your developer credentials

Your developer login credentials can be used to configure your application with the Privy dashboard. It’s important to protect your credentials to avoid unauthorized access to your developer account.

Your app secret can be used to manage and query the users that have signed up in your app. Store your app secret securely, e.g. via a secrets manager. We will never reveal your app secret in your developer dashboard beyond the first time the secret is generated.

Educate your users about security

Your users also share in responsibility for their account security. Phishing is the biggest source of risk affecting end users.

Let your users know you will never ask them for credentials, help them avoid untrusted bookmarklets and extensions, ensure they are only interacting with your intended domains, and create clear expectations about how your product will prompt them to interact.