
Securing your integration

Privy is a powerful library that enables you to securely authenticate your users and provision self-custodial embedded wallets in order to create delightful user experiences. Privy protects your users’ accounts and wallets via secure account verification, session management, and Shamir secret sharing cryptography. See our architecture security documentation for more information.

Privy is integrated deeply into application environments, and your application provides the context in which users access their accounts. Accordingly, it is essential that you take steps to secure your product to protect your users.

Here is a guide to help you get started and configure your application securely. Beyond this, security is a comprehensive topic that touches every part of your stack.

TIP

At a high level, we recommend that you:

  • Configure your security settings in the Privy developer dashboard
  • Ensure your application’s frontend is secure
  • Protect your developer credentials
  • Educate your users about security

Configure security settings in the Privy Dashboard

Before you launch your app, we strongly recommend you enable these security settings in the Privy developer dashboard to protect your users’ accounts:

Lock down your app frontend

Because your application frontend provides the context in which users access their accounts, it is an essential environment to keep secure. Follow client-side security best practices, including limiting what is able to inject JavaScript into your site. Make sure that only the code you intend to run actually runs in your app.

  • Use TLS and HTTPS to serve your web pages.
  • Avoid open redirects in your app. If your app must have them or you are unsure if it does, we recommend specifying an allowed OAuth redirect URL to help mitigate redirect-based attacks.
  • Ensure you have content headers set correctly on your site. Set the X-Frame-Options header to none on your root domain to ensure that your content cannot be embedded into a malicious site.
  • Ensure your application has a strict Content Security Policy (CSP).
  • Ensure that your application has protections against XSS attacks.
  • Review your application's third-party JavaScript dependencies.
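The following is an added example, not code from Privy or this guide, showing how the header items in the list above translate into a concrete configuration, an audit that reports which headers are missing or weak, and an exact-match allowlist for redirect targets (the mitigation the open-redirect bullet recommends). The origin https://app.example.com, the header values, the CSP and the allowlist entries are all assumptions for a hypothetical app. One caveat on the X-Frame-Options bullet: that header only accepts the values DENY and SAMEORIGIN; 'none' is the spelling used by the CSP frame-ancestors directive, which supersedes X-Frame-Options in current browsers, so the example sets both.

```javascript
// Added example, not part of Privy's documentation or code: the response
// headers behind the checklist above, an audit that reports which are missing
// or weak, and an allowlist check for redirect targets. All names, URLs and
// header values are assumptions for a hypothetical app at https://app.example.com.

const APP_ORIGIN = "https://app.example.com";

// Headers for a locked-down app origin. The CSP assumes scripts are served
// only from the app's own origin; add the hosts you actually load from.
const SECURITY_HEADERS = {
  "strict-transport-security": "max-age=63072000; includeSubDomains",
  // X-Frame-Options only accepts DENY or SAMEORIGIN; CSP's frame-ancestors
  // directive supersedes it, and 'none' is that directive's spelling.
  "x-frame-options": "DENY",
  "content-security-policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; " +
    "base-uri 'self'; frame-ancestors 'none'",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
};

// Express-style middleware (assumed (req, res, next) signature) that applies them.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Return the source list of one CSP directive, or null if it is absent.
function cspDirective(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0] === name) return tokens.slice(1);
  }
  return null;
}

// Audit a response's headers (names are case-insensitive) against the checklist.
// Returns human-readable findings; an empty array means every check passed.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (!h["strict-transport-security"]) findings.push("HSTS header missing");

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN") {
    findings.push("X-Frame-Options must be DENY or SAMEORIGIN");
  }

  const csp = h["content-security-policy"] || "";
  if (!csp) {
    findings.push("Content-Security-Policy missing");
  } else {
    if (cspDirective(csp, "frame-ancestors") === null) {
      findings.push("CSP has no frame-ancestors directive");
    }
    // script-src falls back to default-src when it is absent.
    const scriptSrc =
      cspDirective(csp, "script-src") || cspDirective(csp, "default-src") || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
    if (scriptSrc.includes("*")) findings.push("CSP script-src allows any host (*)");
  }

  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: nosniff missing");
  }
  return findings;
}

// Exact-match allowlist for OAuth and post-login redirect targets (constructed).
const ALLOWED_REDIRECTS = [`${APP_ORIGIN}/dashboard`, `${APP_ORIGIN}/oauth/callback`];

// Resolve a user-supplied redirect value against the app origin and allow it
// only if origin + path match an allowlisted URL exactly. Returns the
// normalized URL string, or null when the redirect must be refused.
function safeRedirect(candidate) {
  let target;
  try {
    target = new URL(String(candidate), APP_ORIGIN); // "/x" resolves to the app; "//host/x" does not
  } catch (err) {
    return null;
  }
  if (target.protocol !== "https:") return null;       // refuses http:, javascript:, data:
  if (target.username || target.password) return null; // credentials in a redirect are never legitimate
  const canonical = target.origin + target.pathname;   // compare without query string or fragment
  return ALLOWED_REDIRECTS.includes(canonical) ? target.href : null;
}
```

Run auditHeaders against the header map your server actually returns (for example from a fetch of your root page in a deployment check) rather than against the configuration object, so that a proxy or CDN stripping a header is caught. safeRedirect keeps the query string of an allowed target so an OAuth callback still receives its code and state parameters, but compares only origin and path, which is what an allowlist should key on.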

Beyond this, it is critical that you secure your domain. For instance, enable 2FA on your DNS provider account, and ensure your DNS is configured correctly.

Protect your developer credentials

Your developer login credentials can be used to configure your application with the Privy dashboard. It’s important to protect your credentials to avoid unauthorized access to your developer account.

Your app secret can be used to manage and query the users that have signed up in your app. Store your app secret securely, e.g. via a secrets manager. We will never reveal your app secret in your developer dashboard beyond the first time the secret is generated.
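As an added example, not Privy's code, here is a small server-side pattern for handling the app secret the way the paragraph above recommends: read it from the environment that your secrets manager populates, fail at startup if it is missing or is an obvious placeholder, and mask it in anything that reaches a log line. The environment variable name PRIVY_APP_SECRET, the placeholder patterns and the demo secret value are assumptions constructed for this example.

```javascript
// Added example, not part of Privy's documentation or code: read the app
// secret from the environment (populated by your secrets manager), refuse
// placeholder values, and mask the secret in anything that is logged.
// The variable name PRIVY_APP_SECRET is an assumption for this example.

const SECRET_ENV = "PRIVY_APP_SECRET";

// Values that indicate someone committed a placeholder instead of injecting
// the real secret at deploy time (constructed list).
const PLACEHOLDERS = /^(changeme|todo|placeholder|x+|your[-_]secret[-_]here)$/i;

// Load the secret or fail fast at startup; never fall back to a literal in code.
function loadAppSecret(env = process.env) {
  const value = (env[SECRET_ENV] || "").trim();
  if (!value) {
    throw new Error(`${SECRET_ENV} is not set; inject it from your secrets manager`);
  }
  if (PLACEHOLDERS.test(value)) {
    throw new Error(`${SECRET_ENV} holds a placeholder value`);
  }
  return value;
}

// Build a logger that replaces every known secret with [REDACTED] before the
// message reaches the sink, so a stray error message cannot leak it.
function makeRedactingLogger(secrets, sink = console.log) {
  const known = secrets.filter((s) => typeof s === "string" && s.length > 0);
  const redact = (text) =>
    known.reduce((out, s) => out.split(s).join("[REDACTED]"), String(text));
  return {
    redact,
    log: (...args) => sink(args.map(redact).join(" ")),
  };
}

// Usage with a constructed environment so the example runs offline.
const demoEnv = { [SECRET_ENV]: "constructed-demo-secret-0123" };
const appSecret = loadAppSecret(demoEnv);
const logger = makeRedactingLogger([appSecret]);
logger.log("config loaded:", JSON.stringify({ appSecret }));
// prints: config loaded: {"appSecret":"[REDACTED]"}
```

The loader belongs in server-side startup code only; anything bundled for the browser must never import it, since a secret that reaches the client bundle is effectively published.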

Educate your users about security

Your users also share responsibility for their account security. Phishing is the biggest source of risk affecting end users.

Let your users know you will never ask them for credentials, help them avoid untrusted bookmarklets and extensions, ensure they are only interacting with your intended domains, and create clear expectations about how your product will prompt them to interact.