Prompt
Always identify and properly protect sensitive data fields in your code. Sensitive information includes IP addresses, API keys, authentication tokens, personal identification data, and high-privilege credentials.
Key practices:
- Remove unnecessary sensitive fields from storage (like IP addresses in usage records)
- Encrypt sensitive user data before database storage (API keys, tokens)
- Be aware of sensitive data in external payloads (webhooks, API responses)
- Avoid storing high-privilege credentials like accessKey/accessSecret in plaintext
- Treat personal data (ID cards, phone numbers) as highly confidential
Example of proper sensitive data handling:
// Bad: Storing IP address unnecessarily
export const usageRecords = pgTable('usage_records', {
ipAddress: text('ip_address'), // Remove this sensitive field
});
// Good: Encrypt sensitive user data
const encryptedKeyVaults = encrypt(userKeyVaults); // Encrypt API keys before storage
// Good: Be cautious with webhook data containing sensitive fields
const parsed = JSON.parse(payloadString) as CasdoorWebhookPayload;
// Be aware this may contain accessKey, accessSecret, idCard, etc.
Always ask: “Does this field contain sensitive information?” and “How can I minimize exposure while maintaining functionality?”