Auth Security Best Practices

Always use HTTPS in production - Required for secure cookies (__Secure- and __Host- prefixes)
Keep secrets secure - Use Cloudflare Workers secrets or environment variables, never commit to git
Rotate secrets regularly - Change AUTH_SECRET and API_HASH_SECRET periodically
Use minimum required scopes - Grant API keys only the permissions they need
Monitor authentication logs - Enable audit logging to track authentication events

Use Zero Trust Policies - Implement granular access policies based on user identity
Enable session recording (optional) - Track user activities for security auditing
Configure session duration - Balance security and user experience
Use email verification - Require verified email addresses for access
Enable MFA - Require multi-factor authentication for sensitive operations

Use strong AUTH_SECRET - Minimum 32 bytes of entropy (use openssl rand -base64 32)
Protect OAuth secrets - Store GITHUB_OAUTH_CLIENT_SECRET as Workers secret
Configure OAuth scopes - Request only required GitHub scopes
Set appropriate session maxAge - Default is 7 days, adjust based on security requirements
Use production cookie prefixes - __Secure- prefix requires HTTPS

Set expiration dates - API keys should have limited lifetimes
Use IP whitelisting - Restrict API key usage to known IP addresses
Rotate keys regularly - Replace API keys periodically, especially after team changes
Delete unused keys - Remove API keys that are no longer needed
Monitor key usage - Track last_used_at timestamps to identify inactive keys

Auth Security Best Practices ​