Implement security best practices for Customer.io integrations including credential management, PII handling, webhook verification, and GDPR compliance.
Use a secrets manager (GCP Secret Manager, AWS Secrets Manager) instead of environment variables for production credentials.
Hash sensitive identifiers with SHA-256 before sending them to Customer.io. Sanitize user attributes to remove highly sensitive fields (SSN, credit card numbers) and optionally hash PII fields (phone, address).
Establish a 90-day rotation schedule for API credentials. Automate rotation through the secrets manager where possible, with zero-downtime rotation procedures.
Verify Customer.io webhook signatures using HMAC-SHA256 and compare them with crypto.timingSafeEqual. Create Express middleware so every incoming webhook is verified automatically.
Define role-based permissions (admin, editor, viewer) and enable audit logging for security-sensitive operations.
Implement user suppression and deletion for GDPR/CCPA compliance. Create anonymization functions for historical analytics data.
For detailed implementation code and configurations, load the reference guide:
Read(${CLAUDE_SKILL_DIR}/references/implementation-guide.md)
| Issue | Solution |
|---|---|
| Exposed credentials | Rotate immediately, audit access |
| PII leak | Delete from Customer.io, notify DPO |
| Unauthorized access | Review access logs, revoke access |
After implementing security, proceed to customerio-prod-checklist for production readiness.
See security implementation details for output format specifications.
Basic usage: Apply customerio security basics to a standard project setup with default configuration options.
Advanced scenario: Customize customerio security basics for production environments with multiple constraints and team-specific requirements.