
Juicebox Security Best Practices Guide

v20260423
juicebox-security-basics
This guide provides comprehensive security best practices for integrating with the Juicebox API. It covers the key areas: secure API key management (using a secrets manager), robust webhook signature verification, schema-based input validation, and data protection techniques such as redacting personally identifiable information (PII). Its aim is to keep the handling of sensitive people and contact data compliant with global privacy regulations such as GDPR and CCPA.
289 downloads

Juicebox Security Basics

Overview

Juicebox provides AI-powered people search and analysis, processing datasets containing professional profiles, contact enrichment data, and query results. Security concerns include API key protection, GDPR/CCPA compliance for candidate and contact data, data retention policy enforcement, and ensuring enriched contact information (emails, phone numbers) is not leaked through logs or unencrypted storage. A compromised API key grants access to people search and enrichment capabilities.

API Key Management

function createJuiceboxClient(): { apiKey: string; baseUrl: string } {
  // The key is read from the environment, which the secrets manager populates at
  // runtime; it is never hard-coded or committed to the repository.
  const apiKey = process.env.JUICEBOX_API_KEY;
  if (!apiKey) {
    throw new Error("Missing JUICEBOX_API_KEY — store in secrets manager, never in code");
  }
  // Juicebox keys access people data — treat as PII-adjacent. Log only a short
  // suffix so operators can tell keys apart; never log the full key.
  console.log(`Juicebox client initialized (key suffix: ${apiKey.slice(-4)})`);
  return { apiKey, baseUrl: "https://api.juicebox.ai/v1" };
}

Webhook Signature Verification

import { createHmac, timingSafeEqual } from "node:crypto";
import { Request, Response, NextFunction } from "express";

// Mount behind express.raw({ type: "application/json" }) so req.body is the exact bytes
// Juicebox signed; a JSON-parsed, re-serialized body will not match. Header name and
// HMAC-SHA256 hex scheme are as stated in this guide; confirm against the vendor's docs.
function verifyJuiceboxWebhook(req: Request, res: Response, next: NextFunction): void {
  const header = req.headers["x-juicebox-signature"];
  const signature = Array.isArray(header) ? header[0] : header;
  const secret = process.env.JUICEBOX_WEBHOOK_SECRET;
  if (!secret) throw new Error("Missing JUICEBOX_WEBHOOK_SECRET");
  // Fail closed if the signature is absent or the raw body is unavailable.
  if (!signature || !Buffer.isBuffer(req.body)) {
    res.status(401).send("Invalid signature");
    return;
  }
  const expected = createHmac("sha256", secret).update(req.body).digest("hex");
  const given = Buffer.from(signature, "utf8");
  const want = Buffer.from(expected, "utf8");
  // timingSafeEqual throws on length mismatch, so check length (not secret) first.
  if (given.length !== want.length || !timingSafeEqual(given, want)) {
    res.status(401).send("Invalid signature");
    return;
  }
  next();
}
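The middleware above depends on two points that are easy to get wrong: the HMAC must be computed over the raw request bytes, and the comparison must be constant-time. The following added example (it is not part of the original guide or of Juicebox's own code) shows both sides of the exchange as framework-independent functions and demonstrates why a JSON body that has been parsed and re-serialized no longer verifies. The HMAC-SHA256 hex scheme is the one this guide assumes; the secret and payload are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Sender side: how a Juicebox-style webhook would be signed under the scheme this
// guide assumes (HMAC-SHA256 over the raw body, hex-encoded). Assumption, not a
// vendor specification.
function signWebhookBody(secret: string, rawBody: Buffer): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Receiver side, framework-independent. Returns false rather than throwing on any
// malformed input so a bad header cannot crash the handler.
function verifyWebhookBody(secret: string, rawBody: Buffer, signatureHeader: string | undefined): boolean {
  if (!signatureHeader || !/^[0-9a-f]{64}$/.test(signatureHeader)) return false;
  const expected = Buffer.from(signWebhookBody(secret, rawBody), "utf8");
  const given = Buffer.from(signatureHeader, "utf8");
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Constructed sample: the secret and payload are made up for this example.
const SAMPLE_SECRET = "whsec_example_do_not_use";
const SAMPLE_RAW_BODY = Buffer.from('{"event":"search.completed","search_id":"s_123","result_count":3 }', "utf8");

// Demonstrates the raw-body pitfall: parsing the JSON and re-serializing it
// produces different bytes (here the space before "}" disappears), so a
// signature computed over the raw bytes no longer matches. A tampered body
// fails for the same reason.
function demonstrateRawBodyPitfall(): { rawMatches: boolean; reserializedMatches: boolean; tamperedMatches: boolean } {
  const sig = signWebhookBody(SAMPLE_SECRET, SAMPLE_RAW_BODY);
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_RAW_BODY.toString("utf8"))), "utf8");
  const tampered = Buffer.from(SAMPLE_RAW_BODY.toString("utf8").replace('"result_count":3', '"result_count":4'), "utf8");
  return {
    rawMatches: verifyWebhookBody(SAMPLE_SECRET, SAMPLE_RAW_BODY, sig),
    reserializedMatches: verifyWebhookBody(SAMPLE_SECRET, reserialized, sig),
    tamperedMatches: verifyWebhookBody(SAMPLE_SECRET, tampered, sig),
  };
}

console.log(demonstrateRawBodyPitfall()); // { rawMatches: true, reserializedMatches: false, tamperedMatches: false }
```

The practical consequence is that the raw-body parser must run before any JSON parser on the webhook route, and the verified bytes should be what the handler then parses, so the application never acts on data that was not covered by the signature.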

Input Validation

import { z } from "zod";

// .strict() rejects unknown keys so callers cannot smuggle in parameters the
// schema does not know about; filter strings get upper bounds like the query.
const PeopleSearchSchema = z.object({
  query: z.string().min(1).max(500),
  filters: z.object({
    location: z.string().max(200).optional(),
    company: z.string().max(200).optional(),
    title: z.string().max(200).optional(),
    industry: z.string().max(200).optional(),
  }).strict().optional(),
  max_results: z.number().int().min(1).max(100).default(25),
  enrich_contacts: z.boolean().default(false),
}).strict();

type PeopleSearchQuery = z.infer<typeof PeopleSearchSchema>;

// Throws a ZodError on invalid input; catch it at the request boundary and
// return 400 without echoing the raw input into logs.
function validateSearchQuery(data: unknown): PeopleSearchQuery {
  return PeopleSearchSchema.parse(data);
}

Data Protection

const JUICEBOX_PII_FIELDS = new Set(["personal_email", "phone_number", "social_profiles", "home_address", "enrichment_data"]);

// Recurses into nested objects and arrays so PII inside sub-records is redacted
// too, not only top-level keys. Returns a copy; the input record is not mutated.
function redactValue(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactValue);
  if (value === null || typeof value !== "object") return value;
  const out: Record<string, unknown> = {};
  for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
    out[key] = JUICEBOX_PII_FIELDS.has(key) ? "[REDACTED]" : redactValue(child);
  }
  return out;
}

function redactJuiceboxLog(record: Record<string, unknown>): Record<string, unknown> {
  return redactValue(record) as Record<string, unknown>;
}

Security Checklist

  • API keys stored in secrets manager, separate keys per environment
  • Enriched contact data encrypted at rest
  • GDPR consent documented for EU candidate data
  • CCPA opt-out mechanism implemented for California residents
  • Data retention policy enforced (auto-delete after defined period)
  • Contact enrichment results never logged in plaintext
  • Search queries redacted in application logs
  • Pre-commit hook blocks jb_live_* credential patterns
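The last checklist item asks for a pre-commit hook that blocks jb_live_* credentials. The following added example (not part of the original guide or of any Juicebox tooling) is a minimal scanner for that pattern: it reports file and line for each hit, masks the key in its own output so the hook does not leak what it found, and exits non-zero when run against staged files. The jb_live_ prefix comes from the checklist; the assumed minimum length of 24 characters after the prefix, the sample staged file, and the hook invocation are assumptions for the example.

```typescript
import { execSync } from "node:child_process";
import { readFileSync } from "node:fs";

// Assumed key format: "jb_live_" followed by 24 or more URL-safe characters. The
// prefix comes from this guide's checklist; the length is an assumption for the
// example, so adjust it to match real keys before relying on it.
const JUICEBOX_LIVE_KEY = /\bjb_live_[A-Za-z0-9_-]{24,}\b/g;

interface Finding { file: string; line: number; masked: string }

// Masks everything after the prefix except the last four characters so the hook's
// own output does not leak the key it just found.
function maskKey(key: string): string {
  return `jb_live_${"*".repeat(key.length - 12)}${key.slice(-4)}`;
}

function scanForJuiceboxKeys(file: string, content: string): Finding[] {
  const findings: Finding[] = [];
  content.split("\n").forEach((text, idx) => {
    const matches = text.match(JUICEBOX_LIVE_KEY) ?? [];
    for (const m of matches) {
      findings.push({ file, line: idx + 1, masked: maskKey(m) });
    }
  });
  return findings;
}

// Constructed sample of a staged file; a real run reads the staged files from git.
const SAMPLE_STAGED_FILE = [
  "const client = createJuiceboxClient();",
  'const apiKey = "jb_live_0123456789abcdefghijklmnopqrstuv"; // leaked key',
  "const fromEnv = process.env.JUICEBOX_API_KEY; // fine",
  "const test = 'jb_test_000000000000000000000000'; // different prefix, not flagged",
].join("\n");

// Pre-commit entry point: scan every staged file and exit non-zero on any hit.
function runAsHook(): number {
  const staged = execSync("git diff --cached --name-only --diff-filter=ACM", { encoding: "utf8" })
    .split("\n")
    .filter(Boolean);
  const findings: Finding[] = [];
  for (const f of staged) findings.push(...scanForJuiceboxKeys(f, readFileSync(f, "utf8")));
  for (const f of findings) console.error(`blocked: ${f.file}:${f.line} contains ${f.masked}`);
  return findings.length === 0 ? 0 : 1;
}

if (process.argv.includes("--staged")) process.exit(runAsHook());
```

Wired into `.git/hooks/pre-commit` as, for example, `npx tsx scripts/scan-juicebox-keys.ts --staged` (path and runner are assumptions), the hook refuses the commit on the first hit. Running the file without `--staged` only defines the functions and scans nothing, which is what the test harness does with the constructed sample.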

Error Handling

Vulnerability                 Risk                                          Mitigation
Leaked API key                Unauthorized people search and enrichment     Secrets manager + key rotation
Contact data in logs          PII exposure violating GDPR/CCPA              Field-level redaction pipeline
Missing data retention        Stale candidate data accumulates              Automated retention enforcement
Enrichment without consent    Privacy regulation violation                  Consent gate before enrichment calls
Unencrypted contact storage   Bulk PII breach from database leak            Encryption at rest + access controls
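The checklist item "Enriched contact data encrypted at rest" and the last row of the table above both call for field-level encryption of contact data, but neither shows what that looks like. The following added example (not part of the original guide or of Juicebox's code) encrypts the contact fields of a record with AES-256-GCM from Node's crypto module, using a fresh IV per value and binding each ciphertext to its record id and field name as additional authenticated data, so a ciphertext moved to another row or column fails authentication. The field list, the "v1:" wire-format prefix, the sample record and the randomly generated key are assumptions for the example; in production the key comes from a KMS or secrets manager.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Contact fields to protect at rest; assumed subset of the PII fields this guide redacts.
const ENCRYPTED_CONTACT_FIELDS = ["personal_email", "phone_number", "home_address"] as const;

// Wire format for one encrypted field: "v1:" + base64(12-byte IV || 16-byte GCM tag || ciphertext).
// The version prefix is an assumption that allows key or algorithm rotation later.
function encryptField(key: Buffer, plaintext: string, aad: string): string {
  const iv = randomBytes(12); // fresh IV per encryption; never reuse one with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return `v1:${Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64")}`;
}

// Throws if the tag does not verify, i.e. on a wrong key, tampered bytes or mismatched AAD.
function decryptField(key: Buffer, token: string, aad: string): string {
  if (!token.startsWith("v1:")) throw new Error("unknown ciphertext version");
  const blob = Buffer.from(token.slice(3), "base64");
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  decipher.setAAD(Buffer.from(aad, "utf8"));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString("utf8");
}

type ContactRecord = Record<string, unknown> & { id: string };

// AAD of "<record id>:<field>" ties each ciphertext to its position in the table.
function encryptContactRecord(key: Buffer, record: ContactRecord): ContactRecord {
  const out: ContactRecord = { ...record };
  for (const field of ENCRYPTED_CONTACT_FIELDS) {
    const v = record[field];
    if (typeof v === "string") out[field] = encryptField(key, v, `${record.id}:${field}`);
  }
  return out;
}

function decryptContactRecord(key: Buffer, record: ContactRecord): ContactRecord {
  const out: ContactRecord = { ...record };
  for (const field of ENCRYPTED_CONTACT_FIELDS) {
    const v = record[field];
    if (typeof v === "string") out[field] = decryptField(key, v, `${record.id}:${field}`);
  }
  return out;
}

// Constructed sample. The key is generated here only so the example runs offline;
// in production it comes from a KMS or secrets manager, never from source.
const SAMPLE_KEY = randomBytes(32);
const SAMPLE_CONTACT: ContactRecord = {
  id: "c_001",
  full_name: "Example Person",
  personal_email: "example@example.com",
  phone_number: "+1-555-0100",
};

// Encrypts, decrypts, and then checks that copying the email ciphertext into the
// phone column is rejected because the AAD no longer matches.
function roundTrip(): { stored: ContactRecord; recovered: ContactRecord; swapDetected: boolean } {
  const stored = encryptContactRecord(SAMPLE_KEY, SAMPLE_CONTACT);
  const recovered = decryptContactRecord(SAMPLE_KEY, stored);
  let swapDetected = false;
  try {
    decryptField(SAMPLE_KEY, stored.personal_email as string, `${stored.id}:phone_number`);
  } catch (err) {
    swapDetected = err instanceof Error;
  }
  return { stored, recovered, swapDetected };
}
```

Non-PII fields such as the name stay queryable in plaintext, while the encrypted columns can only be read by code that holds the key, which is the access-control boundary the table's last row refers to. Key rotation is a matter of decrypting with the old key and re-encrypting under a new "v2:" prefix, which is why the format carries a version.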

Resources

Next Steps

See juicebox-prod-checklist.

Information
Category: Programming Development
Name: juicebox-security-basics
Version: v20260423
Size: 4.04KB
Updated: 2026-04-28
Language: