Trick or treat? Security tips for developers
It's October, and every marketer out there is chiming in about things being spooky. It's all in good fun, but that said, there are things worth being a little scared of, like ensuring you keep your clients, yourself, and your company safe.
It's Cyber Security Awareness Month in the United States. Let's talk about what that means for you as a developer. Everything from your workflow to your email inbox matters when it comes to keeping your app, HubSpot account, and websites secure. While we'll point out HubSpot specifics to help you out, the ideas here apply to all web platforms and the recommendations certainly expand beyond HubSpot itself.
Security Tips for developers
- Personal access keys, private app scopes, public app scopes: follow the principle of least privilege. Only include scopes for the features you're actually interacting with; you can always add scopes over time as your usage or functionality expands.
- Rotate your Private App keys. HubSpot will remind you to rotate your Private App keys after 180 days.
- Clean up old private apps you're not going to use again. Example: you did a one-time migration or import of data from another system and won't need to do that again.
- Never commit private app tokens or personal access keys to a git repository. Use the built-in secrets management capabilities in your git repository platform of choice.
- API keys included in JavaScript files and HTML should be considered public. There are services that work in this way and let you restrict usage by domain, but overall it's best not to ever include API keys in your front end. Use serverless functions to keep secrets secret.
- Carefully select and limit dependencies. It's not always possible to keep dependencies to a minimum, since dependencies often have their own dependencies, but by keeping to only what you really need you reduce your exposure to supply chain attacks.
- Subscribe to the HubSpot Developer Changelog. If HubSpot makes a security-related change to an API, you may need to make an update quickly.
- If you use externally hosted scripts on your site, use Subresource Integrity (SRI) to ensure the files have not been tampered with. Consider self-hosting a copy of the file, as the performance benefit of multiple sites sharing the same CDN resource is gone in 2024.
- Familiarize yourself with HubSpot's Security Program to understand what HubSpot does for you.
Never trust user/site visitor submitted data.
This applies primarily to apps and websites that have a front-end for folks to interact with.
- Implement a Content Security Policy to prevent XSS attacks by controlling which resources can be loaded and executed.
- Implement security headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection.
- Ensure you never expose sensitive information in HTML comments, in the console via console.log, or in error messages. The same applies to serverless functions.
- Use HubL filters to escape user-submitted content that you display in web pages, and sanitize HTML from rich text fields, HubDB, and other rich text sources if that data is, or may later be, supplied by site visitors. This mostly applies if you have serverless functions that update those data sources in response to submitted data.
- Do not directly print query parameters to your page. Instead, map them to predefined values you look for and print those.
- If a site visitor submits a link in a form, pause a moment and verify that the domain name is actually spelled correctly and points to a legitimate website you know of.
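The three "never trust submitted data" tips above, as an added example that is not code from the post: a predefined-values lookup for a query parameter, an HTML escaper for the cases where visitor text must be displayed, and a check for links submitted through a form. The plan names, messages and the known-host list are constructed values.

```javascript
// Added example, not code from the post: three checks for visitor-supplied
// data. The plan names, messages and the known-host list are constructed.

// 1. Do not print a query parameter. Look it up in a table of text you wrote,
//    using an own-property check so keys like "constructor" cannot reach
//    Object.prototype and return something unexpected.
const PLAN_MESSAGES = {
  starter: 'Thanks for trying Starter.',
  pro: 'Welcome to Pro.',
};
function bannerFor(query) {
  const key = query.plan;
  return Object.prototype.hasOwnProperty.call(PLAN_MESSAGES, key)
    ? PLAN_MESSAGES[key]
    : 'Welcome.'; // neutral default for anything not in the table
}

// 2. When visitor text must be shown, escape it for the HTML text/attribute
//    context first (the same job HubL's escape_html filter does in a template).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// 3. A link submitted through a form: parse it with the URL class instead of
//    string matching, require https, reject a user:password@ prefix (which
//    makes the real host easy to misread), and compare the exact hostname
//    against sites you actually know so misspelled lookalikes are rejected.
const KNOWN_HOSTS = new Set(['hubspot.com', 'www.hubspot.com']);
function checkSubmittedLink(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'not https' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (!KNOWN_HOSTS.has(url.hostname)) return { ok: false, reason: `unknown host ${url.hostname}` };
  return { ok: true, href: url.href };
}
```

The lookup in (1) is the pattern to reach for first; (2) is only for data that genuinely has to be displayed as the visitor typed it.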
Personal security
Remember your personal security habits are a factor in the security of the accounts and apps you work in and manage.
- Use multi-factor authentication on your user accounts. This includes your HubSpot account, but also your version control platform, your email account, and the other tools you use to manage your work. Remember you likely have more privileges than most users, making you a bigger target.
- Use a password manager. Password managers can help you create unique, lengthy, and complex passwords and store them so you don't need to remember them. Avoid reusing passwords. Consider using passkeys instead of, or in addition to, passwords on platforms that support them.
- Keep your development tools, your web browser, and your operating system up-to-date.
- Be selective in what browser extensions you install. Developer extensions often require full access to everything on the current page or on all pages. Limiting the extensions installed, or setting their permissions to apply only to specific pages or on click, can prevent leaks and malicious acts.
- Use a VPN on public networks (airports, coffee shops, etc).
- Ensure your computer and phone lock themselves after a period of inactivity.
- Truly know and respect the fact that no one is immune to phishing, even you. While general attempts to phish may be obvious, spear phishing or targeted attacks are becoming easier and easier for bad actors, even becoming as sophisticated as doing live deepfakes of executives. The more information a bad actor can find on you, your coworkers, and how your business operates, the more convincing they can be. Every skill on your LinkedIn profile, every certification, and your job experience information is public and can be used to identify what you work on and how best to target you.
Educate your team
Just like your personal security habits are a factor, you're likely one of multiple people working in an account.
- Encourage other team members to use multi-factor authentication.
- Encourage setting user roles based on the principle of least privilege. You can always give someone more privileges later as their work expands. Discourage setting folks to Super Admin just because it's a fast way to get someone permissions they need in the moment. We actually just launched a developer permissions set which can really speed things up.
- Educate the team about phishing and advocate for using tools that help to simulate phishing to help your team stay alert.
Lastly, if you ever discover any security issues in HubSpot software, report it to our bug bounty program so we can fix it and reward you. Thanks for reading, I hope after making some updates to follow some security best practices you'll be able to rest a little easier and leave the frights for the movies, corn mazes, and haunted houses. Learn more about HubSpot's Security Program.