From hex-pack
Apply Hex security best practices for secrets and access control. Use when securing API keys, implementing least privilege access, or auditing Hex security configuration. Trigger with phrases like "hex security", "hex secrets", "secure hex", "hex API key security".
npx claudepluginhub flight505/skill-forge --plugin hex-packThis skill is limited to using the following tools:
Hex is a collaborative data analytics platform where notebooks query production databases, generate visualizations, and share results across teams. Security concerns center on API token management (read vs run scopes), protecting database connection credentials embedded in Hex projects, and ensuring query results containing sensitive business data are not leaked through logs or exports. A compr...
Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.
Guides building MCP servers enabling LLMs to interact with external services via tools. Covers best practices, TypeScript/Node (MCP SDK), Python (FastMCP).
Share bugs, ideas, or general feedback.
Hex is a collaborative data analytics platform where notebooks query production databases, generate visualizations, and share results across teams. Security concerns center on API token management (read vs run scopes), protecting database connection credentials embedded in Hex projects, and ensuring query results containing sensitive business data are not leaked through logs or exports. A compromised run-scope token can trigger arbitrary queries against connected databases.
function createHexClient(scope: "read" | "run"): { token: string; baseUrl: string } {
const envVar = scope === "run" ? "HEX_RUN_TOKEN" : "HEX_READ_TOKEN";
const token = process.env[envVar];
if (!token) {
throw new Error(`Missing ${envVar} — store in secrets manager, never in code`);
}
// Run tokens can trigger queries — use read tokens for monitoring
console.log(`Hex client initialized with ${scope} scope (token suffix: ${token.slice(-4)})`);
return { token, baseUrl: "https://app.hex.tech/api/v1" };
}
import crypto from "crypto";
import { Request, Response, NextFunction } from "express";
function verifyHexWebhook(req: Request, res: Response, next: NextFunction): void {
const signature = req.headers["x-hex-signature"] as string;
const secret = process.env.HEX_WEBHOOK_SECRET!;
const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
res.status(401).send("Invalid signature");
return;
}
next();
}
import { z } from "zod";
const HexRunRequestSchema = z.object({
project_id: z.string().uuid(),
input_params: z.record(z.string(), z.unknown()).optional(),
notify_on_completion: z.boolean().default(false),
update_cache: z.boolean().default(false),
});
function validateHexRunRequest(data: unknown) {
return HexRunRequestSchema.parse(data);
}
const HEX_SENSITIVE_FIELDS = ["db_connection_string", "query_results", "api_token", "input_params", "export_url"];
function redactHexLog(record: Record<string, unknown>): Record<string, unknown> {
const redacted = { ...record };
for (const field of HEX_SENSITIVE_FIELDS) {
if (field in redacted) redacted[field] = "[REDACTED]";
}
return redacted;
}
hex_token_* patterns| Vulnerability | Risk | Mitigation |
|---|---|---|
| Leaked run-scope token | Arbitrary queries against production databases | Secrets vault + least-privilege scoping |
| Database credentials in notebooks | Connection strings exposed to all collaborators | Hex workspace-managed connections |
| Query results in logs | Sensitive business data leaked | Field-level redaction pipeline |
| Overly broad notebook sharing | Confidential analytics visible to wrong teams | Per-notebook permission scoping |
| No token expiration | Indefinite access from compromised token | 90-day expiration policy |
See hex-prod-checklist.