From brightdata-pack
Apply Bright Data security best practices for secrets and access control. Use when securing API keys, implementing least privilege access, or auditing Bright Data security configuration. Trigger with phrases like "brightdata security", "brightdata secrets", "secure brightdata", "brightdata API key security".
How this skill is triggered — by the user, by Claude, or both
Slash command
/brightdata-pack:brightdata-security-basicsThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Security best practices for Bright Data zone credentials, API tokens, and webhook delivery. Bright Data credentials include Customer ID, zone passwords, and API tokens — all must be protected.
Security best practices for Bright Data zone credentials, API tokens, and webhook delivery. Bright Data credentials include Customer ID, zone passwords, and API tokens — all must be protected.
| Credential | Scope | Rotation | Storage |
|---|---|---|---|
| Customer ID | Account-wide | Never changes | Can be in config |
| Zone Password | Per-zone | Rotate quarterly | Secrets vault only |
| API Token | Account-wide | Rotate quarterly | Secrets vault only |
SSL Cert (brd-ca.crt) | Public | Auto-renewed | Can be in repo |
# .env (NEVER commit)
BRIGHTDATA_CUSTOMER_ID=c_abc123
BRIGHTDATA_ZONE=web_unlocker1
BRIGHTDATA_ZONE_PASSWORD=z_pass_xyz
BRIGHTDATA_API_TOKEN=abc123def456
# .gitignore
.env
.env.local
.env.*.local
# .env.example (safe to commit — no real values)
BRIGHTDATA_CUSTOMER_ID=
BRIGHTDATA_ZONE=
BRIGHTDATA_ZONE_PASSWORD=
BRIGHTDATA_API_TOKEN=
Create separate zones per environment so staging credentials cannot access production proxy bandwidth:
// config/brightdata.ts
const ZONE_MAP = {
development: 'web_unlocker_dev',
staging: 'web_unlocker_staging',
production: 'web_unlocker_prod',
} as const;
export function getZone(): string {
const env = process.env.NODE_ENV || 'development';
return process.env.BRIGHTDATA_ZONE || ZONE_MAP[env] || ZONE_MAP.development;
}
# 1. Create new API token in Bright Data CP > Settings > API tokens
# 2. Update secrets in your deployment platform
# Vercel
vercel env rm BRIGHTDATA_API_TOKEN production
vercel env add BRIGHTDATA_API_TOKEN production
# AWS
aws secretsmanager update-secret --secret-id brightdata/api-token --secret-string "new_token"
# 3. Test new credentials
curl -H "Authorization: Bearer ${NEW_TOKEN}" \
https://api.brightdata.com/zone/get_active_zones
# 4. Revoke old token in Bright Data CP
# Pre-commit hook to catch leaked credentials
# .git/hooks/pre-commit
#!/bin/bash
if git diff --cached | grep -iE '(BRIGHTDATA_ZONE_PASSWORD|BRIGHTDATA_API_TOKEN)=.{5,}'; then
echo "ERROR: Bright Data credentials detected in staged changes"
exit 1
fi
When using webhook delivery for Web Scraper API results:
// Validate webhook came from Bright Data
function validateWebhookSource(req: Request): boolean {
// Bright Data sends from known IPs — check docs for current list
// Also validate the Authorization header you configured
const authHeader = req.headers.get('Authorization');
return authHeader === `Bearer ${process.env.BRIGHTDATA_WEBHOOK_SECRET}`;
}
.env files in .gitignorebrd-ca.crt downloaded (public cert, safe in repo)| Issue | Detection | Mitigation |
|---|---|---|
| Leaked zone password | Git scanning, log monitoring | Rotate immediately in CP |
| Leaked API token | Secret scanning | Revoke in CP, create new token |
| Unauthorized zone usage | Billing alerts | Check zone activity logs |
| Proxy abuse | Unusual bandwidth spikes | Review zone usage in CP |
For production deployment, see brightdata-prod-checklist.
2plugins reuse this skill
First indexed Jul 18, 2026
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin brightdata-packInstalls and configures Bright Data proxy credentials, SSL certificates, and API tokens for web scraping. Useful for setting up authentication with Node.js or Python.
Generates working proxy code for Bright Data's datacenter, ISP, residential, and mobile networks. Handles URL format, targeting, SSL setup, and Python/Node/browser framework integration.
Guides reception of code review feedback: verify before implementing, avoid performative agreement, push back with technical reasoning when needed.