From brightdata-pack
Secures Bright Data credentials with env vars, zone isolation per env, quarterly rotation via AWS/Vercel, and git secret scanning. For API key protection and least privilege.
```bash
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin brightdata-pack
```
Security best practices for Bright Data zone credentials, API tokens, and webhook delivery. Bright Data credentials include Customer ID, zone passwords, and API tokens — all must be protected.
| Credential | Scope | Rotation | Storage |
|---|---|---|---|
| Customer ID | Account-wide | Never changes | Can be in config |
| Zone Password | Per-zone | Rotate quarterly | Secrets vault only |
| API Token | Account-wide | Rotate quarterly | Secrets vault only |
| SSL Cert (`brd-ca.crt`) | Public | Auto-renewed | Can be in repo |

```bash
# .env (NEVER commit)
BRIGHTDATA_CUSTOMER_ID=c_abc123
BRIGHTDATA_ZONE=web_unlocker1
BRIGHTDATA_ZONE_PASSWORD=z_pass_xyz
BRIGHTDATA_API_TOKEN=abc123def456
```

```bash
# .gitignore
.env
.env.local
.env.*.local
```

```bash
# .env.example (safe to commit — no real values)
BRIGHTDATA_CUSTOMER_ID=
BRIGHTDATA_ZONE=
BRIGHTDATA_ZONE_PASSWORD=
BRIGHTDATA_API_TOKEN=
```

Create separate zones per environment so staging credentials cannot access production proxy bandwidth:
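
```typescript
// config/brightdata.ts
const ZONE_MAP = {
  development: 'web_unlocker_dev',
  staging: 'web_unlocker_staging',
  production: 'web_unlocker_prod',
} as const;

export function getZone(): string {
  // NODE_ENV is an arbitrary string, so narrow it before indexing ZONE_MAP
  const env = (process.env.NODE_ENV || 'development') as keyof typeof ZONE_MAP;
  // An explicit BRIGHTDATA_ZONE takes precedence over the per-environment default
  return process.env.BRIGHTDATA_ZONE || ZONE_MAP[env] || ZONE_MAP.development;
}
```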
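
`getZone()` accepts any `BRIGHTDATA_ZONE` value, so a staging deployment whose variable names the production zone still resolves to production. The following is an added example, not code from brightdata-pack: a fail-closed variant that rejects a zone belonging to another environment. The name `resolveZone` and the rule that production accepts only its mapped zone are assumptions.

```typescript
// Added example, not brightdata-pack code. Zone names come from the page's ZONE_MAP.
const ZONE_MAP = {
  development: 'web_unlocker_dev',
  staging: 'web_unlocker_staging',
  production: 'web_unlocker_prod',
} as const;

type Env = keyof typeof ZONE_MAP;

function isEnv(value: string): value is Env {
  return Object.prototype.hasOwnProperty.call(ZONE_MAP, value);
}

// Hypothetical helper: env is passed in (normally process.env) so it can be tested.
function resolveZone(env: Record<string, string | undefined>): string {
  const nodeEnv = env.NODE_ENV || 'development';
  if (!isEnv(nodeEnv)) {
    // An unrecognised NODE_ENV must not silently fall back to some zone.
    throw new Error(`Unknown NODE_ENV "${nodeEnv}": no Bright Data zone mapped`);
  }
  const override = env.BRIGHTDATA_ZONE;
  if (!override) return ZONE_MAP[nodeEnv];

  // Find which environment, if any, owns the overriding zone name.
  let owner: Env | undefined;
  for (const candidate of Object.keys(ZONE_MAP) as Env[]) {
    if (ZONE_MAP[candidate] === override) owner = candidate;
  }
  if (owner !== undefined && owner !== nodeEnv) {
    throw new Error(`BRIGHTDATA_ZONE="${override}" belongs to ${owner}, not ${nodeEnv}`);
  }
  if (nodeEnv === 'production' && owner === undefined) {
    // Assumed policy: production uses only its mapped zone, never an ad-hoc one.
    throw new Error(`BRIGHTDATA_ZONE="${override}" is not the production zone`);
  }
  return override;
}
```

Call it once at startup with `process.env` so a misconfigured deployment stops before any proxy request is sent.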

```bash
# 1. Create new API token in Bright Data CP > Settings > API tokens

# 2. Update secrets in your deployment platform
# Vercel
vercel env rm BRIGHTDATA_API_TOKEN production
vercel env add BRIGHTDATA_API_TOKEN production
# AWS
aws secretsmanager update-secret --secret-id brightdata/api-token --secret-string "new_token"

# 3. Test new credentials
curl -H "Authorization: Bearer ${NEW_TOKEN}" \
  https://api.brightdata.com/zone/get_active_zones

# 4. Revoke old token in Bright Data CP
```

```bash
#!/bin/bash
# .git/hooks/pre-commit
# Pre-commit hook to catch leaked credentials
if git diff --cached | grep -iE '(BRIGHTDATA_ZONE_PASSWORD|BRIGHTDATA_API_TOKEN)=.{5,}'; then
  echo "ERROR: Bright Data credentials detected in staged changes"
  exit 1
fi
```

When using webhook delivery for Web Scraper API results:
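
```typescript
import { timingSafeEqual } from 'node:crypto';

// Validate webhook came from Bright Data
function validateWebhookSource(req: Request): boolean {
  // Bright Data sends from known IPs — check docs for current list
  // Also validate the Authorization header you configured
  const secret = process.env.BRIGHTDATA_WEBHOOK_SECRET;
  if (!secret) return false; // fail closed: never compare against "Bearer undefined"
  const received = Buffer.from(req.headers.get('Authorization') ?? '');
  const expected = Buffer.from(`Bearer ${secret}`);
  // Constant-time comparison; timingSafeEqual requires equal-length buffers
  return received.length === expected.length && timingSafeEqual(received, expected);
}
```
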
- `.env` files in `.gitignore`
- `brd-ca.crt` downloaded (public cert, safe in repo)

| Issue | Detection | Mitigation |
|---|---|---|
| Leaked zone password | Git scanning, log monitoring | Rotate immediately in CP |
| Leaked API token | Secret scanning | Revoke in CP, create new token |
| Unauthorized zone usage | Billing alerts | Check zone activity logs |
| Proxy abuse | Unusual bandwidth spikes | Review zone usage in CP |
For production deployment, see brightdata-prod-checklist.