clade-security-basics

# Anthropic Security Basics ## Overview Securing a Claude integration means protecting your API key, validating inputs, defending against prompt injection, and handling user data responsibly. ## API Key Security ## Instructions ### Step 1: Never Expose Keys Client-Side ```typescript // BAD — key in browser JavaScript const client = new Anthropic({ apiKey: 'sk-ant-...' }); // EXPOSED TO USERS // GOOD — key only on server // api/chat.ts (server-side only) const client = new Anthropic(); // reads from env ``` ### Step 2: Environment Variables ```bash # .env (local dev — never commit) ANTHROPIC_API_KEY=sk-ant-api03-... # .gitignore .env .env.local .env.production ``` ### Step 3: Rotate Keys Regularly - Console → Settings → API Keys → Create New Key - Update all deployments with new key - Delete old key only after all deployments are updated ## Input Validation ```typescript // Validate user input before sending to Claude function validateInput(userMessage: string): string { // Limit length to prevent cost attacks if (userMessage.length > 10_000) { throw new Error('Message too long (max 10,000 characters)'); } // Strip potential PII if not needed // const sanitized = redactEmails(redactPhones(userMessage)); return userMessage; } ``` ## Prompt Injection Defense ```typescript const message = await client.messages.create({ model: 'claude-sonnet-4-20250514', max_tokens: 1024, system: `You are a customer support bot for Acme Corp. IMPORTANT: Only answe...