evernote-security-basics

# Evernote Security Basics ## Overview Security best practices for Evernote API integrations, covering credential management, OAuth hardening, token storage, data protection, and secure logging patterns. ## Prerequisites - Evernote SDK setup - Understanding of OAuth 1.0a - Basic cryptography concepts (AES encryption, hashing) ## Instructions ### Step 1: Credential Management Store `consumerKey`, `consumerSecret`, and access tokens in environment variables or a secrets manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault). Never commit credentials to source control. Add `.env` to `.gitignore`. ```javascript // Load from environment, fail fast if missing const requiredVars = ['EVERNOTE_CONSUMER_KEY', 'EVERNOTE_CONSUMER_SECRET']; for (const v of requiredVars) { if (!process.env[v]) throw new Error(`Missing required env var: ${v}`); } ``` ### Step 2: Secure OAuth Flow Add CSRF protection with a state parameter stored in the session. Validate the callback URL matches your registered domain. Use HTTPS-only for all OAuth endpoints. Set secure cookie flags for session tokens. ```javascript // Generate CSRF token for OAuth state const csrfToken = crypto.randomBytes(32).toString('hex'); req.session.oauthCsrf = csrfToken; // Verify on callback if (req.query.state !== req.session.oauthCsrf) { return res.status(403).send('CSRF validation failed'); } ``` ### Step 3: Encrypted Token Storage Encrypt access tokens at rest using AES-256-GCM before storing in your d...