exa-security-basics

# Exa Security Basics ## Overview Security best practices for Exa API integrations. Exa authenticates via the `x-api-key` header. Key security concerns include API key protection, content moderation for search results, domain filtering to prevent exposure to malicious sources, and query sanitization. ## Prerequisites - Exa API key from dashboard.exa.ai - Understanding of environment variable management - `.gitignore` configured for secrets ## Instructions ### Step 1: API Key Management ```bash # .env (NEVER commit to git) EXA_API_KEY=your-api-key-here # .gitignore — add these entries .env .env.local .env.*.local ``` ```typescript // Validate API key exists before creating client import Exa from "exa-js"; function createSecureClient(): Exa { const apiKey = process.env.EXA_API_KEY; if (!apiKey) { throw new Error("EXA_API_KEY not configured"); } if (apiKey.startsWith("sk_") && apiKey.length < 20) { throw new Error("EXA_API_KEY appears malformed"); } return new Exa(apiKey); } ``` ### Step 2: Enable Content Moderation ```typescript const exa = new Exa(process.env.EXA_API_KEY); // Exa supports content moderation to filter unsafe results const results = await exa.searchAndContents( "user-provided search query", { numResults: 10, text: true, moderation: true, // filter unsafe content from results } ); ``` ### Step 3: Domain Filtering for Safety ```typescript // Restrict results to trusted domains for sensitive use cases const TRUSTED_D...