fondo-security-basics

Apply security best practices for Fondo including OAuth token management, financial data protection, SOC 2 compliance, and access control. Trigger: "fondo security", "fondo data protection", "fondo SOC 2", "fondo access control".

AI & Automation 2,266 stars 315 forks Updated today MIT

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Fondo Security Basics

## Overview

Fondo handles startup tax preparation, bookkeeping, and R&D tax credits containing SSNs, EINs, bank account details, revenue figures, and complete tax returns. A breach exposes founder personal tax data, company financials, and IRS filing details. Protect OAuth connections to banking/payroll systems, exported financial documents, and team access controls with the same rigor as a CPA firm.

## API Key Management

```typescript
function createFondoClient(): { apiKey: string; baseUrl: string } {
  const apiKey = process.env.FONDO_API_KEY;
  if (!apiKey) {
    throw new Error("Missing FONDO_API_KEY — store in secrets manager, never in code");
  }
  // Fondo keys access tax returns and SSN/EIN data — treat as highest sensitivity
  console.log("Fondo client initialized (key suffix:", apiKey.slice(-4), ")");
  return { apiKey, baseUrl: "https://api.fondo.com/v1" };
}
```

## Webhook Signature Verification

```typescript
import crypto from "crypto";
import { Request, Response, NextFunction } from "express";

function verifyFondoWebhook(req: Request, res: Response, next: NextFunction): void {
  const signature = req.headers["x-fondo-signature"] as string;
  const secret = process.env.FONDO_WEBHOOK_SECRET!;
  // req.body must be the raw request bytes (Buffer or string), not a parsed object
  const expected = crypto.createHmac("sha256", secret).update(req.body).digest("hex");
  const expectedBuf = Buffer.from(expected);
  const receivedBuf = Buffer.from(signature || "");
  // timingSafeEqual throws on a length mismatch, so compare lengths first
  if (!signature || receivedBuf.length !== expectedBuf.length || !crypto.timingSafeEqual(receivedBuf, expectedBuf)) {
    res.status(401).send("Invalid signature");
    return;
  }
  ne...
```
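The following is an added example, not code from the skill or from Fondo: a framework-independent version of the hex HMAC-SHA256 check used in the webhook snippet above, exercised against the failure cases that matter (missing header, wrong-length signature, tampered body, and a body re-serialised from parsed JSON). The helper names, the secret and the payload are constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Hypothetical helper (not part of any Fondo SDK): verifies a hex HMAC-SHA256
// signature over the exact bytes received on the wire.
function verifyWebhookSignature(
  rawBody: Buffer,
  signatureHeader: string | undefined,
  secret: string
): boolean {
  if (!secret) throw new Error("webhook secret is not configured");
  // Accept only 64 hex characters; anything else is rejected before decoding.
  if (!signatureHeader || !/^[0-9a-f]{64}$/i.test(signatureHeader)) return false;
  const received = Buffer.from(signatureHeader, "hex");
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  // timingSafeEqual throws a RangeError on unequal lengths, so check first.
  return received.length === expected.length && timingSafeEqual(received, expected);
}

// Constructed sample values (not real Fondo data).
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_BODY = Buffer.from('{"event":"example", "id":42}');

// Sender side of the scheme, used here only to build a valid signature.
function sign(body: Buffer, secret: string): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

function demo(): Record<string, boolean> {
  const good = sign(SAMPLE_BODY, SAMPLE_SECRET);
  // Parsing and re-serialising JSON drops whitespace, so the bytes (and the MAC) change.
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString())));
  const tampered = Buffer.from('{"event":"example", "id":43}');
  return {
    valid: verifyWebhookSignature(SAMPLE_BODY, good, SAMPLE_SECRET),
    missingHeader: verifyWebhookSignature(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncated: verifyWebhookSignature(SAMPLE_BODY, good.slice(0, 10), SAMPLE_SECRET),
    tamperedBody: verifyWebhookSignature(tampered, good, SAMPLE_SECRET),
    reserialisedBody: verifyWebhookSignature(reserialised, good, SAMPLE_SECRET),
    wrongSecret: verifyWebhookSignature(SAMPLE_BODY, good, "other-secret"),
  };
}

console.log(demo());
```

In an Express handler this means capturing the raw request body for the webhook route and passing that Buffer to the check, rather than a body that a JSON parser has already decoded.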

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT
