home / skills / jeremylongshore / claude-code-plugins-plus-skills / windsurf-security-basics

windsurf-security-basics skill

safe

/plugins/saas-packs/windsurf-pack/skills/windsurf-security-basics

This skill helps you enforce Windsurf security by managing API keys, rotation, least privilege, and audit logging across environments.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill windsurf-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)

SKILL.md

3.4 KB

---
name: windsurf-security-basics
description: |
  Apply Windsurf security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing Windsurf security configuration.
  Trigger with phrases like "windsurf security", "windsurf secrets",
  "secure windsurf", "windsurf API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Windsurf Security Basics

## Overview
Security best practices for Windsurf API keys, tokens, and access control.

## Prerequisites
- Windsurf SDK installed
- Understanding of environment variables
- Access to Windsurf dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
WINDSURF_API_KEY=sk_live_***
WINDSURF_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in Windsurf dashboard
# 2. Update environment variable
export WINDSURF_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${WINDSURF_API_KEY}" \
  https://api.windsurf.com/health

# 4. Revoke old key in dashboard
```

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | `Only required scopes` |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |

## Examples

### Service Account Pattern
```typescript
const clients = {
  reader: new WindsurfClient({
    apiKey: process.env.WINDSURF_READ_KEY,
  }),
  writer: new WindsurfClient({
    apiKey: process.env.WINDSURF_WRITE_KEY,
  }),
};
```

### Webhook Signature Verification
```typescript
import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}
```

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to Windsurf analytics
  await windsurfClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'windsurf.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```

## Resources
- [Windsurf Security Guide](https://docs.windsurf.com/security)
- [Windsurf API Scopes](https://docs.windsurf.com/scopes)

## Next Steps
For production deployment, see `windsurf-prod-checklist`.

Overview

This skill packages Windsurf security best practices for managing API keys, tokens, and access control. It focuses on safe secret storage, rotation, least-privilege configurations, and audit logging to reduce risk. Use it to harden Windsurf integrations across development, staging, and production environments.

How this skill works

The skill inspects common secret handling and access patterns and provides concrete steps: store keys in environment variables, ignore .env files from source control, rotate keys regularly, and apply minimal scopes per environment. It also includes guidance for service-account patterns, webhook signature verification, and audit logging to detect and remediate issues.

When to use it

Securing Windsurf API keys or tokens before deploying code.
Auditing existing Windsurf configuration for exposed secrets or excessive scopes.
Implementing least-privilege access across dev, staging, and prod.
Setting up or validating webhook signature verification.
Designing audit logging for Windsurf API activity and compliance checks.

Best practices

Never commit .env files or secrets to version control; add .env and related files to .gitignore.
Store API keys in environment variables or a secrets manager and avoid hard-coding keys in code.
Rotate keys on a regular schedule and immediately rotate any key detected in a leak.
Assign minimal scopes per environment: read-only for dev, limited write for staging, and only required scopes for production.
Use distinct keys for service roles (reader, writer) so you can revoke or rotate one key without impacting others.
Validate webhook signatures with timing-safe comparison and log verification failures for investigation.

Example use cases

Set up distinct Windsurf read and write service accounts for a microservice architecture.
Run a pre-release audit to ensure no API keys are present in the codebase and scopes are minimal.
Add a CI step that checks key age and triggers rotation reminders for keys older than the policy threshold.
Implement webhook handlers that verify signatures with HMAC SHA-256 and log mismatches.
Enable audit logging for critical API calls and stream entries to both Windsurf analytics and internal logs for compliance.

FAQ

How often should I rotate Windsurf API keys?

Rotate keys regularly based on your risk profile; a common cadence is every 90 days, and immediately rotate if a key is exposed.

Can I store Windsurf keys in CI/CD pipelines?

Yes, store keys in the pipeline's secure secret store or a dedicated secrets manager and avoid exposing them in logs or build artifacts.