Apply FireCrawl security best practices for secrets and access control.
Use when securing API keys, implementing least privilege access,
or auditing FireCrawl security configuration.
Trigger with phrases like "firecrawl security", "firecrawl secrets",
"secure firecrawl", "firecrawl API key security".
Security best practices for Firecrawl API keys, webhook signature verification, and scraped content handling. Firecrawl API keys start with fc- and grant full access to scrape, crawl, map, and extract endpoints — protecting them is critical.
Prerequisites
Firecrawl API key
Understanding of environment variables
Webhook endpoint (if using async crawl callbacks)
Instructions
Step 1: Secure API Key Storage
# .env (NEVER commit to git)
FIRECRAWL_API_KEY=fc-your-api-key-here
# .gitignore — add these patterns
echo -e "\n.env\n.env.local\n.env.*.local" >> .gitignore
// Validate key exists before creating client
import FirecrawlApp from "@mendable/firecrawl-js";
if (!process.env.FIRECRAWL_API_KEY?.startsWith("fc-")) {
throw new Error("FIRECRAWL_API_KEY must be set and start with 'fc-'");
}
const firecrawl = new FirecrawlApp({
apiKey: process.env.FIRECRAWL_API_KEY,
});
Step 2: Verify Webhook Signatures
Firecrawl signs webhook payloads with HMAC-SHA256 via the X-Firecrawl-Signature header.
set -euo pipefail
# 1. Generate new key at firecrawl.dev/app
# 2. Deploy new key alongside old key
# 3. Verify new key works
curl -s https://api.firecrawl.dev/v1/scrape \
-H "Authorization: Bearer $NEW_FIRECRAWL_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com","formats":["markdown"]}' | jq .success
# 4. Remove old key from all environments
# 5. Delete old key in Firecrawl dashboard
Step 5: Sanitize Scraped Content
// Scraped web content may contain PII, scripts, or malicious data
function sanitizeScrapedContent(markdown: string): string {
return markdown
// Remove potential script injections
.replace(/<script[\s\S]*?<\/script>/gi, "")
// Remove data URIs (potential XSS vectors)
.replace(/!\[.*?\]\(data:.*?\)/g, "")
// Remove javascript: links
.replace(/\[.*?\]\(javascript:.*?\)/g, "")
// Strip HTML comments
.replace(/<!--[\s\S]*?-->/g, "")
.trim();
}
Security Checklist
API key stored in environment variable, never hardcoded