customerio-security-basics

# Customer.io Security Basics

## Overview
Implement security best practices for Customer.io integrations including credential management, PII handling, and access controls.

## Prerequisites
- Customer.io account with admin access
- Understanding of your data classification
- Environment variable management

## Instructions

### Step 1: Secure Credential Management
```typescript
// lib/secrets.ts
import { SecretManagerServiceClient } from '@google-cloud/secret-manager';

// Use a secrets manager instead of env vars for production
async function getCustomerIOCredentials(): Promise<{
  siteId: string;
  apiKey: string;
}> {
  // Option 1: Google Cloud Secret Manager
  const client = new SecretManagerServiceClient();
  const [siteIdVersion] = await client.accessSecretVersion({
    name: 'projects/PROJECT_ID/secrets/customerio-site-id/versions/latest'
  });
  const [apiKeyVersion] = await client.accessSecretVersion({
    name: 'projects/PROJECT_ID/secrets/customerio-api-key/versions/latest'
  });

  return {
    siteId: siteIdVersion.payload?.data?.toString() || '',
    apiKey: apiKeyVersion.payload?.data?.toString() || ''
  };
}

// Option 2: AWS Secrets Manager
import { SecretsManager } from '@aws-sdk/client-secrets-manager';

async function getCredentialsFromAWS() {
  const client = new SecretsManager({ region: 'us-east-1' });
  const response = await client.getSecretValue({
    SecretId: 'customerio-credentials'
  });
  return JSON.parse(response.SecretString || '{}');
}
```

### Step 2: PII Data Handling
```typescript
// lib/pii-handler.ts
import crypto from 'crypto';

// Hash sensitive identifiers before sending
function hashPII(value: string): string {
  return crypto
    .createHash('sha256')
    .update(value + process.env.PII_SALT)
    .digest('hex');
}

// Sanitize attributes before sending to Customer.io
function sanitizeUserAttributes(attributes: Record<string, any>): Record<string, any> {
  const sensitiveFields = ['ssn', 'credit_card', 'password', 'bank_