How FeaturePeek manages security
December 29, 2020 · 4 minute read
How we engineered the security behind the FeaturePeek deployment preview platform
Written by Brad Johnson
Head of Marketing
Hero image courtesy of pexels.com
Table of Contents
- 1. FeaturePeek deployment previews are private by default
- 2. We never store your source code on our side
- 3. We never write code directly to your repo
- 4. We use HTTPS everywhere
- 5. Your app is completely isolated from other users’ apps
- 6. FeaturePeek environment variables are encrypted at rest
- 7. We use a password manager (and you should too!)
- Learn more
The development of web applications requires the cooperation of many roles: design, engineering, product management, and operations. But security isn’t something that’s simply designed and done. Instead, effective security requires the coordinated buy-in of organizational leadership, designers, and the developers building and running the application. This is true of the web applications being developed, but it’s also true of the third-party services that a web application depends on to function. If a third party is vulnerable, a dependency on it could compromise your application.
This isn’t limited to production services, either. It makes sense that if an infrastructure provider (like AWS) is compromised, it would affect your production application. But what about during the development, staging, and product review phases? If you’re a web agency with enterprise clients, you might be working with sensitive proprietary information. Likewise, if you’re a developer at a major technology company, the website you’re building may be for a product that hasn’t even been announced yet.
So it’s no surprise that one of the most common questions we get asked by new users is “How do you manage security at FeaturePeek?” To help our users better understand our security objectives and practices, we put together this blog post.
1. FeaturePeek deployment previews are private by default
Did you know that some deploy preview services are indexable on Google? That’s not the case with FeaturePeek. Our deployment previews are private by default, meaning that even if someone has a deploy preview URL, they can only access it if they’re logged in and on the team that owns the project. This way, you can ensure that only approved stakeholders have access to view your in-progress work and keep wandering eyes out.
2. We never store your source code on our side
FeaturePeek never stores your source code on our side. We request access to a repo’s source code to read the peek.yml configuration file, in order to see which repos are opted in to FeaturePeek. This lets us detect configuration details about each frontend, like the type of frontend architecture, and whether you specified a static or Docker project.
3. We never write code directly to your repo
The only time we write to your repo is via a pull request: when a user follows the project setup wizard and requests a GitHub Actions template to be added to their repo. Outside this particular exception, FeaturePeek will never write code directly to a repo. Configuring FeaturePeek doesn’t touch any of your production deployments, so you can tinker away without fear of screwing things up for your own customers.
4. We use HTTPS everywhere
To ensure proper encryption and security for FeaturePeek deployment previews, we exclusively rely on HTTPS-enabled URLs. Not only do we think this is a “no-brainer” best practice for your deploy previews, but we hope it gives everyone you send a FeaturePeek deployment preview link an added sense of confidence in the content they’re about to review.
5. Your app is completely isolated from other users’ apps
Every FeaturePeek environment gets its own namespace in the cluster, so it’s completely isolated from other FeaturePeek users’ deployments. We chose to make this security design decision in order to make sure all our users’ deployment previews stay private and that their code is only accessed by authorized users.
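To make the namespace-per-environment idea concrete, here is an added example of what a per-preview namespace looks like when it is actually locked down. This is not FeaturePeek’s own configuration; it assumes a Kubernetes cluster whose network plugin enforces NetworkPolicy, and the namespace name, team group, label and ingress-controller namespace are placeholders. The point a practitioner should take from it: a Kubernetes namespace by itself only scopes object names and RBAC, so isolation of network traffic and resource consumption has to be added explicitly.

```yaml
# Added example (not FeaturePeek's own configuration): one namespace per
# preview environment. Assumes Kubernetes with a CNI plugin that enforces
# NetworkPolicy. "preview-pr-123", "team-a" and "ingress-nginx" are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: preview-pr-123
  labels:
    tenant: team-a          # placeholder label used for ownership bookkeeping
---
# A namespace alone does not stop pods in other namespaces from reaching
# this one. Start from default-deny for both directions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: preview-pr-123
spec:
  podSelector: {}           # applies to every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# Then allow only what a preview needs: traffic in from the ingress controller,
# and DNS out so the app can still resolve names.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-controller-and-dns
  namespace: preview-pr-123
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # assumed ingress namespace
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system     # cluster DNS lives here
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Cap what one preview can consume so a runaway build cannot starve neighbours.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: preview-quota
  namespace: preview-pr-123
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
---
# Scope the owning team's read access to this namespace only, using the
# built-in read-only "view" ClusterRole bound as a namespaced RoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-view
  namespace: preview-pr-123
subjects:
  - kind: Group
    name: team-a            # placeholder group from the cluster's identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

Apply it with kubectl apply -f and confirm the policies exist with kubectl get networkpolicy -n preview-pr-123. One check worth doing once per cluster: NetworkPolicy objects are accepted by the API server even when the installed network plugin does not enforce them, so verify enforcement by running a pod in another namespace and confirming it cannot reach the preview's pods before relying on the policy for isolation.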
6. FeaturePeek environment variables are encrypted at rest
Rest assured (excuse the pun) that we encrypt all environment variables. If your encrypted environment variables were ever hacked/stolen, their values couldn’t be recovered. We encrypt your environment variables to ensure your proprietary information and technological secret sauce is safely under lock and key. If you want to learn more about how Auth works at FeaturePeek, you can read more about it in our docs.
7. We use a password manager (and you should too!)
We’re big fans of password managers at FeaturePeek. Beyond the convenience of not needing to remember which password you use for each service, using a password manager makes it easy for you to make good decisions about your accounts and password choices. Whether you choose LastPass, 1Password, Google Password Manager, or another service, password managers are a simple way anyone can improve their own security on the Web.
Learn more
FeaturePeek turns your deployment previews into the hub for your team’s frontend product review. It’s the easiest way for UI/UX teams to collaborate on frontend code, and integrates with familiar tools so you can continue to use the services that you’ve come to know and love. From Continuous Integration services to container registries, and from bug tracking platforms to getting notified in Slack, we’ve got you covered.
FeaturePeek provides collaborative frontend staging environments on-demand, so you can collect implementation feedback from stakeholders sooner. Learn more about FeaturePeek Teams, our collaborative tool that supercharges deployment previews for development teams.