Best Practices

Security

How xcelera handles your data and best practices for keeping your account secure.

Ephemeral audit infrastructure

xcelera runs every Lighthouse audit on an ephemeral machine that is destroyed after the test completes. This means:

  • No page data, credentials, or audit artifacts persist on the machine after the audit
  • Each audit gets a clean, isolated environment
  • Nothing can carry over from one audit to the next, so data cannot leak between audits or between organizations via the audit machine

This applies to all audits, including those for authenticated pages where credentials are decrypted on the machine and discarded when it is destroyed.

API token best practices

API tokens provide programmatic access to your organization. Keep them secure:

  • Store tokens in secrets management — keep them in your CI provider's secret store (e.g. GitHub Actions secrets) and inject them into jobs as environment variables at runtime. Never commit tokens to a repository or print them in build logs.
  • Rotate tokens periodically — generate a new token from Settings → API Tokens, switch your integrations to it, then deactivate the old one.
  • Use separate tokens per integration — if one is compromised, you can revoke it without affecting others.
  • Deactivate unused tokens — remove tokens for integrations you no longer use.

Webhook verification

Always verify webhook signatures to ensure requests are genuinely from xcelera. Each webhook endpoint has a signing secret used to compute an HMAC-SHA256 signature over the timestamp and the raw request body. Compute the HMAC over the body bytes exactly as they arrived; re-serializing parsed JSON can change whitespace or key order and will produce a different signature.

import crypto from 'node:crypto'
 
// `body` must be the raw request body exactly as received, not re-serialized JSON.
function verifyWebhook(body, secret, timestamp, signature) {
	const expected = crypto
		.createHmac('sha256', secret)
		.update(`${timestamp}.${body}`)
		.digest('hex')
 
	const a = Buffer.from(expected, 'utf8')
	const b = Buffer.from(String(signature), 'utf8')
	// timingSafeEqual throws if the buffers differ in length, so a malformed or
	// truncated signature must be rejected before the constant-time comparison
	if (a.length !== b.length) return false
	return crypto.timingSafeEqual(a, b)
}

Additionally, check the X-xcelera-Timestamp header and reject requests whose timestamp is older than a short tolerance window (e.g. 5 minutes) to limit replay attacks. Because the timestamp is part of the signed string, an attacker who captures a delivery cannot refresh the timestamp without invalidating the signature.

See Webhooks for the full payload format and header details.
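The following is an added example, not code from xcelera's own documentation or SDK, that combines the signature check and the timestamp freshness check into one verification routine and exercises it against a constructed payload. The secret, the payload contents, the "current time" and the 5-minute tolerance are all assumptions made for the demo; the signature header name is not shown on this page, so the signature is passed in as a plain value.

```javascript
import crypto from 'node:crypto'

// Maximum age of a delivery, in seconds, before it is rejected as a possible replay (assumed tolerance).
const MAX_AGE_SECONDS = 5 * 60

// Compute the signature the same way the sender does: HMAC-SHA256 over "<timestamp>.<raw body>".
function computeSignature(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex')
}

// Constant-time comparison of two hex signatures. timingSafeEqual throws on a
// length mismatch, so lengths are checked first and a mismatch is simply invalid.
function signaturesMatch(expectedHex, receivedHex) {
  const a = Buffer.from(expectedHex, 'utf8')
  const b = Buffer.from(String(receivedHex), 'utf8')
  return a.length === b.length && crypto.timingSafeEqual(a, b)
}

// Full check: freshness first, then signature. Returns { ok, reason } so callers can log why a
// delivery was dropped. `rawBody` must be the request bytes exactly as received.
// `now` is injectable so the check is testable; it defaults to the real clock.
function verifyWebhook({ rawBody, secret, timestamp, signature, now = Math.floor(Date.now() / 1000) }) {
  const ts = Number(timestamp)
  if (!Number.isInteger(ts)) return { ok: false, reason: 'malformed timestamp' }
  // Absolute difference also rejects timestamps far in the future (a forged header with a drifted clock).
  if (Math.abs(now - ts) > MAX_AGE_SECONDS) return { ok: false, reason: 'stale timestamp' }
  const expected = computeSignature(secret, timestamp, rawBody)
  if (!signaturesMatch(expected, signature)) return { ok: false, reason: 'bad signature' }
  return { ok: true, reason: 'ok' }
}

// --- Constructed demo data: not real xcelera traffic ---
const SECRET = 'example-signing-secret-do-not-use'                  // assumed secret value
const NOW = 1_700_000_000                                            // fixed clock so the demo is deterministic
const rawBody = '{"event":"audit.completed","auditId":"demo-123"}'   // constructed payload

function demo() {
  const timestamp = String(NOW - 30)                                 // delivery signed 30 s ago
  const signature = computeSignature(SECRET, timestamp, rawBody)

  return {
    // genuine, fresh delivery
    valid: verifyWebhook({ rawBody, secret: SECRET, timestamp, signature, now: NOW }),
    // same delivery replayed 10 minutes later: signature still correct, timestamp outside the window
    replayed: verifyWebhook({ rawBody, secret: SECRET, timestamp, signature, now: NOW + 600 }),
    // body altered in flight: HMAC no longer matches
    tampered: verifyWebhook({ rawBody: rawBody.replace('demo-123', 'demo-999'), secret: SECRET, timestamp, signature, now: NOW }),
    // attacker refreshes the timestamp on a captured delivery: the signed string changes, so it fails
    reTimestamped: verifyWebhook({ rawBody, secret: SECRET, timestamp: String(NOW), signature, now: NOW }),
    // truncated signature must fail cleanly instead of throwing from timingSafeEqual
    truncated: verifyWebhook({ rawBody, secret: SECRET, timestamp, signature: 'abc', now: NOW }),
  }
}

console.log(demo())
```

Wire `verifyWebhook` into your handler with the body captured before any JSON parsing (for example an express `raw` body parser) and respond with a 4xx when `ok` is false; only a delivery that passes both checks should be handed to application code.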

Secure page credentials

When auditing secure pages:

  • Credentials are encrypted in transit and at rest during the audit
  • Use short-lived tokens or session cookies rather than long-lived credentials
  • Credentials are never stored permanently — they exist only for the duration of the audit on an ephemeral machine

Account security

xcelera supports multiple layers of account security:

  • Two-factor authentication (2FA) — enable TOTP-based 2FA from Settings → Security
  • Passkeys — register FIDO2 passkeys for passwordless login
  • SSO — sign in with Google or GitHub