Help Docs

Security best practices to handle sensitive data

Sensitive data such as cookies, tokens, and cloud credentials play a vital role in authentication and access control. Accidental exposure—like revealing inspect element data during screen sharing—can compromise accounts, sessions, and even your infrastructure. This article highlights essential precautions to ensure safe handling of cookies, tokens, and credentials.

Precautions and best practices

  • Cookies (session, iamadt, iambdt, CSRF tokens):
    • Never share screens or screenshots with cookies visible in browser tools. Either mask them or delete them.
    • Avoid copying and pasting cookies in unsecured chats or documents.
    • Regularly clear cookies from shared or public systems.
    • Learn more about the Site24x7 cookie policy.
  • Multi-layered authentication
    • Site24x7 TFA: Always enable two-factor authentication within your Site24x7 account for added login protection.
    • Account-level MFA: Ensure MFA is enabled at the account provider level (e.g., Zoho, Azure, AWS, or identity provider accounts) to secure access during login.
  • IP restrictions:
    • Restrict console and API access to trusted IP ranges.
    • Use VPNs for remote access to sensitive environments.
    • Restrict API access to trusted IP ranges wherever possible.
  • Device keys:
    • Register device keys only for trusted machines.
    • Revoke access for lost or decommissioned devices.
    • Avoid sharing device keys in public forums.
  • OAuth tokens:
    • Treat OAuth tokens as credentials—do not expose them in logs or URLs.
    • Use short-lived tokens with refresh mechanisms.
    • Rotate and revoke tokens if suspicious activity is detected.
  • If you’re using REST APIs with bots or third-party applications, always secure your API tokens:
    • Generate tokens with the least privilege required.
    • Avoid hard coding tokens into scripts or source code.
    • Rotate tokens periodically and revoke unused ones.
  • Cloud credentials (Azure/AWS):
    • Use IAM roles with least privilege, not root credentials.
    • Rotate access keys regularly and disable unused keys.
    • Store secrets in secure vaults (e.g., AWS Secrets Manager, Azure Key Vault).
  • Avoid sharing HAR files:
    • HAR files can contain sensitive data, so avoid sharing them. 
    • For secure troubleshooting, rely on Quartz recording instead of exporting or sharing HAR files.

Even a small oversight can have serious consequences. For example, during a screen-sharing session, exposing cookies or tokens through browser developer tools can allow an attacker to hijack your active session and gain unauthorized access to your account—no password required. Similarly, leaked AWS or Azure credentials can be exploited to spin up unauthorized resources or access sensitive data within minutes.

Was this document helpful?

Would you like to help us improve our documents? Tell us what you think we could do better.


We're sorry to hear that you're not satisfied with the document. We'd love to learn what we could do to improve the experience.


Thanks for taking the time to share your feedback. We'll use your feedback to improve our online help resources.

Shortlink has been copied!