This document outlines security best practices for users and developers of the Saxo Portfolio Home Assistant integration.
- Always use the simulation environment initially to test the integration
- Create dedicated application credentials specifically for Home Assistant
- Never share your App Key or App Secret with others
- Store credentials securely using Home Assistant's Application Credentials system
- Rotate credentials periodically (recommended every 6 months)
- OAuth tokens are automatically encrypted and stored in Home Assistant's config entries
- Tokens are automatically refreshed before expiration
- Never manually copy or store OAuth tokens outside of Home Assistant
- If you suspect token compromise, revoke access in the Saxo Developer Portal
- Ensure Home Assistant instance uses HTTPS (SSL/TLS) for external access
- All API communication with Saxo uses HTTPS with certificate verification
- The integration respects Saxo's rate limits to prevent abuse
- Start with simulation environment before switching to production
- Simulation environment uses
https://gateway.saxobank.com/sim/openapi - Production environment uses
https://gateway.saxobank.com/openapi - Environment selection is enforced at both authentication and API levels
- Portfolio data is only stored temporarily in Home Assistant's memory
- No sensitive financial data is logged in debug messages
- Error messages are sanitized to prevent information leakage
# ✅ CORRECT - Use application credentials system
credentials = await async_get_application_credentials(hass, DOMAIN)
app_key = credentials.client_id
# ❌ WRONG - Never hardcode credentials
app_key = "hardcoded_key"# ✅ CORRECT - Log error type, not details
_LOGGER.error("Authentication failed: %s", type(e).__name__)
# ❌ WRONG - Could leak sensitive information
_LOGGER.error("Authentication failed: %s", str(e))- Always use HTTPS endpoints
- Implement proper SSL certificate verification
- Include rate limiting with exponential backoff
- Use secure random state parameters for OAuth
- Access tokens should only be retrieved from config entries
- Implement token refresh before expiration
- Use secure storage provided by Home Assistant
- Log token operations at debug level only
The integration includes:
- SSL certificate verification enforcement
- OAuth state parameter validation
- Rate limiting implementation
- Sanitized error logging
Regularly review:
- Application credentials in Saxo Developer Portal
- Home Assistant access logs
- Integration error logs
- OAuth token expiration and refresh
If you discover a security vulnerability:
- Do not create a public GitHub issue
- Email security concerns to the maintainers
- Provide detailed information about the vulnerability
- Allow reasonable time for investigation and fix
This integration follows:
- OAuth 2.0 security best practices
- Home Assistant security guidelines
- Industry standard rate limiting
- Secure credential management patterns
- Security guidelines: Last updated 2025-09-10
- Next review scheduled: 2026-03-10
For questions about security practices, consult the Home Assistant security documentation or contact the integration maintainers.