Skip to main content
use-apify.com

Security: guides & tutorials

Scraping security: vault secrets, non-root containers, and scoped API keys. Keep proxy creds and datasets safer while running Apify Actors in production.

3 articles

View all tags

Scraping security means vaulting secrets, running non-root containers, and scoping API keys so proxy credentials and datasets stay safe. These guides cover hardening scrapers in production.

Leaky credentials and over-broad tokens are the common failure modes, and both are avoidable. Apify supports scoped tokens and secure storage. Below you will find security patterns for running scrapers safely.

Related topics

DevOps7 min read

VPS Security Hardening Checklist: Protect Your Server in 30 Minutes (2026)

· 7 min read
Yassine El Haddad
Software Developer & Automation Specialist

Default VPS configurations are insecure. Bots scan the internet for open ports and weak SSH configs within minutes of provisioning — brute-force attempts and exploit probes start almost immediately. A Liquid Web VPS gives you a solid foundation, but you still need to harden the OS. This guide walks through six essential steps to protect your server in about 30 minutes, whether you run self-hosted scrapers, APIs, or web apps.

Liquid Web9 min read

WireGuard VPN for Scraping: Secure Your VPS Traffic

· 9 min read
Yassine El Haddad
Software Developer & Automation Specialist

Running a scraping server on a public VPS without a VPN exposes your admin panel, Playwright cluster, and dataset store to the open internet. WireGuard solves this with a minimal kernel-level tunnel that routes all management traffic through an encrypted private channel — no IPsec complexity, no OpenVPN overhead.

This guide walks through installing and configuring WireGuard on a Liquid Web Ubuntu 22.04 VPS, generating keys, routing scraping-server traffic through the tunnel, and locking dashboards behind VPN-only access.

Guides on this site

Frequently asked questions

Frequently Asked Questions

Credential theft from scraped sites if you handle login flows, proxy credential exposure if stored improperly, malicious JavaScript execution if running untrusted pages in browsers, SSRF risks if actors accept arbitrary URLs from untrusted users, and data breach risks from storing scraped personal data without proper access controls.

Store credentials in Apify's environment variable secrets, never in actor source code or version control. Use scoped API tokens with minimum required permissions. Rotate tokens on a schedule and immediately after any potential exposure. Log all credential usage with timestamps. Use short-lived tokens for actor runs where possible.

SSRF when actors fetch user-supplied URLs without validation, injection risks in database writes from scraped content, broken access control if dataset permissions are too broad, security misconfiguration in proxy credentials and API keys, and insufficient logging when scrapers access personal data. Treat scraping infrastructure with the same rigor as web applications.

Implement rate limiting, use Cloudflare or Akamai bot management, add honeypot fields that legitimate users never trigger, use CAPTCHA on sensitive endpoints, monitor for suspicious traffic patterns, and review server logs for bot signatures. None of these measures are perfect—determined scrapers adapt—so focus on your actual risk exposure.