If you discover a security vulnerability, please send an email to [email protected]. Do not report security vulnerabilities through public GitHub issues.

• API Key authentication required for all endpoints
• No default/weak keys in production
• Bearer token and X-API-Key header support

• Strict CORS policy (no wildcards in production)
• Domain-specific origins only
• Credentials support controlled

• All sensitive configuration via environment variables
• No hardcoded secrets in code
• Validation of required security variables

• Structured logging without sensitive data exposure
• Production log level controls
• Security event logging

• Regular dependency updates
• Security scanning with bandit and safety
• Minimal attack surface

• API_KEY: Strong API key (minimum 32 characters)
• SECRET_KEY: Cryptographic secret (minimum 32 characters)
• CORS_ORIGINS: Specific allowed origins (no wildcards)

• HTTPS enforced by Railway
• Environment isolation
• Secure variable storage
• Network-level protection

• API_KEY configured and strong
• SECRET_KEY configured and strong
• CORS_ORIGINS properly configured
• No wildcard CORS origins
• No hardcoded secrets in code
• Environment variables validated
• HTTPS enabled
• Logging configured for production
• Dependencies updated and scanned