Please do not open public issues for security vulnerabilities.
Report vulnerabilities privately to maintainers with:
- affected endpoint/file
- impact description
- reproduction steps
- suggested remediation (if available)
- Never commit `.env` files or service-account JSON credentials.
- Rotate credentials immediately if exposure is suspected.
- Use immutable Cognito `sub` IDs for authorization decisions.
- Restrict CORS origins and keep API keys out of client bundles.
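A minimal illustration of the last two points, added here as an example and not part of this project's code. `ALLOWED_ORIGINS`, the function names and the claim values are assumptions; the helpers assume the token's signature, issuer, audience and expiry were already verified upstream, so `claims` is a trusted payload.

```python
"""Added example: authorize on the immutable Cognito `sub` claim, and check
CORS origins by exact match against an allow-list (assumed helper code)."""
from typing import Optional

# Constructed allow-list; in practice this comes from deployment configuration.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def owner_id(claims: dict) -> str:
    """Return the stable subject identifier from already-verified claims.

    `sub` is assigned once by the user pool and never changes, whereas
    `email` and `username` can be edited or reassigned, so only `sub` is
    safe to persist as an owner key or to compare against a stored one.
    """
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise PermissionError("verified token lacks a sub claim")
    return sub


def authorize_owner(claims: dict, resource_owner_sub: str) -> bool:
    """True only when the caller's `sub` equals the `sub` stored on the resource."""
    return owner_id(claims) == resource_owner_sub


def cors_allowed(origin: Optional[str], allowlist=ALLOWED_ORIGINS) -> bool:
    """Exact-match origin check.

    Prefix or substring matching would also accept origins that merely
    start with an allowed value, so membership is tested on the full string.
    """
    return origin is not None and origin in allowlist
```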