Security
Security-sensitive deployments should focus on payload redaction, approval token handling, webhook signing, dashboard authorization, and retention.
Redaction
Keep redaction enabled for persisted JSON payloads and extend secret key patterns for your domain.
Approvals
Approval tokens are stored only as SHA-256 hashes; the plain token is returned once, at issuance, and cannot be recovered from the store afterwards, so it must be delivered to the approver at that moment.
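The issue-then-verify flow this implies, as an added example rather than the project's own code (the page does not show its language, so Python is assumed, and the in-memory store, the token length and the function names are assumptions):

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store standing in for the project's persistence layer
# (assumption: the page does not show the real store). Only hashes land here.
APPROVAL_STORE: dict = {}


def hash_token(token: str) -> str:
    """SHA-256 hex digest of a plain token; this is all that is persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_approval(approval_id: str) -> str:
    """Create an approval record and return the plain token exactly once.

    The caller must hand the token to the approver now; it is not retrievable later.
    """
    token = secrets.token_urlsafe(32)
    APPROVAL_STORE[approval_id] = {"token_hash": hash_token(token)}
    return token


def verify_approval(approval_id: str, presented: str) -> bool:
    """Check a presented token against the stored hash.

    Hash the presented value and compare digests in constant time, so neither the
    store nor the comparison ever handles the original plaintext.
    """
    record = APPROVAL_STORE.get(approval_id)
    if record is None:
        return False
    return hmac.compare_digest(record["token_hash"], hash_token(presented))


def plaintext_leaked(token: str) -> bool:
    """Audit helper: true if the plain token appears anywhere in the store."""
    return any(token in str(r) for r in APPROVAL_STORE.values())
```

A database dump therefore yields only digests; an attacker who obtains one still has to guess a 256-bit random token. Keep the plaintext out of request logs and error messages on the issuance path, which is the only place it exists.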
Webhooks
Set webhook.secret so that deliveries carry an HMAC signature receivers can verify with the same secret; without it a receiver cannot distinguish genuine deliveries from forged ones.
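Both halves of that exchange, sender signing and receiver verifying, as an added example that is not the project's code; the header names, the timestamp binding and the skew window are assumptions for the example, not the project's wire format, and Python is assumed as the language:

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the webhook.secret setting.
WEBHOOK_SECRET = b"constructed-example-secret-rotate-me"
MAX_SKEW_SECONDS = 300
# Header names are assumptions for this example, not the project's wire format.
TS_HEADER = "X-Webhook-Timestamp"
SIG_HEADER = "X-Webhook-Signature"


def canonical_body(event: dict) -> bytes:
    """Serialize deterministically so sender and receiver sign identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over timestamp and body; binding the timestamp limits replay."""
    msg = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_delivery(event: dict, secret: bytes = WEBHOOK_SECRET,
                   now: Optional[int] = None):
    """Sender side: return (headers, raw body) for one webhook delivery."""
    ts = int(time.time()) if now is None else now
    body = canonical_body(event)
    headers = {TS_HEADER: str(ts), SIG_HEADER: "sha256=" + sign(secret, ts, body)}
    return headers, body


def verify_delivery(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET,
                    now: Optional[int] = None) -> bool:
    """Receiver side: accept only a fresh delivery whose MAC matches the raw body."""
    ts_raw = headers.get(TS_HEADER, "")
    presented = headers.get(SIG_HEADER, "")
    if not ts_raw.isdigit() or not presented.startswith("sha256="):
        return False
    ts = int(ts_raw)
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = "sha256=" + sign(secret, ts, body)
    # Constant-time comparison; a plain == would leak how much of the MAC matched.
    return hmac.compare_digest(expected, presented)
```

On the receiving side verify over the raw request bytes exactly as received, not over a re-serialized copy of the parsed JSON, since any formatting difference changes the MAC. When rotating the secret, let the receiver accept the old and new value for a short overlap window.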
Dashboard
The dashboard ships with a deny-by-default authorizer. Replace it with your application's RBAC before exposing actions, and keep the fail-closed behaviour for any action or role the RBAC does not explicitly grant.
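A shape for that replacement, as an added example rather than the project's own authorizer interface; the role and action names, the project scope and the three-argument authorizer signature are all assumptions for the example, and Python is assumed as the language:

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed role -> permission table. Role names, action names and the
# project scope are assumptions for this example, not the project's model.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"runs:read"}),
    "operator": frozenset({"runs:read", "runs:retry", "runs:cancel"}),
    "approver": frozenset({"runs:read", "approvals:decide"}),
}
KNOWN_ACTIONS = frozenset().union(*ROLE_PERMISSIONS.values())
ANY_SCOPE = "*"


@dataclass(frozen=True)
class Principal:
    subject: str
    # (scope, role) bindings; a binding on ANY_SCOPE applies to every scope.
    bindings: Tuple[Tuple[str, str], ...] = ()


Authorizer = Callable[[Principal, str, str], bool]


def deny_by_default(principal: Principal, action: str, scope: str) -> bool:
    """The shipped stance: nothing is allowed until an authorizer is supplied."""
    return False


def rbac_authorizer(principal: Principal, action: str, scope: str) -> bool:
    """Allow only when a role bound to this scope (or to every scope) grants the action.

    Unknown actions and unknown roles fall closed rather than open, so a typo in a
    permission name can only remove access, never add it.
    """
    if action not in KNOWN_ACTIONS:
        return False
    for bound_scope, role in principal.bindings:
        if bound_scope not in (ANY_SCOPE, scope):
            continue
        if action in ROLE_PERMISSIONS.get(role, frozenset()):
            return True
    return False


def run_dashboard_action(authorizer: Authorizer, principal: Principal,
                         action: str, scope: str) -> str:
    """Gate an action behind the authorizer; raising keeps callers from forgetting the check."""
    if not authorizer(principal, action, scope):
        raise PermissionError(f"{principal.subject} may not {action} in {scope}")
    return f"{action} performed in {scope} by {principal.subject}"
```

The scope check is the part most often skipped: a role granted on one project must not authorize the same action on another, and a wildcard binding should be an explicit, auditable choice rather than the default.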
Displayed data
Dashboard DTOs return stored values as-is. If a value was persisted unredacted (for example before redaction was enabled), presentation code must redact it before display.
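One redactor serving both the Redaction and Displayed data sections above, applied on the write path to persisted JSON and on the read path to DTOs, as an added example that is not the project's code; the default key patterns, the placeholder string and the function names are assumptions for the example, and Python is assumed as the language:

```python
import json
import re
from typing import Iterable, List, Pattern

# Default key patterns for common secret-bearing names; the list is an assumption
# for this example, not the project's shipped defaults. Boundaries are start/end
# of the key or an underscore/hyphen, so "tokenized" is kept but "access_token",
# "apiKey", "Set-Cookie" and "x-api-key" are redacted.
DEFAULT_SECRET_KEY_PATTERNS = [
    r"(?i)(^|[_-])(password|passwd|secret|token|api[_-]?key|authorization|cookie)($|[_-])",
]
REDACTED = "[REDACTED]"


def compile_patterns(extra: Iterable[str] = ()) -> List[Pattern]:
    """Combine the defaults with domain-specific key patterns."""
    return [re.compile(p) for p in (*DEFAULT_SECRET_KEY_PATTERNS, *extra)]


def redact(value, patterns: List[Pattern]):
    """Return a deep copy with the values of matching keys replaced.

    Keys are matched at every nesting level, inside lists as well as objects,
    and the input is left unmodified so callers can still use the original
    object in memory while persisting or displaying only the redacted view.
    """
    if isinstance(value, dict):
        return {
            k: REDACTED if any(p.search(str(k)) for p in patterns) else redact(v, patterns)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v, patterns) for v in value]
    return value


def redact_for_persistence(payload: dict, extra_patterns: Iterable[str] = ()) -> str:
    """Write path: the JSON that reaches storage never contains matched values."""
    return json.dumps(redact(payload, compile_patterns(extra_patterns)), sort_keys=True)


def present(dto: dict, extra_patterns: Iterable[str] = ()) -> dict:
    """Read path: redact a DTO whose stored values may predate redaction being enabled."""
    return redact(dto, compile_patterns(extra_patterns))
```

Pass the same extra patterns (for example a pattern for card or account number keys in your domain) to both paths, otherwise a value the write path misses will still surface on the dashboard. Key matching only catches secrets that sit under recognisable keys; a secret embedded in a free-text field needs value-based redaction in addition.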