Security Notes#
Secrets: never commit; load from environment/secret stores; rotate immediately if exposure is suspected
Cookies: set
COOKIE_SECURE=trueon HTTPS; considerSameSite=Noneonly when needed (e.g., cross-site auth)CORS: restrict origins to the expected hostnames
Auth: prefer short-lived access tokens; store refresh tokens securely (encrypted at rest)
Headers: add
Content-Security-Policy,X-Frame-Options,Referrer-Policy