Do not commit real values for:
- AWS access keys
- SMTP credentials
- API_KEY
- DATABASE_URL
- Dashboard JWT secrets
- Cloudflare tokens
- SSH keys or passwords
Use .env locally and keep .env.example as the public template.
The Docker Compose file binds the proxy to 127.0.0.1 by default. If you expose it publicly, put it behind HTTPS and keep API_KEY long and random.
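A repository hygiene check that enforces the two points above, written here as an added example rather than code from this project: it parses a .env-style file and flags values that look like real credentials (so .env.example stays a pure template), checks that an API_KEY is long and not a placeholder, and finds docker-compose short-syntax port mappings whose host side is not 127.0.0.1. The sample .env contents, the compose snippets, the image name example/ses-proxy and every detection pattern are constructed assumptions; the AWS values in the leaked sample are the example credentials from AWS's own documentation, not live keys.

```python
"""Repository hygiene check (added example, not part of this project): flags
real-looking credentials in a .env-style template, checks API_KEY strength and
finds docker-compose port mappings not bound to 127.0.0.1. Heuristics only."""
import re

# Shapes for credential kinds the policy names. An AWS secret access key has no
# fixed shape, so it is caught by the sensitive-key-name rule below instead.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# user:password@host embedded in a connection URL (DATABASE_URL, SMTP URLs)
URL_CRED_RE = re.compile(r"://(?P<user>[^/\s:@]+):(?P<password>[^@\s/]+)@")
# Key names that may only hold placeholders in a public template
SENSITIVE_KEY_RE = re.compile(r"SECRET|TOKEN|PASS|KEY", re.IGNORECASE)
# Values acceptable in a public template
PLACEHOLDER_RE = re.compile(
    r"^(?:|changeme|change[-_]me|password|secret|x{3,}|<[^>]+>|your[-_\w]*|replace[-_\w]*|\$\{[^}]+\})$",
    re.IGNORECASE)
# Short-syntax compose mapping: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]
PORT_RE = re.compile(
    r"^(?:(?:(?P<host>[^:]+):)?(?P<host_port>\d+(?:-\d+)?):)?"
    r"(?P<container_port>\d+(?:-\d+)?)(?:/(?:tcp|udp))?$"
)
PORT_LINE_RE = re.compile(
    r"""^\s*-\s*["']?(?P<mapping>(?:[\d.]+:)?\d+(?:-\d+)?:\d+(?:-\d+)?"""
    r"""(?:/(?:tcp|udp))?)["']?\s*$""",
    re.MULTILINE,
)

def parse_env(text):
    """Parse KEY=VALUE lines of a .env-style file, ignoring comments and blanks."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def find_secret_like_values(env):
    """Return (key, reason) pairs for values that look like real credentials."""
    findings = []
    for key, value in env.items():
        if PLACEHOLDER_RE.match(value):
            continue
        reason = next((n for n, p in SECRET_PATTERNS.items() if p.search(value)), None)
        if reason is None:
            m = URL_CRED_RE.search(value)
            if m and not PLACEHOLDER_RE.match(m.group("password")):
                reason = "url_with_password"
            elif SENSITIVE_KEY_RE.search(key):
                reason = "sensitive_key_with_value"
        if reason:
            findings.append((key, reason))
    return findings

def api_key_is_strong(value, min_len=32):
    """API_KEY must be long, not a placeholder and not one repeated character."""
    return len(value) >= min_len and not PLACEHOLDER_RE.match(value) and len(set(value)) > 1

def binds_loopback_only(mapping):
    """True if the host side of a short-syntax port mapping is 127.0.0.1.
    A mapping with no host IP (e.g. "8080:8080") listens on all interfaces."""
    m = PORT_RE.match(mapping.strip().strip('"').strip("'"))
    if not m:
        raise ValueError(f"unrecognised port mapping: {mapping!r}")
    return m.group("host") == "127.0.0.1"

def public_port_mappings(compose_text):
    """Port mappings in a compose file that are reachable beyond loopback.
    Line-based so it needs no YAML library; long-syntax ports are not covered."""
    return [m.group("mapping") for m in PORT_LINE_RE.finditer(compose_text)
            if not binds_loopback_only(m.group("mapping"))]

# Constructed samples, not files from this repository. The AWS values are the
# documented AWS example credentials, not live ones.
SAMPLE_ENV_EXAMPLE = """\
# Public template: copy to .env and fill in real values locally
API_KEY=changeme
DATABASE_URL=postgres://app:password@db:5432/app
AWS_ACCESS_KEY_ID=
DASHBOARD_JWT_SECRET=<generate-a-long-random-value>
CLOUDFLARE_API_TOKEN=
"""
SAMPLE_ENV_LEAKED = """\
API_KEY=3f9a2b7c1d4e5f60718293a4b5c6d7e8
DATABASE_URL=postgres://app:S3cr3tPassw0rd!@db.internal:5432/app
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DASHBOARD_JWT_SECRET=uVx7QmL2pZ9sR4tW8yB1nC5dF0gH3jK6
CLOUDFLARE_API_TOKEN=changeme
SSH_PRIVATE_KEY="-----BEGIN OPENSSH PRIVATE KEY-----"
"""
COMPOSE_HEAD = "services:\n  proxy:\n    image: example/ses-proxy\n    ports:\n"
SAMPLE_COMPOSE_PUBLIC = COMPOSE_HEAD + '      - "8080:8080"\n'
SAMPLE_COMPOSE_LOOPBACK = COMPOSE_HEAD + '      - "127.0.0.1:8080:8080"\n'

if __name__ == "__main__":
    print("leaked:", find_secret_like_values(parse_env(SAMPLE_ENV_LEAKED)))
    print("public ports:", public_port_mappings(SAMPLE_COMPOSE_PUBLIC))
```

Run it against the template before committing (for example from a pre-commit hook): the template sample yields no findings, while the leaked sample reports every key the policy lists. For the local .env, a value such as the output of python3 -c 'import secrets; print(secrets.token_hex(32))' satisfies api_key_is_strong; short or placeholder values do not. Once the proxy is exposed past loopback, the port check is a reminder rather than a substitute for the HTTPS front end the text calls for.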
Use a dedicated IAM user or role with only the SES/SQS permissions needed by the proxy.
For private deployments, report vulnerabilities through the repository's private security channel or directly to the repository owner.