This document outlines important security considerations for the application, particularly related to CORS, database management, and environment-specific configurations.

The application uses different CORS configurations based on the environment:

• In development, the application uses a more permissive CORS configuration to allow for local development and ngrok tunneling.
• The frontend uses a proxy configuration to avoid CORS issues during development.
• Custom CORS middleware ensures proper handling of cross-origin requests.

• In production, strict CORS rules apply, with only specific allowed origins.
• No wildcards are used for allow_origins in production when credentials are required.
• The API URL in production should be an absolute URL to the API server, not a relative path.

• Database setup and reset scripts are included for development purposes.
• These scripts include safeguards to prevent accidental execution in production.
• They require explicit confirmation if run in a production environment.

• IMPORTANT: Never run the database reset scripts in production without a proper backup.
• Production database changes should be managed through proper migrations.
• Ensure proper database credentials and access controls in production.

The application uses environment-specific configuration:

• Set DEBUG=True in development to enable helpful debugging features.
• Use .env.docker and .env files for local development.
• Set ENVIRONMENT=development to enable development-specific features.

• Set DEBUG=False in production.
• Ensure all secrets (JWT, API keys, etc.) are properly secured and not hardcoded.
• Set ENVIRONMENT=production to disable development-specific features.
• Configure proper values for ALLOWED_HOSTS with specific domains.

• Implement proper authentication and authorization for all API endpoints.
• Use HTTPS in production.
• Limit exposed debugging endpoints in production.

• Regularly update dependencies to patch security vulnerabilities.
• Perform security audits of the codebase.
• Test for common vulnerabilities like XSS, CSRF, injection attacks, etc.

If you discover a security vulnerability, please send an email to [email protected]. Do not disclose security vulnerabilities publicly until they have been addressed by the team.