Provider keys stay in environment variables and are never exposed to the browser.
All public write routes use Zod validation, sanitization and safe error responses.
Dashboard, settings and admin routes are protected by middleware and session checks.
The app ships with frame, referrer, permissions and content-type protections in next.config.ts.
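
The four protections named in the last line correspond to response headers returned from `headers()` in the Next.js config. The block below is an added example, not the app's own code: the header values, the `nextConfig` object and the `auditHeaders` helper are assumptions chosen for illustration, and the weak sample is constructed.

```typescript
type HeaderEntry = { key: string; value: string };

// Assumed values: one header per protection the page names.
const securityHeaders: HeaderEntry[] = [
  { key: "X-Frame-Options", value: "DENY" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  { key: "X-Content-Type-Options", value: "nosniff" },
];

// In next.config.ts this object would be the default export.
const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

// Per-header acceptance rules (this example's policy, not a standard).
const checks: Record<string, (v: string) => boolean> = {
  "x-frame-options": (v) => /^(deny|sameorigin)$/i.test(v.trim()),
  "referrer-policy": (v) => {
    // Browsers apply the last policy they understand in a comma-separated list.
    const last = v.split(",").pop()!.trim().toLowerCase();
    return last !== "" && last !== "unsafe-url" && last !== "no-referrer-when-downgrade";
  },
  "permissions-policy": (v) => v.trim().length > 0,
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
};

// Returns one finding per protection that is missing or set to a weak value.
function auditHeaders(headers: HeaderEntry[]): string[] {
  const seen = new Map<string, string>();
  for (const h of headers) seen.set(h.key.toLowerCase(), h.value);
  const findings: string[] = [];
  for (const [name, ok] of Object.entries(checks)) {
    const value = seen.get(name);
    if (value === undefined) findings.push(`${name}: missing`);
    else if (!ok(value)) findings.push(`${name}: weak value "${value}"`);
  }
  return findings;
}

// Constructed sample of a weak configuration, for comparison.
const weakSample: HeaderEntry[] = [
  { key: "X-Frame-Options", value: "ALLOW-FROM https://example.com" },
  { key: "Referrer-Policy", value: "unsafe-url" },
  { key: "X-Content-Type-Options", value: "nosniff" },
];
```

Running `auditHeaders` over the headers a deployed route actually returns, rather than over the config alone, also catches a proxy or CDN that strips or overrides them.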