TrustSecurityBaseline
Early Security Baseline
Founder Preview baseline. Not a formal security program.
Status
Founder Preview baseline. Not a formal security program.
Required Baseline
- Store Cloudflare Workers secrets in Cloudflare, not in git.
- Keep secrets, tokens, API keys, and real
.envvalues out of the repo. - Protect or disable admin/debug routes before public exposure.
- Use basic rate limiting for public API surfaces.
- Add Turnstile or equivalent friction to risky public forms when they exist.
- Verify Stripe webhook signatures before any live payment workflow.
- Log API errors and payment webhook events when payment testing begins.
- Authorize R2 uploads before accepting user content.
- Keep Moments-like personal data private by default.
- Avoid sensitive data during Founder Preview.
Clean Default
If a feature cannot explain who can access the data, how it is logged, how it can be deleted, and what happens if abuse occurs, it should stay internal or disabled.