Prox OS Internal Docs
TrustSecurityBaseline

Early Security Baseline

Founder Preview baseline. Not a formal security program.

Status

Founder Preview baseline. Not a formal security program.

Required Baseline

  • Store Cloudflare Workers secrets in Cloudflare, not in git.
  • Keep secrets, tokens, API keys, and real .env values out of the repo.
  • Protect or disable admin/debug routes before public exposure.
  • Use basic rate limiting for public API surfaces.
  • Add Turnstile or equivalent friction to risky public forms when they exist.
  • Verify Stripe webhook signatures before any live payment workflow.
  • Log API errors and payment webhook events when payment testing begins.
  • Authorize R2 uploads before accepting user content.
  • Keep Moments-like personal data private by default.
  • Avoid sensitive data during Founder Preview.

Clean Default

If a feature cannot explain who can access the data, how it is logged, how it can be deleted, and what happens if abuse occurs, it should stay internal or disabled.

On this page