Authentication and sessions
The console uses Better Auth for login and sessions. Production configuration must be proven with readback evidence for secure cookies, trusted origins, HTTPS, callback URLs, and cookie scope.
Credential handling
Deploy tokens, database URLs, SSH keys, and third-party secrets should be injected only as runtime secrets, never committed to repositories or public docs.
Deployment isolation
Appaloft records deploy paths, health checks, and rollback state. Runtime isolation for applications depends on the server and resource configuration you choose.
Audit and observability
Sensitive operations should leave auditable events, logs, and status for diagnostics, rollback, and security investigation.
Production readiness
Security headers, CSP, email feedback, WAF/risk controls, and external provider settings need deployed-environment readback evidence. This page is not a security certification, compliance certification, or penetration test report.
Reporting issues
If you find a vulnerability, contact [email protected] and give us reasonable time to respond before public disclosure.