Browse documentation

Operate

Security checklist

Move from a working install to a production-hardened feedback path.

Browser installation

  • Use only the browser-safe project key in widget code.
  • Restrict allowed origins after verifying the real domain.
  • Add the widget and screenshot dependencies to Content Security Policy where required.
  • Enable captcha when a public form attracts automated abuse.
  • Keep attachment types and size limits narrow.

Server integrations

  • Store REST API keys and webhook secrets in environment variables.
  • Rotate credentials after exposure or staff access changes.
  • Verify generic webhook signatures against the unmodified raw request body.
  • Allow outbound webhook targets deliberately and avoid private network addresses.
  • Log delivery IDs and handle duplicate events safely.

Public boards

  • Review an item before making it public.
  • Remove personal or confidential details.
  • Moderate reports and team replies.
  • Use private visibility while configuring a board.
  • Treat directory listing as separate consent from public URL access.