Operate
Security checklist
Move from a working install to a production-hardened feedback path.
Browser installation
- Use only the browser-safe project key in widget code.
- Restrict allowed origins after verifying the real domain.
- Add the widget and screenshot dependencies to Content Security Policy where required.
- Enable captcha when a public form attracts automated abuse.
- Keep attachment types and size limits narrow.
Server integrations
- Store REST API keys and webhook secrets in environment variables.
- Rotate credentials after exposure or staff access changes.
- Verify generic webhook signatures against the unmodified raw request body.
- Allow outbound webhook targets deliberately and avoid private network addresses.
- Log delivery IDs and handle duplicate events safely.
Public boards
- Review an item before making it public.
- Remove personal or confidential details.
- Moderate reports and team replies.
- Use private visibility while configuring a board.
- Treat directory listing as separate consent from public URL access.