Security Considerations
- By default, only allowlisted environment variables are exposed to the frontend.
- ETag headers are set for cacheable assets.
- Security headers (CSP, X-Content-Type-Options, etc.) can be enabled.
- SPA fallback does not expose server internals.
- Review your allowlist and exposure mode for production deployments.
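One way to carry out the allowlist review from the last point, as an added example that is not the project's own code. The function names, the credential-name pattern and the sample variables are all assumptions made for illustration; the project's real configuration format is not shown on this page.

```javascript
// Added example: every name below is hypothetical, not part of the project's API.
// Pattern for variable names that usually hold credentials (an assumption; extend as needed).
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY)/i;

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return only the variables named in the allowlist (exact match, no prefixes or globs).
function exposedEnv(env, allowlist) {
  const out = {};
  for (const name of allowlist) {
    if (hasOwn(env, name)) out[name] = String(env[name]);
  }
  return out;
}

// Flag allowlist entries that deserve a second look before a production deployment.
function auditAllowlist(env, allowlist) {
  const findings = [];
  const seen = new Set();
  for (const name of allowlist) {
    if (seen.has(name)) {
      findings.push({ name, issue: 'duplicate entry' });
      continue;
    }
    seen.add(name);
    if (SECRET_NAME.test(name)) {
      findings.push({ name, issue: 'name looks like a credential' });
    } else if (!hasOwn(env, name)) {
      findings.push({ name, issue: 'not set in this environment' });
    }
  }
  return findings;
}

// Constructed sample environment and allowlist (not real values).
const sampleEnv = {
  PUBLIC_API_URL: 'https://api.example.test',
  APP_VERSION: '1.4.2',
  SESSION_SECRET: 'constructed-not-real',
  DATABASE_PASSWORD: 'constructed-not-real',
};
const sampleAllowlist = ['PUBLIC_API_URL', 'APP_VERSION', 'SESSION_SECRET', 'FEATURE_FLAGS'];

console.log(exposedEnv(sampleEnv, sampleAllowlist));
console.log(auditAllowlist(sampleEnv, sampleAllowlist));
```

Running a check like this in CI against the production allowlist catches a credential-named variable before it is served to browsers.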