Security: jroth1111/cloudflare_template

docs/security.md

Security Checklist (Northstar)

This template ships with secure defaults, but security is contextual. Use this as a baseline.

Secrets and env vars

  • Never commit .dev.vars.
  • Push production secrets (for example BETTER_AUTH_SECRET) with wrangler secret bulk, run through pnpm secrets:bulk; the values come from CI-provided env vars or from a local DEV_VARS file that is never committed.
  • Validate env vars with Zod at runtime (see apps/api/src/env.ts).

Cookies, sessions, and CSRF

  • Prefer a same-origin proxy for cookie sessions, so the browser only ever talks to apps/web and the session cookie never crosses an origin boundary:
    • browser → apps/web (public) → Service Binding → apps/api
  • The API Worker enforces an Origin allowlist for cookie-based write requests (POST|PUT|PATCH|DELETE):
    • default trusted origin: new URL(BETTER_AUTH_URL).origin
    • add trusted origins via AUTH_TRUSTED_ORIGINS (comma-separated)
  • Use bearer/JWT patterns only when you understand token storage risks (a token kept in localStorage is readable by any script that achieves XSS, whereas an HttpOnly cookie is not).
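The Origin allowlist described above, as an added example (this is not the template's own code; the AuthEnv shape and the function names are assumptions). It derives the trusted set from BETTER_AUTH_URL and AUTH_TRUSTED_ORIGINS, normalises entries to bare origins, and only applies the check to cookie-bearing write requests, rejecting a write that carries a cookie but no verifiable Origin or Referer:

```typescript
// Added example, not code from the template: an Origin allowlist check for
// cookie-authenticated write requests, built from the two settings named in
// the checklist. The AuthEnv shape and function names are assumptions.
type AuthEnv = { BETTER_AUTH_URL: string; AUTH_TRUSTED_ORIGINS?: string };
// Anything with get(name) works: the Fetch Headers object in a Worker, or a Map in tests.
type HeaderLike = { get(name: string): string | null | undefined };

const WRITE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Normalise every entry to a bare origin (scheme://host[:port]) so that
// "https://app.example.com/" and "https://app.example.com" compare equal.
// A malformed entry throws, which is the right outcome at Worker startup.
function trustedOrigins(env: AuthEnv): Set<string> {
  const origins = new Set<string>([new URL(env.BETTER_AUTH_URL).origin]);
  for (const raw of (env.AUTH_TRUSTED_ORIGINS ?? "").split(",")) {
    const entry = raw.trim();
    if (entry) origins.add(new URL(entry).origin);
  }
  return origins;
}

type OriginCheck = "ok" | "missing-origin" | "untrusted-origin";

// Decision for one request. Only cookie-bearing writes need the check: a
// cross-site form POST carries the session cookie, but its Origin header
// names the attacker's site, and page scripts cannot forge Origin.
function checkWriteOrigin(method: string, headers: HeaderLike, trusted: Set<string>): OriginCheck {
  if (!WRITE_METHODS.has(method.toUpperCase())) return "ok";
  if (!headers.get("cookie")) return "ok"; // no ambient credential, nothing to protect
  const origin = headers.get("origin");
  if (origin) {
    // "null" is sent for sandboxed iframes and opaque origins; never trust it.
    return origin !== "null" && trusted.has(origin) ? "ok" : "untrusted-origin";
  }
  // Some older browsers omit Origin on same-origin POSTs; fall back to Referer.
  // A cookie-bearing write with neither header cannot be verified, so reject it.
  const referer = headers.get("referer");
  if (!referer) return "missing-origin";
  try {
    return trusted.has(new URL(referer).origin) ? "ok" : "untrusted-origin";
  } catch {
    return "missing-origin";
  }
}

// Usage in a Worker (assumed shape): decide before the handler touches the session.
//   const verdict = checkWriteOrigin(request.method, request.headers, trustedOrigins(env));
//   if (verdict !== "ok") return new Response("forbidden", { status: 403 });
```

Reads (GET/HEAD/OPTIONS) and writes without a cookie pass untouched, so bearer-token clients and same-origin proxied traffic are unaffected; only the CSRF-relevant case, a session cookie on a state-changing method, is gated.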

Request validation

  • Validate all external input with Zod (JSON bodies, query params, route params, headers).
  • Treat TypeScript as compile-time only; never trust unvalidated input at runtime.

CORS

  • Avoid CORS when possible by using the same-origin proxy model.
  • If you must enable CORS, use an allowlist; do not use * with credentials.
    • In production, apps/api rejects CORS_ORIGINS=* at startup.
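An allowlist-based CORS policy with the production wildcard rejection, as an added example (not the template's own code; the CORS_ORIGINS parsing and header names follow the CORS spec, but the function names and the "wildcard means uncredentialed" dev-mode rule are assumptions). It shows why `*` and credentials cannot coexist: browsers refuse `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, and echoing an arbitrary Origin with credentials would be the same thing by another route.

```typescript
// Added example, not code from the template: CORS allowlist handling for
// apps/api. Function names and the dev-mode wildcard rule are assumptions.
type CorsConfig = { allowedOrigins: Set<string> };

// Parse CORS_ORIGINS at startup. A wildcard is refused outright in
// production; outside production it is tolerated, but only ever yields an
// uncredentialed response (see corsHeaders). Entries are normalised to
// bare origins; a malformed entry throws so the Worker fails to start.
function parseCorsOrigins(raw: string | undefined, production: boolean): CorsConfig {
  const entries = (raw ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  if (production && entries.includes("*")) {
    throw new Error("CORS_ORIGINS=* is not allowed in production: wildcard plus credentials is an open door");
  }
  return { allowedOrigins: new Set(entries.map((e) => (e === "*" ? "*" : new URL(e).origin))) };
}

// Response headers for one request, given the request's Origin header.
function corsHeaders(requestOrigin: string | null | undefined, cfg: CorsConfig): Record<string, string> {
  if (!requestOrigin) return {}; // same-origin or non-browser client: no CORS headers needed
  const allowed = cfg.allowedOrigins.has(requestOrigin);
  if (allowed) {
    // Credentialed CORS must echo the exact origin, never "*". Vary: Origin
    // keeps a shared cache from serving one origin's response to another.
    return {
      "Access-Control-Allow-Origin": requestOrigin,
      "Access-Control-Allow-Credentials": "true",
      "Access-Control-Allow-Methods": "GET,POST,PUT,PATCH,DELETE,OPTIONS",
      "Access-Control-Allow-Headers": "Content-Type,Authorization",
      Vary: "Origin",
    };
  }
  if (cfg.allowedOrigins.has("*")) {
    // Dev-only wildcard: public, uncredentialed access. Deliberately no
    // Allow-Credentials, so cookies are never exposed cross-origin.
    return { "Access-Control-Allow-Origin": "*" };
  }
  return {}; // not allowlisted: omit the headers and the browser blocks the read
}

// Usage in a Worker (assumed shape):
//   const cors = parseCorsOrigins(env.CORS_ORIGINS, env.ENVIRONMENT === "production");
//   const extra = corsHeaders(request.headers.get("origin"), cors);
//   for (const [k, v] of Object.entries(extra)) response.headers.set(k, v);
```

Preflight (OPTIONS) requests get the same headers and an empty 204 body; the only difference from the non-preflight path is that the allowlist decision is made before any handler runs.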

Outbound fetch SSRF hardening

  • In production, apps/api enables the global_fetch_strictly_public compatibility flag, so a fetch() to a hostname in the Worker's own zone is routed through the public edge like any external request and is subject to the zone's Workers routes and security rules instead of bypassing them.

KV usage

  • KV is eventually consistent: treat it as a cache or best-effort secondary store.
  • Do not use KV as a source of truth for locks, inventory, or counters.

Durable Objects

  • Use Durable Objects for strong consistency and coordination.
  • Authenticate/authorize DO-backed endpoints.
  • Keep DO state minimal; persist important state to D1.

Observability

  • Responses include x-request-id; error envelopes include requestId.
  • Enable observability and upload_source_maps in production Workers.
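Request-id propagation and the error envelope, as an added example (not the template's own code; the envelope field names beyond requestId, the id format rule, and the wrapper are assumptions). The security-relevant details are that a client-supplied x-request-id is only honoured when it matches a strict pattern, so an attacker cannot inject newlines or arbitrary text into logs and response headers, and that an unexpected exception yields a generic 500 envelope carrying the id for correlation but no stack trace or internal message:

```typescript
// Added example, not code from the template: x-request-id handling and the
// error envelope for apps/api. Field names other than requestId, the id
// pattern and the wrapper are assumptions. In a Worker, replace the Node
// import with the global crypto.randomUUID().
import { randomUUID } from "node:crypto";

type ErrorEnvelope = { error: { code: string; message: string }; requestId: string };

// A client may forward its own id for end-to-end tracing, but only if it
// looks like one we would mint. Anything else (CRLF, spaces, huge strings)
// is replaced, so the id is safe to put in headers and structured logs.
const REQUEST_ID = /^[A-Za-z0-9-]{8,64}$/;
function resolveRequestId(incoming: string | null | undefined): string {
  return incoming && REQUEST_ID.test(incoming) ? incoming : randomUUID();
}

// Every error body has the same shape, and the message is what we chose to
// say, never the raw exception text.
function errorEnvelope(code: string, message: string, requestId: string): ErrorEnvelope {
  return { error: { code, message }, requestId };
}

// Wrap a handler so that every response, success or failure, carries
// x-request-id and a thrown error becomes a generic 500 envelope.
async function withRequestId(
  handler: (requestId: string) => Promise<Response>,
  incomingId: string | null | undefined,
): Promise<Response> {
  const requestId = resolveRequestId(incomingId);
  let res: Response;
  try {
    res = await handler(requestId);
  } catch (err) {
    // The detail goes to the log, keyed by the same id the client sees.
    console.error(JSON.stringify({ requestId, error: String(err) }));
    res = new Response(JSON.stringify(errorEnvelope("internal_error", "Unexpected error", requestId)), {
      status: 500,
      headers: { "content-type": "application/json" },
    });
  }
  const headers = new Headers(res.headers);
  headers.set("x-request-id", requestId);
  return new Response(res.body, { status: res.status, headers });
}

// Usage in a Worker (assumed shape):
//   return withRequestId((id) => app.fetch(request, env, ctx), request.headers.get("x-request-id"));
```

With observability and upload_source_maps enabled, the requestId logged here is the key you search for in the Workers logs, and the stack trace recorded there is symbolicated without ever reaching the client.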
