If you identify a security issue in authentication, authorization, file upload handling, or exposed credentials, report it privately to the maintainer instead of opening a public issue.
- Do not commit real `.env` files
- Rotate credentials immediately if they have been exposed
- Review upload validation rules and JWT handling carefully before production use