API Key
- Keys should only be stored server-side, in CI secrets or locally controlled config files, never in frontend code, public repos, screenshots or logs.
- After creating a Key, assign it per project and environment, and regularly rotate production Keys.
- If a leak is discovered, immediately disable or delete the Key and trace abnormal calls via request logs.
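The three points above in working form, as an added example that is not the provider's own code: the key is read from the process environment rather than from source, key-shaped tokens are masked before text reaches a log or ticket, and a request log is scanned for keys whose call volume or source-IP spread looks abnormal. The environment variable name, the `sk-` key shape, the log line format and the sample log are all assumptions constructed for the example.

```python
import os
import re
from collections import defaultdict

# Assumed environment variable name; the provider's real variable name is not on the page.
API_KEY_ENV = "EXAMPLE_API_KEY"

# Assumed key shape for this example: "sk-" followed by at least 24 alphanumerics.
KEY_PATTERN = re.compile(r"sk-[A-Za-z0-9]{24,}")

# Assumed request-log line shape (constructed for this example, not the provider's real format).
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def load_api_key(env=None):
    """Read the key from the environment (CI secret or server config), never from source code."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; provide it as a server-side secret")
    return key


def key_id(key):
    """Non-secret identifier for a key: first 3 and last 4 characters, middle masked.
    Enough to tell keys apart when rotating, useless for calling the API."""
    return key[:3] + "****" + key[-4:]


def redact_keys(text):
    """Mask every key-shaped token before text reaches logs, tickets or screenshots."""
    return KEY_PATTERN.sub(lambda m: key_id(m.group(0)), text)


def flag_abnormal_calls(log_lines, max_calls=5, max_ips=1):
    """Group request-log lines by key and report keys that exceed a call budget or are
    used from more distinct source IPs than expected, a common sign of a leaked key.
    The report is keyed by masked key ids, so it can be pasted into a ticket safely."""
    calls = defaultdict(int)
    ips = defaultdict(set)
    for line in log_lines:
        m = LOG_PATTERN.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        kid = key_id(m["key"])
        calls[kid] += 1
        ips[kid].add(m["ip"])
    report = {}
    for kid, n in calls.items():
        reasons = []
        if n > max_calls:
            reasons.append(f"{n} calls exceed budget of {max_calls}")
        if len(ips[kid]) > max_ips:
            reasons.append(f"used from {len(ips[kid])} distinct IPs: {sorted(ips[kid])}")
        if reasons:
            report[kid] = reasons
    return report


# Constructed keys and request log for the demonstration (not real credentials or traffic).
KEY_A = "sk-" + "A" * 24
KEY_B = "sk-" + "B" * 24
SAMPLE_LOG = [
    f"2024-05-01T10:00:00Z key={KEY_A} ip=198.51.100.10 path=/v1/chat status=200",
    f"2024-05-01T10:00:05Z key={KEY_A} ip=198.51.100.10 path=/v1/chat status=200",
    f"2024-05-01T10:01:00Z key={KEY_B} ip=198.51.100.10 path=/v1/chat status=200",
    f"2024-05-01T10:01:01Z key={KEY_B} ip=203.0.113.7 path=/v1/chat status=200",
    f"2024-05-01T10:01:02Z key={KEY_B} ip=203.0.113.7 path=/v1/chat status=200",
    f"2024-05-01T10:01:03Z key={KEY_B} ip=203.0.113.8 path=/v1/chat status=429",
    f"2024-05-01T10:01:04Z key={KEY_B} ip=203.0.113.8 path=/v1/chat status=429",
    f"2024-05-01T10:01:05Z key={KEY_B} ip=203.0.113.8 path=/v1/chat status=429",
]

if __name__ == "__main__":
    print(redact_keys("Authorization: Bearer " + KEY_A))
    for kid, reasons in flag_abnormal_calls(SAMPLE_LOG).items():
        print(kid, reasons)
```

The thresholds are deliberately low so the constructed log trips them; in practice they come from the key's normal baseline, and the masked id in the report is what you quote when asking for the key to be disabled.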
Account & Session
- Login failure messages should not distinguish between a non-existent username, a wrong password and a disabled or locked account, so as to reduce enumeration risk.
- Write operations involving cookie sessions should validate Origin or use equivalent CSRF protection.
- Sensitive write operations should have permission checks, confirmation prompts, audit trails and rollback strategies.
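The first two points above (one failure message for every login failure cause, and an Origin check on cookie-authenticated writes), as an added example that is not the provider's own code. The user store, the PBKDF2 parameters, the allowed origin and the function names are assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# --- Login: one failure message for every failure cause ---------------------------

_ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store (salt fixed only so the example is deterministic).
_SALT = b"constructed-example-salt"
USERS = {
    "alice": {"salt": _SALT, "hash": _hash("correct horse", _SALT), "active": True},
    "mallory": {"salt": _SALT, "hash": _hash("hunter2", _SALT), "active": False},
}
# Hash compared against for unknown usernames, so the unknown-user path does the same work.
_DUMMY_HASH = _hash("not-a-real-password", _SALT)

GENERIC_FAILURE = "Invalid username or password."


def login(username, password, users=USERS):
    """Return (ok, message). The message is identical whether the user does not exist,
    the password is wrong or the account is disabled; the specific cause belongs in the
    server-side audit log, not in the response."""
    record = users.get(username)
    salt = record["salt"] if record else _SALT
    expected = record["hash"] if record else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash(password, salt), expected)
    if record is None or not password_ok or not record["active"]:
        return False, GENERIC_FAILURE
    return True, "ok"


# --- CSRF guard for cookie-session write operations ------------------------------

ALLOWED_ORIGINS = {"https://app.example.com"}  # assumed first-party origin(s)


def origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Accept a request only when its Origin (or, if absent, the Referer's origin) is a
    known first-party origin. A missing or "null" Origin is rejected: browsers attach
    Origin to cross-site POSTs, so its absence gives no assurance."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is None and h.get("referer"):
        parts = urlsplit(h["referer"])
        if parts.scheme and parts.netloc:
            origin = f"{parts.scheme}://{parts.netloc}"
    if not origin or origin == "null":
        return False
    return origin in allowed


def authorize_write(method, headers, authenticated_by_cookie):
    """Return (allowed, reason) for a state-changing endpoint. The check applies only to
    requests authenticated by a browser cookie, which a cross-site form can replay;
    requests authenticated by an explicit API key header cannot be forged that way.
    Writes must never be reachable via GET, or this guard is bypassed."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if not authenticated_by_cookie:
        return True, "not cookie-authenticated"
    if origin_allowed(headers):
        return True, "origin allowed"
    return False, "cross-site request rejected"


if __name__ == "__main__":
    print(login("alice", "correct horse"))
    print(login("nobody", "anything"))
    print(authorize_write("POST", {"Origin": "https://evil.example"}, True))
```

The dummy hash matters as much as the generic message: if the unknown-user branch skipped the password hash, response time alone would reveal which usernames exist. The Origin check is one accepted CSRF defence; a synchronizer token or SameSite cookies are the equivalents the text allows for.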
Report Security Issues
- If you discover a vulnerability, Key leak, abnormal charges or suspicious calls, submit via the Contact page with Request ID, time range and impact description.
- Please do not publish reproducible vulnerability details, real Keys, account info or request content in public channels.