Security
The Security tab sets cross-origin resource sharing (CORS), rate limiting, security response headers, password requirements, and authentication behavior. Go to Settings → Security to access these settings.
CORS settings
Control which origins can access your API. An origin is the scheme, host, and port as the browser sends them in the Origin request header (for example https://app.example.com), so a production site and a local development server are separate entries. Add only origins you control.
| Setting | Description |
|---|---|
| Enable CORS | When turned on, enables CORS for this project. |
| Allowed Origins | List of allowed CORS origins. Click + Add Origin to add more. |
Rate limiting
Set rate limits to prevent abuse.
| Setting | Default | Description |
|---|---|---|
| Requests Per Minute | 60 | Maximum number of requests allowed per minute. |
| Burst Limit | 100 | Maximum number of concurrent requests allowed. |
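How the two settings interact, as an added example that is not the product's implementation: a token-bucket limiter where Requests Per Minute is the sustained refill rate and Burst Limit is the bucket capacity. That mapping is an assumption for the example, not something the page states. The client key, the `rateLimited` wrapper and the 429 response are also constructed here; the time argument is injectable so the behaviour can be checked without waiting.

```javascript
// Added example: token bucket parameterised like the Rate limiting table.
// Assumption (not stated on the page): "Requests Per Minute" is the refill
// rate and "Burst Limit" the bucket capacity, so a fresh client may spend
// 100 tokens at once but then earns only 60 new ones per minute.
class TokenBucket {
  constructor({ requestsPerMinute = 60, burstLimit = 100 } = {}) {
    this.refillPerMs = requestsPerMinute / 60000;
    this.capacity = burstLimit;
    this.buckets = new Map(); // key -> { tokens, last }
  }

  // Consume one token for `key`. Returns { allowed, remaining, retryAfterMs }.
  // `now` (ms) is injectable for tests; production code uses Date.now().
  take(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: now };
      this.buckets.set(key, b);
    }
    const elapsed = Math.max(0, now - b.last);
    b.tokens = Math.min(this.capacity, b.tokens + elapsed * this.refillPerMs);
    b.last = now;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterMs: 0 };
    }
    // Time until one whole token has accrued.
    const retryAfterMs = Math.ceil((1 - b.tokens) / this.refillPerMs);
    return { allowed: false, remaining: 0, retryAfterMs };
  }
}

// Choosing the key is the security-relevant part: behind a reverse proxy
// req.socket.remoteAddress is the proxy, so every user shares one bucket.
// Trust X-Forwarded-For only when a proxy you control sets it; otherwise a
// client can forge it and get a fresh bucket per request.
function clientKey(req, trustProxy = false) {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxy && typeof xff === "string" && xff.length > 0) {
    return xff.split(",")[0].trim(); // leftmost = original client
  }
  return req.socket.remoteAddress;
}

// Wrap a handler: respond 429 with Retry-After when the bucket is empty.
function rateLimited(limiter, handler, trustProxy = false) {
  return (req, res) => {
    const verdict = limiter.take(clientKey(req, trustProxy));
    res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
    if (!verdict.allowed) {
      res.writeHead(429, { "Retry-After": String(Math.ceil(verdict.retryAfterMs / 1000)) });
      res.end("rate limit exceeded\n");
      return;
    }
    handler(req, res);
  };
}
```

With the defaults, a client that fires 150 requests in the same instant gets 100 through and 50 rejected, and then one more request per second.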
Other security settings
Set standard security response headers. The default CSP, default-src 'self', allows only same-origin scripts, styles, images, fonts and connections, and blocks inline scripts and styles, so adjust it to what your pages actually load. X-XSS-Protection is a legacy header that Chromium-based browsers and Firefox ignore; CSP is the effective cross-site scripting control. X-Frame-Options SAMEORIGIN stops other origins from framing the application (clickjacking).
| Setting | Default | Description |
|---|---|---|
| CSP Header Value | default-src 'self' | Content Security Policy header value. |
| X-XSS-Protection | 1; mode=block | X-XSS-Protection header value. |
| X-Frame-Options | SAMEORIGIN | X-Frame-Options header value. |
Password policy
Define password requirements for user accounts. Minimum Length and History Count do most of the work; forced rotation via Maximum Age tends to produce predictable variations of the previous password, and NIST SP 800-63B recommends expiring passwords only on evidence of compromise, so consider a long maximum age.
| Setting | Default | Description |
|---|---|---|
| Minimum Length | 8 | Minimum number of characters required. |
| Maximum Age (days) | 90 | Days before password expiration. |
| History Count | 5 | Number of previous passwords to remember (prevents reuse). |
Character requirements
Enable or disable specific character requirements:
| Requirement | Default | Description |
|---|---|---|
| Require Uppercase | Enabled | Require at least one uppercase letter. |
| Require Lowercase | Enabled | Require at least one lowercase letter. |
| Require Numbers | Enabled | Require at least one number. |
| Require Special Characters | Enabled | Require at least one special character. |
Authentication settings
Set how users authenticate with your application. Use a different value for JWT Secret and Refresh Token Secret so a refresh token can never be accepted in place of an access token.
| Setting | Default | Description |
|---|---|---|
| Auth Type | JWT | Authentication mechanism. |
| JWT Secret | (hidden) | Secret key for JWT signing. Click the eye icon to reveal. |
| Token Expiration (seconds) | 3600 | How long access tokens remain valid. |
| Refresh Token Secret | (hidden) | Secret key for refresh token signing. |
| Refresh Token Expiration (seconds) | 604800 | How long refresh tokens remain valid (7 days default). |
| Password Salt Rounds | 10 | bcrypt cost factor for password hashing. The hash takes 2^rounds iterations, so each increment doubles hashing time for your server and for an attacker alike. |
warning
Keep your JWT Secret and Refresh Token Secret secure. Never expose them in client-side code or public repositories. Anyone holding the JWT Secret can mint a valid token for any user, and changing it invalidates every token signed with the old value, so plan a rotation around the token lifetimes above.
Related
- Settings Overview
- Roles — Set user roles and permissions