# Security

Security documents how AeThex protects identity, data, projects, organizations, APIs, and operational systems.

<div class="docs-section-heading">
  <h2>Security posture</h2>
  <p>Security is a platform-wide responsibility, not a single feature.</p>
</div>

Security spans [[Passport]], [[Authentication]], [[Permissions]], [[Security-Model]], infrastructure, API behavior, secret handling, audit logs, and user education.

## Security priorities

- Protect identity and session flows.
- Keep secrets out of client code and public repos.
- Enforce least-privilege permissions.
- Audit sensitive actions.
- Harden API and webhook integrations.
- Document incident response and disclosure expectations.

## Practical checklist

1. Use Passport for identity flows.
2. Validate tokens server-side.
3. Check authorization after authentication.
4. Rotate compromised credentials.
5. Log admin and security-sensitive actions.
6. Review access regularly.

<div class="docs-grid">
<a class="docs-card" href="/Security-Model">Security Model</a>
<a class="docs-card" href="/Authentication">Authentication</a>
<a class="docs-card" href="/Permissions">Permissions</a>
<a class="docs-card" href="/Policies">Policies</a>
</div>

> [!WARNING]
> Never paste production secrets, tokens, private keys, or credentials into public docs, tickets, chats, screenshots, or issue trackers.
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9