Runtime security
Security-relevant runtime defaults for app origin, image hosts, browser headers, and protected routes.
Runtime security
The template includes baseline runtime safeguards that should stay visible when the service is adapted for production.
Public application URL
Production deployments require a configured public base URL. Keep BETTER_AUTH_URL,
NEXT_PUBLIC_APP_BASE_URL, and any deployment-domain logic aligned with the real domain users open
in the browser.
Remote images
Image optimization uses a strict remote host policy. Add only the image hosts that the product needs. Do not allow arbitrary remote image domains.
Browser headers
The application sets baseline browser security headers globally. Review them before adding embeds, iframes, or third-party scripts so product requirements do not weaken the default protection silently.
Route protection
Protected pages require a valid Better Auth session. /api/v1 is intentionally outside the browser
session boundary and authenticates with API keys instead.