Skip to main content

Runtime security

Security-relevant runtime defaults for app origin, image hosts, browser headers, and protected routes.

SectionApplication / Runtime
PurposeRuntime security reference
UpdatedJul 6, 2026
AuthorTemplate Maintainers
Versionv1.2.0
Reading time1 min

Runtime security

The template includes baseline runtime safeguards that should stay visible when the service is adapted for production.

Public application URL

Production deployments require a configured public base URL. Keep BETTER_AUTH_URL, NEXT_PUBLIC_APP_BASE_URL, and any deployment-domain logic aligned with the real domain users open in the browser.

Remote images

Image optimization uses a strict remote host policy. Add only the image hosts that the product needs. Do not allow arbitrary remote image domains.

Browser headers

The application sets baseline browser security headers globally. Review them before adding embeds, iframes, or third-party scripts so product requirements do not weaken the default protection silently.

Route protection

Protected pages require a valid Better Auth session. /api/v1 is intentionally outside the browser session boundary and authenticates with API keys instead.