Security in practice
I only publish demos with clear data boundaries, documented risk scope, and explicit ownership.
Principles
- Data minimization first: only the minimum required data is processed.
- Access is scoped, and temporary test credentials are removed before release.
- Every demo states what it does, what it does not do, and where data is not reused.
Release checklist
- Dependencies and deployment settings reviewed.
- External integrations and secret handling verified.
- Core error paths and rollback notes documented.
Production-first trust
- No public AI input processing in showroom pages.
- Cost control through limited and predictable runtime paths.
- Privacy-first logging that records only the operational minimum of data.
- CSP and asset hygiene with no external runtime script/style/font dependencies.
Tooling and boundaries
I use lightweight tooling and keep operational limitations transparent. Practical patterns are listed on a dedicated page.