Skip to main content

Security

SDK signing

Validate:

  • X-Qefro-Signature
  • X-Qefro-Timestamp
  • protocol headers

Secrets

  • store in secret manager
  • rotate regularly
  • avoid plaintext in source control

Least privilege

  • narrow tool permissions
  • separate staging and production credentials

Production recommendations

  • short token lifetimes
  • access logs and audit review
  • periodic secret rotation drills