Zephexzephex
Dashboard

Security

Zephex is built around hosted HTTP transport, API-key authentication, strict input validation, and auditable request handling.

TRANSPORT
  • All endpoint traffic is expected to use HTTPS.
  • Security headers and redirect behavior should be validated with audit_headers after deploy.
  • The hosted MCP endpoint avoids local stdio transport and local package bridges.
KEYS
  • API keys are hashed in storage. Plaintext keys are not retained server-side.
  • If a key is exposed, rotate it immediately from the dashboard.
  • Keep separate keys by environment to reduce blast radius.
SESSIONS
  • Browser sessions should use secure cookie flags and short-lived access tokens.
  • Auth endpoints should be rate limited.
  • Editor traffic should always present a Bearer key explicitly.
MONITORING
  • Monitor failed authentication attempts and unusual request spikes.
  • Use audit logging for auth events and data changes.
  • Review rate-limit events and suspicious usage in the dashboard or support channel.