Security

Last updated: 2026-03-13

Core controls

  • Tenant-scoped authorization and access checks on protected routes
  • CSRF protection for state-changing actions
  • Session hardening with version-based invalidation support
  • Rate limiting on auth and operational endpoints
  • Audit-oriented security telemetry and anomaly signaling

Operational safeguards

  • Controlled rollout flags with rollback runbook
  • Protection against replay and cross-session use of billing redirect tokens
  • Pre-deploy backup gate in production smoke workflow

Security contact

Report potential vulnerabilities to support@carbonml.co.