security/best-practices.md
Security Best Practices
Auth
- keep `MINO_AUTH_MODE=api-key`
- never expose API keys in logs
- use `X-Mino-Key` exactly
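
One way to enforce the "never expose API keys in logs" item is a logging filter that scrubs the `X-Mino-Key` header value before the handler emits the record. This is an added example, not code from the Mino project; the key value format, the log line shapes and the logger name are assumptions, and the sample lines are constructed.

```python
import logging
import re

# Matches the X-Mino-Key header in common log shapes (raw header line,
# dict/JSON dump, curl -H argument). Assumption: the key value is any run of
# characters up to a quote, comma, semicolon, whitespace or closing bracket.
_KEY_RE = re.compile(
    r"""(?ix)
    (x-mino-key ["']? \s* [:=] \s* ["']?)   # header name and separator
    ([^"'\s,;}\]]+)                         # the secret value
    """
)
REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Replace any X-Mino-Key value in text with a fixed marker."""
    return _KEY_RE.sub(lambda m: m.group(1) + REDACTED, text)


class MinoKeyRedactor(logging.Filter):
    """Scrub the key from the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed via %-style args are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo() -> list:
    """Run constructed log lines through the filter and return the output."""
    out = []

    class Collect(logging.Handler):
        def emit(self, record):
            out.append(record.getMessage())

    log = logging.getLogger("mino-redact-demo")  # hypothetical logger name
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = Collect()
    handler.addFilter(MinoKeyRedactor())
    log.addHandler(handler)
    # Constructed samples; "sample-key-123" is not a real key.
    log.info("GET /api/v1/security/audit X-Mino-Key: sample-key-123 200")
    log.info("headers=%s", {"X-Mino-Key": "sample-key-123", "Accept": "*/*"})
    log.info("curl -H 'x-mino-key: sample-key-123' https://example.invalid/")
    return out
```

Attach the filter to every handler that writes to disk or ships logs off-host, since a filter on one handler does not protect the others.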
Network
- prefer relay mode if you do not need direct ingress
- if exposing directly, use HTTPS and reverse proxy hardening
- restrict CORS origins to trusted hosts
Ops
- monitor `/api/v1/security/audit` regularly
- keep container images updated
- preserve and secure `/data` backups
- rotate relay pair code if onboarding links are leaked