# Security notes

The anti-inspect feature is a deterrent only: any browser can read the HTML, CSS and JavaScript delivered to it, so keep real business logic and API keys on the server.

Implemented protections:

- Session-based authentication
- Admin authorization middleware
- Subscription gate middleware
- CSRF protection through Laravel web routes
- API key middleware for API route examples
- Security headers middleware
- Rate limiting on login/register/AI routes
- Encrypted payment gateway settings cast
- Payment callback verification adapter layer
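
As an added illustration of the security headers item above (example code written for these notes, not the project's own middleware), the following Laravel middleware sets a baseline header set on every response. The header values, the `SecurityHeaders` class name and the CSP policy are assumptions that must be tuned to the application's real script and style origins.

```php
<?php
// Added example, not the project's own code. Sets baseline security headers
// on every response; the values below are assumptions to adapt per deployment.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        /** @var Response $response */
        $response = $next($request);

        $headers = [
            // Stop MIME sniffing of responses into executable types
            'X-Content-Type-Options' => 'nosniff',
            // Legacy clickjacking defence; CSP frame-ancestors covers modern browsers
            'X-Frame-Options' => 'DENY',
            'Referrer-Policy' => 'strict-origin-when-cross-origin',
            'Permissions-Policy' => 'camera=(), microphone=(), geolocation=()',
            // CSP is the header that most needs per-application tuning (assumed policy)
            'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
        ];

        // Only emit HSTS over HTTPS: browsers ignore it on plain HTTP, and a
        // misconfigured HTTP-only host should not pin itself into an outage.
        if ($request->isSecure()) {
            $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
        }

        foreach ($headers as $name => $value) {
            $response->headers->set($name, $value);
        }

        return $response;
    }
}
```

Register it as global middleware (in `bootstrap/app.php` via `$middleware->append(SecurityHeaders::class)` on Laravel 11, or in the `$middleware` array of `app/Http/Kernel.php` on earlier versions) so API and web routes receive the same headers. A quick check after deployment is `curl -sI https://example.test/ | grep -i -E 'content-security|strict-transport|x-frame'` against the real host.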

Recommended before launch:

- Add provider-specific callback signature verification for every MFS provider
- Add two-factor admin authentication
- Add queue-based AI generation for heavy traffic
- Add audit logs for admin changes
- Add backup policy and WAF/CDN
- Perform penetration testing
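
The first recommendation above (provider-specific callback signature verification) is the one most likely to be skipped under launch pressure, so here is an added worked example of what one such verifier looks like in the adapter layer. This is example code written for these notes, not the project's existing adapter; the `HmacCallbackVerifier` class, the `X-Provider-Signature` and `X-Provider-Timestamp` header names, the HMAC-SHA256 scheme and the `transaction_id` field are all assumptions. Every real MFS provider documents its own scheme (some use asymmetric signatures or IP allowlists instead), so one verifier is needed per provider, each fed its secret from the encrypted gateway settings.

```php
<?php
// Added example, not the project's own code. Verifies a payment callback
// before any order state changes: signature over the raw body, freshness
// window, constant-time comparison and a one-shot idempotency key.

namespace App\Payments\Callbacks;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use RuntimeException;

final class HmacCallbackVerifier
{
    public function __construct(
        private string $secret,                                  // per-provider secret from encrypted settings
        private string $signatureHeader = 'X-Provider-Signature', // assumed header name
        private string $timestampHeader = 'X-Provider-Timestamp', // assumed header name
        private int $maxSkewSeconds = 300,                       // reject callbacks older than five minutes
    ) {}

    /** Returns the decoded payload on success; throws on any verification failure. */
    public function verify(Request $request): array
    {
        $provided  = (string) $request->header($this->signatureHeader, '');
        $timestamp = (string) $request->header($this->timestampHeader, '');
        $raw       = $request->getContent();

        // Fail closed: a missing signature is never treated as "unsigned but fine"
        if ($provided === '' || !ctype_digit($timestamp)) {
            throw new RuntimeException('Missing callback signature or timestamp');
        }

        // Freshness window limits replay of a captured, validly signed request
        if (abs(time() - (int) $timestamp) > $this->maxSkewSeconds) {
            throw new RuntimeException('Callback timestamp outside allowed window');
        }

        // Sign the raw bytes, never a re-serialised array: re-encoding can differ
        // byte-for-byte from what the provider signed and break valid callbacks.
        $expected = hash_hmac('sha256', $timestamp . '.' . $raw, $this->secret);

        // hash_equals compares in constant time, so the signature cannot be
        // recovered byte by byte through response timing
        if (!hash_equals($expected, strtolower($provided))) {
            throw new RuntimeException('Invalid callback signature');
        }

        $payload = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);

        // Idempotency: providers legitimately retry, and a replayed callback must
        // not credit an order twice. Cache::add succeeds only for the first writer.
        $txId = $payload['transaction_id'] ?? null; // assumed payload field
        if (!is_string($txId) || $txId === ''
            || !Cache::add("payment-callback:{$txId}", true, $this->maxSkewSeconds * 2)) {
            throw new RuntimeException('Duplicate or unidentified callback');
        }

        return $payload;
    }
}
```

In the controller, call `verify()` first and only then load and update the order; log the `RuntimeException` message with the provider name and source IP so that failed verifications show up as a detection signal rather than a silent 4xx. Use a persistent cache store (database or Redis) for the idempotency key; the `array` driver forgets it on every request.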
