This document outlines security best practices implemented in this repository and verification steps before sharing.

• ✅ .env.local excluded from version control via .gitignore
• ✅ .env.example contains only placeholder values
• ✅ All environment variables prefixed with VITE_ for Vite security model
• ✅ No hardcoded API keys or secrets in source code

• ✅ .gitignore configured to exclude:
  • All .local files
  • Environment configuration files
  • Build artifacts
  • Editor-specific files
  • Validation and temporary files
  • Playwright MCP cache

• ✅ README includes security warnings about .env.local
• ✅ Setup instructions emphasize never committing credentials
• ✅ Blog post contains no actual API keys or sensitive endpoints
• ✅ Screenshots contain no visible API keys or sensitive data

• ✅ API keys accessed only via environment variables
• ✅ No credentials logged to console
• ✅ Error messages don't expose sensitive information
• ✅ TypeScript type safety for all configurations

Before pushing to a public repository, verify:

# Search for potential secrets in tracked files
git grep -i "api[_-]key" -- ':!.env.example'
git grep -i "password"
git grep -i "secret"
git grep -i "token" -- ':!package*.json'

# Check for specific endpoint patterns
git grep -E "https://.*\.cognitiveservices\.azure\.com" -- ':!.env.example' ':!BLOG_POST.md' ':!README.md'

# This should return "Ignored files"
git status --ignored

# This should NOT show .env.local
git ls-files

# Check what will be committed
git diff --cached

# Ensure no .env.local changes
git diff --cached -- .env.local

# List untracked files
git status --short

# Remove unnecessary files
git clean -n  # Dry-run first
git clean -fd # Actually remove

If you accidentally commit API keys or secrets:

1. Rotate Compromised Keys Immediately

   • Go to Azure Portal
   • Navigate to your resource → Keys and Endpoints
   • Click "Regenerate" for compromised keys
   • Update .env.local with new keys

2. Remove from Git History

   # For the last commit
   git rm --cached .env.local
   git commit --amend --no-edit
   git push --force
   
   # For older commits, use git filter-branch or BFG Repo-Cleaner

3. Verify Removal

   git log --all --full-history -- .env.local

4. Monitor Azure Resource

   • Check for unusual API usage
   • Review audit logs
   • Set up alerts for suspicious activity

• No API keys in any committed files
• No sensitive endpoints in code (only in .env.example as placeholders)
• .env.local not tracked by Git
• .gitignore properly configured
• All secrets rotated if previously exposed
• README includes security warnings
• Screenshots reviewed for sensitive data
• Package.json has proper metadata
• Dependencies are up-to-date
• No personal info in commit messages
• License file added (if applicable)

For production deployments beyond this demo:

• Use Azure Key Vault for secret management
• Enable Managed Identity instead of API keys
• Set up Azure Private Link for network isolation
• Configure Azure Monitor for audit logging
• Enable Azure Defender for threat protection

• Implement rate limiting on API endpoints
• Add authentication/authorization for user access
• Use HTTPS only (configured in Azure App Service)
• Enable CORS with specific origins only
• Implement input validation on user prompts
• Add output filtering for sensitive data

• Use separate environments (dev, staging, prod)
• Implement secret scanning in CI/CD pipelines
• Require code reviews for all changes
• Enable dependency scanning (GitHub Dependabot)
• Use branch protection rules

• Azure Security Best Practices
• OWASP Top 10
• Git Secret Scanning
• Azure Key Vault Documentation

Last Updated: February 4, 2026 Status: ✅ All security checks passed - Repository is clean for public sharing