Security

Security principles for search diagnostics.

Search data can reveal strategy. Search Lighthouse treats diagnostics, CSV uploads, and OAuth tokens as sensitive product data.

Server-side secrets

OpenAI, Supabase service role, Stripe, and Google OAuth secrets are held as server-only environment variables: they are read on the server and are never inlined into browser bundles.
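A build-step check for that rule, written for this page as an added example and not taken from Search Lighthouse's own code: it scans the emitted client bundle for the literal values of the server-only variables present at build time, for references to those variable names, and for well-known secret formats (Stripe sk_live_/sk_test_ keys, OpenAI sk- keys, and Supabase JWTs whose role is service_role rather than anon), so a key pasted into client code is caught even when the build environment differs. The variable names, the sample environment and both sample bundles are constructed for the example.

```javascript
"use strict";

// Variables that must never reach the browser (assumed names for this example).
const SERVER_ONLY_VARS = [
  "OPENAI_API_KEY",
  "SUPABASE_SERVICE_ROLE_KEY",
  "STRIPE_SECRET_KEY",
  "GOOGLE_CLIENT_SECRET",
  "GOOGLE_TOKEN_ENCRYPTION_KEY",
];

// Format-based detectors: catch a secret even if it is not in the build env.
const SECRET_PATTERNS = [
  { label: "stripe secret key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { label: "openai api key", re: /\bsk-[A-Za-z0-9_-]{20,}/g },
];

// Decode one base64url JWT segment into JSON, or null if it is not JSON.
function decodeJwtSegment(seg) {
  try {
    const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// A Supabase service-role key is a JWT whose payload role is "service_role";
// the anon key, which belongs in the browser, carries role "anon".
function findServiceRoleJwts(text) {
  const jwtRe = /\beyJ[A-Za-z0-9_-]+\.(eyJ[A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+/g;
  const hits = [];
  for (const m of text.matchAll(jwtRe)) {
    const payload = decodeJwtSegment(m[1]);
    if (payload && payload.role === "service_role") hits.push(m[0]);
  }
  return hits;
}

// Returns findings of kind "value" (a secret's literal value is in the bundle),
// "reference" (the bundle names a server-only variable, e.g. via process.env),
// or "format" (a string shaped like a known secret type).
function findSecretLeaks(bundleText, env) {
  const findings = [];
  for (const name of SERVER_ONLY_VARS) {
    const value = env[name];
    // Skip short values: they would match by coincidence.
    if (typeof value === "string" && value.length >= 16 && bundleText.includes(value)) {
      findings.push({ kind: "value", detail: name });
    }
    if (bundleText.includes(name)) findings.push({ kind: "reference", detail: name });
  }
  for (const { label, re } of SECRET_PATTERNS) {
    for (const m of bundleText.matchAll(re)) {
      findings.push({ kind: "format", detail: `${label}: ${m[0].slice(0, 8)}...` });
    }
  }
  for (const _jwt of findServiceRoleJwts(bundleText)) {
    findings.push({ kind: "format", detail: "supabase service_role jwt" });
  }
  return findings;
}

// Intended to run after the client build; fails the build on any finding.
function assertNoSecretLeaks(bundleText, env) {
  const findings = findSecretLeaks(bundleText, env);
  if (findings.length > 0) {
    throw new Error("secret leak in client bundle: " + findings.map((f) => `${f.kind}=${f.detail}`).join(", "));
  }
  return true;
}

// Constructed sample data; none of these are real keys.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_ENV = {
  OPENAI_API_KEY: "sk-constructedexamplekey0000000000",
  STRIPE_SECRET_KEY: "sk_test_constructedexamplekey000",
};
const SERVICE_ROLE_JWT = `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url({ role: "service_role" })}.constructedsig`;
const ANON_JWT = `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url({ role: "anon" })}.constructedsig`;
const CLEAN_BUNDLE = `const sb=createClient("https://example.supabase.co","${ANON_JWT}");fetch("/api/diagnose")`;
const LEAKY_BUNDLE = `const admin=createClient(u,"${SERVICE_ROLE_JWT}");const k=process.env.OPENAI_API_KEY;const s="${SAMPLE_ENV.STRIPE_SECRET_KEY}"`;
```

The anon key in the clean bundle is not flagged because the check decodes the JWT payload and looks at the role claim instead of treating every JWT as a leak; the leaky bundle produces four findings (one reference, one value, two format hits).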

Provider tokens

Google Search Console OAuth tokens are encrypted before they are stored when GOOGLE_TOKEN_ENCRYPTION_KEY is configured; a deployment that does not set that key stores them without this encryption layer. Users can disconnect Search Console from account settings.

Usage controls

AI calls are rate-limited on the backend, so a client that disables or bypasses the frontend controls still cannot drive runaway cost.
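The property that makes a backend limit hold is what it is keyed on: the user id from the verified session, never a header or body field the client controls. The following is an added example of that shape, not Search Lighthouse's own limiter; the token-bucket parameters, the injected clock and the request shape are assumptions for the example.

```javascript
"use strict";

// Per-user token bucket: `capacity` calls available at once, refilled at
// `refillPerSecond`. `now` is injectable so behaviour can be tested offline.
class TokenBucketLimiter {
  constructor({ capacity, refillPerSecond, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
    this.buckets = new Map(); // userId -> { tokens, updatedAt }
  }

  // Tries to spend `cost` tokens for `userId`. Returns the decision plus a
  // Retry-After hint so the client can back off instead of hammering.
  take(userId, cost = 1) {
    const t = this.now();
    let b = this.buckets.get(userId);
    if (!b) {
      b = { tokens: this.capacity, updatedAt: t };
      this.buckets.set(userId, b);
    }
    const elapsedSec = Math.max(0, (t - b.updatedAt) / 1000);
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.updatedAt = t;
    if (b.tokens >= cost) {
      b.tokens -= cost;
      return { allowed: true, remaining: Math.floor(b.tokens) };
    }
    const retryAfterSec = Math.ceil((cost - b.tokens) / this.refillPerSecond);
    return { allowed: false, remaining: 0, retryAfterSec };
  }
}

// Simulated handler for an AI endpoint. `session` is the server-side result of
// verifying the caller's auth token; `body` is untrusted client input.
function handleAiRequest(limiter, session, body) {
  if (!session || !session.userId) return { status: 401 };
  // body.userId is deliberately ignored: honouring a client-supplied id would
  // let a caller spend another account's quota or mint fresh buckets at will.
  const decision = limiter.take(session.userId, 1);
  if (!decision.allowed) return { status: 429, retryAfter: decision.retryAfterSec };
  return { status: 200, remaining: decision.remaining };
}
```

In a multi-instance deployment the Map would be replaced by shared storage (a database row or a cache with atomic increments); the keying rule is the same.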

Report access

Dashboard reports are loaded only after an authenticated, Supabase-backed ownership check. Anonymous scan links are served by separate routes from the workspace-only report routes.