Security principles and implementation for the vibe-coding-starter-kit.

• Frontend -> API: CORS-restricted to configured origins, scoped to GET/POST/DELETE/OPTIONS
• API -> B2: Authenticated via B2_APPLICATION_KEY_ID + B2_APPLICATION_KEY, signature v4
• Client -> B2: Presigned URLs for download (10-min expiry, Content-Disposition: attachment)

• Filename sanitization: path traversal, null bytes, unsafe chars stripped
• MIME/extension consistency check against allowlist
• Chunked streaming with size enforcement (100MB default)
• Content-type allowlist (images, PDFs, text, archives, audio/video)
• Empty file rejection

• All file endpoints require keys to start with allowed prefixes (uploads/)
• Path traversal patterns rejected (../, %2e%2e, null bytes)

• Presigned URLs force Content-Disposition: attachment
• Prevents inline rendering of user-uploaded content (XSS mitigation)

• All secrets loaded via environment variables (pydantic-settings)
• Never committed to source control
• .env.example documents required variables without values

• Never commit .env, credentials, or API keys
• Never weaken validation without explicit instruction
• Never bypass CORS, auth, or input sanitization
• Always validate at system boundaries