AI_SHORTS Compliance

Security Overview

High-level controls used to protect accounts, workspace data, and publishing workflows.

Last updated: 2026-05-26

Core controls

  • OAuth access/refresh tokens are encrypted at rest.
  • OAuth token fields are not exposed in frontend DTOs or public API serializers.
  • Session cookies use HttpOnly, Secure, and SameSite protections.
  • CSRF defenses and request validation are applied for cookie-based authenticated actions.
  • Rate limits protect auth, OAuth, upload, and publish endpoints from abuse.
  • Workspace isolation controls prevent cross-tenant media/account access.
  • Storage is non-public, using signed/same-origin upload paths and controlled object access.
  • Media delete flows verify storage cleanup behavior where possible.
  • Publish attempts are auditable with status/error tracking and token-safe logging.
  • CI guardrails include secret scanning and security verification scripts.

Credential model

AI_SHORTS uses official OAuth authorization flows and does not request social platform passwords from users.

Responsible disclosure

To report a security issue, contact support@ai-shorts.ru with reproduction details and impact notes.