> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kleap.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Keep your app and data safe

Kleap builds fast **static Astro sites**, and a lot of security is handled for you. Because your published site is static, there's no server code or secret keys living inside it for attackers to reach. This page explains what's protected automatically and the few things you should still keep in mind.

## Safe by default

Every Kleap site ships with these protections built in:

* **HTTPS everywhere** - SSL is automatic on your `{app}.kleap.io` address and on any custom domain you connect. Nothing to configure.
* **No server secrets in the site** - Your published site is static HTML/CSS/JS. Kleap never bundles secret keys or credentials into it.
* **Server-validated forms** - Form submissions are validated, sanitized, and rate-limited by Kleap before they reach you. No setup required.
* **Secure headers** - XSS protection, HSTS, and other hardening headers are applied for you.
* **Pre-build checks** - Before publishing, Kleap scans for accidentally exposed secrets and unsafe patterns.

## Pre-Build Security Checks

Before your site goes live, Kleap automatically scans for:

* **Exposed secrets** - Secret API keys or passwords accidentally placed in the site
* **Hardcoded credentials** - Tokens or private keys that don't belong in a public site
* **Unsafe patterns** - Risky code such as injecting unescaped user content (XSS risks)

<Warning>
  Never paste secret keys, passwords, or private tokens into your prompts or anywhere in your site. Anything in a published static site is public. See "Keep secrets out of your site" below.
</Warning>

## Keep secrets out of your site

Your published site is static, which means **anything inside it can be viewed by anyone**. That's fine for the code that runs your pages, but it means secrets must never live there.

* **Publishable keys are OK.** Keys that are designed to be public — like a Stripe **publishable** key (`pk_live_...` / `pk_test_...`) — are safe to include in a site.
* **Secret keys are never OK.** A secret key (`sk_live_...`), database password, or private API token must **never** appear in your site or in a prompt.

```txt theme={null}
✅ Safe in a site:  Stripe publishable key  pk_live_...
❌ Never in a site: Stripe secret key       sk_live_...
❌ Never in a site: passwords, private tokens, database credentials
```

If a feature you want needs a secret to work, it belongs on a server — not in a static site. Kleap's built-in **Database** and **Forms** (below) already handle the common cases server-side for you.

## User accounts & dynamic data

Need logins, saved data, or content that changes per user? Turn on the **Kleap Database** — a managed database with built-in user accounts. It's optional and available on demand; just ask the AI to add it when your app needs it. You don't connect or manage any outside database yourself.

### Built-in accounts

Kleap Database includes **email + password user accounts** with the sign-up and log-in UI provided for you. Passwords are hashed and sessions are managed securely — you don't have to build any of it.

### Each user sees only their own data

Data access is scoped per user, so each signed-in user can only see and change **their own rows**. This is the primary defense for your data: even though many users share one database, Kleap keeps everyone's data separated at the database level.

<AccordionGroup>
  <Accordion title="Scope data to the signed-in user">
    Kleap ensures a user only ever reads or writes rows that belong to them. When you add data features through Kleap, ask the AI to make sure each table is scoped to the current user so no one can read someone else's records.

    ```
    Make sure my [posts] table is protected so each user
    can only see and edit their own rows.
    ```
  </Accordion>

  <Accordion title="Protect pages behind a login">
    For pages that should only be visible to signed-in users (like a dashboard or account area), put them behind a login gate. Ask the AI to add authentication so visitors must sign in before they can view the page.

    ```
    Add a login and only let signed-in users see the dashboard page.
    ```
  </Accordion>

  <Accordion title="Let Kleap validate input">
    You don't write server code, so input validation on saved data and form submissions is handled by Kleap. Still keep messages and inputs sensible on the page (e.g. required fields, reasonable lengths) for a good user experience.
  </Accordion>
</AccordionGroup>

## Forms

Contact and lead forms you add with Kleap are handled server-side by Kleap. Every submission is **validated, sanitized, and rate-limited** automatically, then delivered to your dashboard. There's nothing to configure and no keys to manage — spam and abuse protection is built in.

## Common Vulnerabilities

### What Kleap helps prevent

| Vulnerability                | Protection                                                               |
| ---------------------------- | ------------------------------------------------------------------------ |
| **Exposed secrets**          | Pre-build scanning; static sites carry no server secret keys             |
| **XSS**                      | Content is auto-escaped by default; unsafe raw-HTML patterns are flagged |
| **Insecure transport**       | HTTPS enforced automatically on every site and custom domain             |
| **Form spam / abuse**        | Kleap validates, sanitizes, and rate-limits every submission             |
| **Data leaks between users** | Each user is scoped to their own rows                                    |

### What you should keep in mind

* **Keep secrets out of the site** - Only publishable keys belong in a static site.
* **Don't expose sensitive data** - Don't display private information on a public page.
* **Protect the right pages** - Put account/dashboard pages behind a login.
* **Scope data per user** - Confirm each data feature is limited to the signed-in user.

## Security Checklist

Before launching, verify:

<Steps>
  <Step title="No secrets in the site">
    Only publishable keys are used; no secret keys, passwords, or private tokens anywhere in the site or your prompts.
  </Step>

  <Step title="Accounts (if used)">
    If your app has logins, they use Kleap's built-in accounts.
  </Step>

  <Step title="Data scoped per user">
    If you store data, Kleap limits each user to their own rows.
  </Step>

  <Step title="Protected pages">
    Private pages (dashboards, account areas) are behind a login.
  </Step>

  <Step title="HTTPS">
    Your site and any custom domain load over HTTPS (automatic with Kleap).
  </Step>
</Steps>

## Reporting Vulnerabilities

Found a security issue? Contact us:

* Email: [security@kleap.co](mailto:security@kleap.co)
* We'll respond within 24 hours
* Responsible disclosure appreciated

## Compliance

* **GDPR** - Kleap supports EU data protection practices.
* **Encryption in transit** - All traffic is served over HTTPS/TLS.
* **Other requirements** - Have a specific compliance need? [Contact us](mailto:security@kleap.co).

<Card title="Security Tips" icon="shield-check" href="/tips/security-tips">
  Detailed guide to avoiding security pitfalls
</Card>
