> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kleap.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Tips

> Keep your app and user data safe

Best practices for building secure applications with Kleap. Because Kleap publishes **static Astro sites**, much of the hard part is handled for you — but a few habits keep your app and users safe.

## The Golden Rules

<CardGroup cols={2}>
  <Card title="Keep secrets out of the site" icon="key">
    Only publishable keys belong in a static site — never secret keys.
  </Card>

  <Card title="Least privilege" icon="lock">
    Only show and store the data you actually need.
  </Card>

  <Card title="Protect the right pages" icon="shield-halved">
    Put account and dashboard pages behind a login.
  </Card>

  <Card title="Let Kleap validate" icon="layer-group">
    Forms and saved data are validated server-side for you.
  </Card>
</CardGroup>

## Keeping secrets safe

Your published site is static, so **anything inside it is public**. That changes the rules for secrets compared to a traditional server app.

```txt theme={null}
// ✅ Safe in a site — publishable keys are meant to be public
Stripe publishable key   pk_live_...

// ❌ Never in a site — anyone can read it
Stripe secret key        sk_live_...
password / private token / database credential
```

### What must stay out of your site

* Secret API keys (`sk_...`)
* Passwords and private tokens
* Database credentials
* Any other value you wouldn't post publicly

<Warning>
  Don't paste secret keys, passwords, or private tokens into your prompts either. If a feature needs a secret to work, it belongs on a server — use Kleap's built-in Database and Forms, which handle that for you.
</Warning>

## Protecting user data

If your app has logins or saves data, turn on the **Kleap Database** — a managed database with built-in user accounts. You don't connect or manage an outside database.

### Each user only sees their own data

**Per-user data isolation** is your primary defense: each signed-in user can only see and change **their own data**, even though everyone shares one database. When you add data features, ask the AI to confirm the data is scoped to the current user.

```
Can you check that my tables are protected so users can only
access their own data?
```

### Built-in accounts

Kleap Database ships with **email + password accounts** and the sign-up / log-in UI. Passwords are hashed and sessions are handled securely — you don't build any of it. To restrict who can see a page, put it behind a login:

```
Add a login and only let signed-in users see the account page.
```

## Input validation

You don't write server code on Kleap, so validation of saved data and form submissions is handled by Kleap on the server. On the page itself, still keep inputs sensible for a good experience:

* Mark required fields as required
* Keep messages and text fields to reasonable lengths
* Give clear error messages that **don't leak sensitive details**

## Forms

Any contact or lead form you add is processed server-side by Kleap. Every submission is **validated, sanitized, and rate-limited** automatically, then delivered to your dashboard. There are no keys to manage and spam protection is built in — nothing to set up.

## Preventing common attacks

### XSS (Cross-Site Scripting)

Content you display is escaped automatically, so ordinary text is safe. The risk comes from injecting **raw, unescaped HTML** from an untrusted source — avoid that pattern, and Kleap's pre-build checks will flag it if it slips in.

```txt theme={null}
✅ Safe   — display text normally; it's auto-escaped
❌ Risky  — injecting raw HTML from user input onto the page
```

### Data leaks between users

The way one user ends up seeing another user's data is missing per-user scoping. **Per-user data isolation** prevents this — confirm each data feature limits users to their own data.

### Transport security

All Kleap sites are served over **HTTPS/TLS automatically**, including custom domains, so traffic between your visitors and your site is encrypted with no setup.

## File uploads

If your app accepts uploads through a Kleap form, submissions are handled server-side with validation and rate limiting built in. Keep the on-page experience tidy by asking for only the file types and sizes you actually need.

## Security Checklist

Before launching:

* [ ] No secret keys, passwords, or private tokens anywhere in the site (only publishable keys)
* [ ] No secrets pasted into prompts
* [ ] If you store data, each signed-in user can only access their own data
* [ ] Private pages (dashboards, account areas) are behind a login
* [ ] Error messages don't leak sensitive info
* [ ] HTTPS enabled (automatic with Kleap)

## Security Review

Ask AI to review your app:

```
Can you do a security review of my app?
Check for:
- Any secrets accidentally left in the site
- Data that isn't scoped to the signed-in user
- Pages that should be behind a login
- Inputs that need clearer validation
```

<Warning>
  Security is ongoing. Regularly review your app as you add features.
</Warning>

<Card title="Security Features" icon="shield-check" href="/features/security">
  Built-in security features in Kleap
</Card>
