Encryption in transit
- Production web traffic is delivered over HTTPS.
- LMS launch and API calls should use HTTPS endpoints.
- Outbound LMS requests enforce HTTPS and configured host allowlists.
Encryption at rest
Database, object storage, and hosting providers are expected to use provider-backed encryption at rest for production data. Specific encryption implementation details depend on the configured provider, plan, region, and customer agreement.
Secrets and credentials
- Production secrets should be stored in deployment provider environment variables, not committed to source control.
- JWT secrets must be strong and unique per environment.
- High-value API keys should be rotated when exposure or operational risk is identified.