Security

Sessions use HTTP-only cookies via Supabase SSR.
Database access is scoped with row-level security.
Report concerns to security@sedora.app.