> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mufi.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Best Practices

> Security guidelines for building with the Mufi API

Follow these practices to keep your integration and your users safe.

## API Key Security

<Warning>
  A full-access API key can do anything in your project. Treat every key like a password.
</Warning>

* **Store in environment variables** — read keys from environment variables or a secrets manager at runtime; never hardcode them in source code or config files, and never commit them to version control
* **Server-side only** — API keys belong on your backend. Never ship them in client-side code, mobile apps, or browser JavaScript: a key embedded in a client can be extracted from the bundle or intercepted on the wire. Route every Mufi call through your own backend instead
* **Rotate when compromised** — if you suspect a key has been leaked, regenerate it immediately from the [Mufi Dashboard](https://my.mufi.app), then deploy the new key everywhere the old one was used
* **Least privilege** — use read-only keys for integrations that only query data, so a leaked key cannot modify your project

## Dashboard Access

* **Limit access** — only grant Mufi Dashboard access to team members who need it
* **Use strong authentication** — enable two-factor authentication with a time-based one-time password (TOTP) app such as Google Authenticator on every dashboard account
* **Audit regularly** — review who has access to your project and remove inactive team members

## Transport Security

* **Always use HTTPS** — all requests to the Mufi API must use HTTPS. Never make API calls over plain HTTP: the key in the request would travel in cleartext
* **Validate TLS certificates** — ensure your HTTP client verifies the server's certificate and hostname. Never disable verification to silence a certificate error; doing so lets anyone on the network path impersonate the API and capture your key

## Frontend Security

If your application has a frontend that interacts with your backend (which then calls the Mufi API):

### Content Security Policy (CSP)

* Enforce a strict CSP so that an injected script cannot run even if a cross-site scripting (XSS) bug slips through
* Limit script sources to your own origin (plus a per-response nonce or a hash for any inline script you must keep) and avoid `unsafe-inline` and `unsafe-eval`
* Set `frame-src` to the exact origins you embed; use `frame-ancestors` to control who may embed your pages

### CORS Configuration

* Specify exact origins (scheme, host and port) — avoid wildcards (`*`) in production, and never reflect the request's `Origin` header back unconditionally, which is a wildcard in disguise
* Be especially strict in your production environment (no `localhost` origins)
* Review CORS settings when deploying to new domains

### General

* Implement TLS/HTTPS for all requests from your frontend to your backend
* Avoid open redirects — only redirect to relative paths or to an allowlist of hosts, since an open redirect lets a phisher send users to a malicious site through a link on your trusted domain
* Validate all user input on the backend (client-side checks alone are not a control) and encode output for the context it is rendered in

## Incident Response

If a team member's account is compromised:

1. **Immediately regenerate** all API keys for affected projects
2. **Review recent activity** in the Mufi Dashboard for unauthorized actions
3. **Revoke access** for the compromised account
4. **Contact us** at [connect@mufi.app](mailto:connect@mufi.app) if you suspect unauthorized API activity
