Security Policies


Security is a first-class concern at Acme. This document outlines our security practices and policies for the API platform.


All API communication must use HTTPS. Authentication is handled via short-lived JWT access tokens (15 min) with refresh token rotation. API keys are hashed with bcrypt before storage and are only displayed once at creation time. We enforce CORS policies that restrict origins to known client domains.
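
The 15-minute access token and refresh token rotation described above, as an added Python example (not Acme's implementation). HS256 signing, the in-memory store, and all function names are assumptions; revoking the whole token family on replay is a common practice that goes beyond what this policy states.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 15 * 60               # 15-minute access tokens, per the policy
SECRET = secrets.token_bytes(32)   # constructed demo key (assumption: HS256)
refresh_store = {}                 # sha256(refresh token) -> record; raw token never stored
revoked_families = set()

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(message: str) -> bytes:
    return hmac.new(SECRET, message.encode(), hashlib.sha256).digest()

def issue_access(sub: str, now: float) -> str:
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"sub": sub, "exp": int(now) + ACCESS_TTL}).encode())
    return f"{header}.{body}.{b64(sign(header + '.' + body))}"

def verify_access(token: str, now: float):
    """Return the subject, or None if the token is malformed, forged or expired."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sign(header + "." + body), unb64(sig)):
            return None
        claims = json.loads(unb64(body))
        return claims["sub"] if now < claims["exp"] else None
    except (ValueError, KeyError, TypeError):
        return None

def store_refresh(sub: str, family: str) -> str:
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    refresh_store[key] = {"sub": sub, "family": family, "used": False}
    return token

def login(sub: str, now: float):
    return issue_access(sub, now), store_refresh(sub, secrets.token_hex(8))

def refresh(token: str, now: float):
    """Rotate: each refresh token works once; a replay revokes its family."""
    rec = refresh_store.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["family"] in revoked_families:
        return None
    if rec["used"]:                # replay of an already-rotated token
        revoked_families.add(rec["family"])
        return None
    rec["used"] = True
    return issue_access(rec["sub"], now), store_refresh(rec["sub"], rec["family"])
```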


Dependencies are scanned for vulnerabilities daily with Snyk. Critical vulnerabilities must be patched within 24 hours, and high-severity vulnerabilities within 72 hours. All dependencies are pinned to exact versions and updated through automated PRs that run the full test suite.

Last edited by Priya Patel, about 1 year ago
