CHATBOT
Chatbot security checklist
Review before production launch.
Keys
- public_widget only in browser (script, React, anonymous SDK calls).
- secret_server only in backend env vars — never in NEXT_PUBLIC_*.
- No StartupCore Internal keys in customer deployments.
Domains and publish
- allowedDomains lists every production origin.
- Bot published after knowledge review.
- Knowledge reviewed for PII and incorrect answers.
Private actions
- Private intents require authenticated widget session.
- Webhook signature verification enabled on your endpoint.
- Idempotency enforced for action handlers.
Limits
- Rate limits understood for widget and API.
- Usage/plan limits reviewed for expected traffic.