Security
Updated Mar 30, 2026
Security features and best practices for XAIO projects.
Platform Security
Authentication:
- Email + password with strong password enforcement
- Google and GitHub OAuth
- Optional Two-Factor Authentication (2FA)
- Session management with automatic expiry
Data Protection:
- All projects are private by default
- Only you and invited team members have access
- Published sites are public at their *.xaio.app URL
- Source code is stored encrypted at rest
Infrastructure:
- HTTPS everywhere (automatic SSL/TLS)
- AWS infrastructure (ECS, RDS, S3, CloudFront)
- Isolated workspace containers per project
- Regular security updates
Secret Detection
XAIO automatically detects sensitive data in chat messages:
- API keys (OpenAI, Stripe, AWS, etc.)
- Passwords and tokens
- Connection strings
- Private keys
A warning dialog appears before sending. You can mask the secret or cancel.
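To make the pre-send check concrete, here is an added example written for this page (not XAIO's own implementation): a small scanner that flags the secret categories listed above, then either masks them or cancels the send. The regex rules, the `prepare_to_send` dialog model and the sample values are assumptions.

```python
import re
# Constructed, illustrative rules (not XAIO's own rule set). The last capture
# group, or the whole match when there is none, is the part treated as the secret.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:/]+:[^\s@]+@\S+"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END [^-]*PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
}

def scan(message: str) -> list[dict]:
    """Return non-overlapping findings with the span of each secret in the message."""
    hits = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(message):
            idx = m.lastindex or 0
            hits.append({"kind": kind, "start": m.start(idx), "end": m.end(idx)})
    hits.sort(key=lambda h: (h["start"], -h["end"]))  # longest match first on ties
    findings, last_end = [], -1
    for h in hits:
        if h["start"] >= last_end:  # skip hits nested inside an earlier one
            findings.append(h)
            last_end = h["end"]
    return findings

def mask(secret: str) -> str:
    """Keep a short recognisable prefix so the user knows which value was caught."""
    return secret[:4] + "****" if len(secret) > 8 else "********"

def redact(message: str, findings: list[dict]) -> str:
    """Replace each detected secret, working from the end so earlier offsets stay valid."""
    for f in sorted(findings, key=lambda f: f["start"], reverse=True):
        message = message[:f["start"]] + mask(message[f["start"]:f["end"]]) + message[f["end"]:]
    return message

def prepare_to_send(message: str, choice: str = "mask"):
    """Model the pre-send dialog: clean text is sent as-is, otherwise mask or cancel (None)."""
    findings = scan(message)
    if not findings:
        return message
    return redact(message, findings) if choice == "mask" else None

# Constructed sample inputs; every value below is fake.
SAMPLE_MESSAGE = "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app and key AKIAABCDEFGHIJKLMNOP and password = s3cretPass!"
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAfake\n-----END RSA PRIVATE KEY-----"
```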
Environment Variables
Best practices for managing secrets:
- Store API keys in the Environment tab, not in code
- Use separate values for Dev and Prod
- The AI always references env vars, never hardcodes secrets
- Integration-managed vars (DATABASE_URL) are read-only
Team Security
- Role-based access: Owner, Admin, Editor
- Admins can invite and remove members
- Ownership transfer available
- Each team member has an isolated workspace
Published Site Security
- Automatic HTTPS via CloudFront
- CORS headers configured per project
- Backend API endpoints are authenticated by default
- Database connections are encrypted