If EZTUTOR_API_KEY is set, all /api routes require x-api-key.

• Auth uses JWTs signed with JWT_SECRET.
• Store tokens in secure client storage and send Authorization: Bearer <token>.
• Rotate JWT secrets if a leak is suspected.

API requests are rate-limited (100 requests per 15 minutes per IP).

Server validates required fields, types, and max lengths for lesson and quiz input. Auth inputs enforce basic password length and email format checks. Support submissions validate required fields before processing.

Passwords are hashed using bcryptjs before being stored in Postgres.

• Use a least-privilege Postgres user for the app.
• Keep DB credentials out of source control and rotate regularly.
• Require TLS (DB_SSL=true) for managed databases in production.

• Rotate Groq API keys regularly.
• Store secrets in environment variables only.
• Enable HTTPS in production.
• Avoid collecting student PII unless necessary.