Both cookbook READMEs state that these examples are starting points, not production-ready defaults. Do not expose cookbook routes publicly until you have added product-specific auth, abuse controls, monitoring, and data-handling policies.
Required before launch
- Authenticate and authorize every API route with user and tenant checks.
- Apply edge and app rate limiting, throttling, and abuse controls.
- Review CORS and CSRF policies.
- Enforce strict request limits.
- Set up structured logs, error reporting, and alerting for provider failures.
- Store and rotate API keys in managed secret stores.
- Enforce retention, deletion, and sensitive-data sanitization policies.
- Define reliability and cost safeguards, including budgets, retries, and circuit breakers.