Current controls
What is already enforced.
- JWT authentication before protected API calls
- Active subscription and expiry checks before config delivery
- Active node status validation before tunnel config is returned
- No private keys hardcoded in application source
- HTTPS on public API and website
- PostgreSQL, Redis, and production health checks in place