Security Policy Report vulnerabilities privately via security advisories on GitHub. Avoid committing secrets. Use .env files locally, never in Git. Images should run as non-root when possible; include a healthcheck.