Security: hasserchatphon/MacWatchAi

SECURITY.md

Security Policy

MacWatchAi is designed as a private local camera monitor, not as an Internet-facing camera server.

Safe Deployment

  • Keep the default bind address 127.0.0.1 unless you are using a private network such as Tailscale.
  • Use a long unique WATCH_PASSWORD.
  • Do not use --no-auth outside local-only testing.
  • Do not expose the built-in HTTP server directly to the public Internet.
  • For remote access, use a VPN/private network or a hardened HTTPS reverse proxy with authentication.
  • Keep .env, data/, recordings/, generated APKs, and logs out of Git.
  • Do not manually upload the whole working folder to GitHub. Publish through Git with the project .gitignore, or from a clean export.

Current Protections

  • Basic authentication is enabled by default.
  • If no password is configured, a temporary random password is generated for the session.
  • --no-auth is rejected unless the server is bound to a local host.
  • State-changing web actions require a per-process CSRF token.
  • Repeated failed Basic Auth attempts are temporarily rate limited per client IP.
  • Common browser security headers are sent on app responses.
  • Android does not ship a default password and has cleartext traffic disabled.
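Three of the protections listed above (the loopback-only rule for --no-auth, the per-client-IP lockout after repeated Basic Auth failures, and the per-process CSRF token) are illustrated below in an added Python example. This is not MacWatchAi's own code; the function and class names, the default threshold of five failures per sixty seconds, and the injectable clock are assumptions chosen for the example.

```python
"""Added example: illustrative versions of three protections named in SECURITY.md.

Not MacWatchAi's own code. Names, thresholds and the injectable clock are
assumptions chosen for this example.
"""
from __future__ import annotations

import hmac
import ipaddress
import secrets
import time
from collections import defaultdict, deque


def no_auth_allowed(bind_host: str) -> bool:
    """Return True only if --no-auth may be honoured for this bind address.

    A server with authentication disabled must be reachable from the local
    host only, so loopback addresses (127.0.0.0/8, ::1) and the name
    "localhost" are accepted. 0.0.0.0, private-network addresses and any
    other host name are rejected so a misconfiguration cannot expose an
    unauthenticated camera UI.
    """
    if bind_host == "localhost":
        return True
    try:
        return ipaddress.ip_address(bind_host).is_loopback
    except ValueError:
        # Unparseable or non-literal hosts are treated as non-local.
        return False


class FailedAuthLimiter:
    """Temporarily rate limit repeated Basic Auth failures per client IP.

    After `max_failures` failures inside a sliding `window_seconds` window,
    further attempts from that IP are refused until the oldest failure ages
    out. `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0,
                 clock=time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures: dict[str, deque[float]] = defaultdict(deque)

    def _prune(self, ip: str) -> None:
        # Drop failure timestamps that have fallen out of the window.
        cutoff = self.clock() - self.window
        q = self._failures[ip]
        while q and q[0] < cutoff:
            q.popleft()

    def is_blocked(self, ip: str) -> bool:
        self._prune(ip)
        return len(self._failures[ip]) >= self.max_failures

    def record_failure(self, ip: str) -> None:
        self._prune(ip)
        self._failures[ip].append(self.clock())

    def record_success(self, ip: str) -> None:
        # A successful login clears the failure history for that client.
        self._failures.pop(ip, None)


class CsrfGuard:
    """Per-process CSRF token for state-changing web actions.

    The token is generated once at startup and must be echoed back (in a form
    field or request header) on every state-changing request. The comparison
    is constant-time so the check does not leak information about the token.
    """

    def __init__(self) -> None:
        self.token = secrets.token_urlsafe(32)

    def check(self, submitted: str | None) -> bool:
        if not submitted:
            return False
        return hmac.compare_digest(self.token, submitted)
```

A request handler would call `no_auth_allowed()` once at startup and refuse to start when it returns False, consult `is_blocked()` before even parsing the Authorization header, and run `CsrfGuard.check()` on every POST before touching recordings or settings.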

Known Limits

  • The built-in server is HTTP only. Use it locally, through a private network, or behind HTTPS.
  • The Android companion stores settings in app-private SharedPreferences. Treat rooted or compromised devices as out of scope for v0.1.x.
  • Debug APKs are for local testing only and should not be distributed as public releases.

Supported Versions

Version   Supported
0.1.x     Yes

Reporting

Before publishing a vulnerability, contact the repository owner privately. Replace this line with a real email or GitHub Security Advisory contact before making the repository public.
