Security
Passwords are hashed with bcrypt. Sessions are opaque server-stored tokens with httpOnly + sameSite=Lax cookies.
Signaling tokens are signed with HMAC-SHA256 under SESSION_SECRET and are scoped to a single call and role, expiring after 30 minutes.
Responses carry conservative default security headers that are compatible with a strict CSP: X-Content-Type-Options nosniff, X-Frame-Options SAMEORIGIN, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy restricting microphone, camera and display-capture to self.
Microphone is only requested at the call moment, never on the marketing pages.
TURN should use short-lived, ephemeral credentials in production (coturn supports this).