# Security & Secrets Policy

- **Do not commit secrets**: passwords, AWS access keys, tokens, private keys.
- Use **IAM roles** on EC2 instead of static access keys where possible.
- If you must use static keys locally, store them in `.env` and keep `.env` out of version control.
- Rotate any credentials that were ever pasted into docs or terminals.
- Review commits before pushing (e.g., `git log -p`, `git diff --staged`).

If a secret was accidentally committed:

1. Rotate/revoke it in the provider immediately.
2. Use `git filter-repo` or the GitHub/Gitea security tools to purge it from history.
3. Force-push the corrected history.
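Added example, not part of this policy: a POSIX shell pre-commit hook that automates the "review commits before pushing" rule by scanning only the added lines of the staged diff for the secret types the policy names (AWS access key IDs, private key blocks, literal password/secret/token assignments). The detection patterns are a heuristic assumed here, and the sample diffs in the usage comments are constructed.

```shell
#!/bin/sh
# Pre-commit secret scan (added example, not the project's own tooling).
# Install as .git/hooks/pre-commit and mark it executable; git runs it
# before each commit and aborts the commit when the scan returns non-zero.

# scan_added_lines: reads a unified diff on stdin, keeps only added lines
# (dropping the '+++ b/file' headers), prints every line that looks like a
# secret and returns 1; returns 0 when nothing suspicious is found.
# Patterns (heuristic, extend for your own providers):
#   - AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics
#   - PEM private key headers
#   - password/secret/token assigned a quoted literal of 8+ characters
scan_added_lines() {
    hits=$(grep '^+' | grep -v '^+++' | grep -E \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e "([Pp]assword|PASSWORD|[Ss]ecret|SECRET|[Tt]oken|TOKEN)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}[\"']" \
        ) || true
    if [ -n "$hits" ]; then
        printf 'Possible secret in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# check_staged: scan exactly what would be committed. -U0 drops context
# lines so only genuinely added content is inspected.
check_staged() {
    git diff --staged -U0 | scan_added_lines
}

# Only run the scan when git executes this file as the pre-commit hook;
# sourcing it elsewhere (e.g. for testing) just defines the functions.
case "$0" in
    */hooks/pre-commit) check_staged ;;
esac
```

To try it by hand, feed a diff directly: `git diff --staged -U0 | scan_added_lines` exits 1 and prints the offending line when a constructed line such as `+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"` is present.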