# Security Notes

Before production, protect these files and directories:

- `controller.php`
- `api.php`
- `upload.php`
- `sse.php`
- `/data/`
- `/templates/` if snapshots are writable

Minimum Apache `.htaccess` idea for controller/API protection. Placed as-is in a directory's `.htaccess`, it requires a login for every file in that directory:

```apache
AuthType Basic
AuthName "Itahuka Graphics Control"
AuthUserFile /home/YOUR_CPANEL_USER/.htpasswd
Require valid-user
```

Keep `output.php` accessible only to your production computers when possible.

The built-in upload restrictions are basic. For public servers, also enforce:

- Strict authentication
- File size limits at web server level
- Virus scanning if external people upload files
- No PHP execution inside `assets/uploads/`
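
One way to apply the points above with two `.htaccess` files, scoping the login to the control scripts so `output.php` stays reachable. This is an added example, not configuration shipped with the project. It assumes Apache 2.4, an `AllowOverride` setting that permits these directives, and a 10 MiB upload cap chosen only for illustration.

```apache
# ---- File 1: .htaccess in the directory that holds controller.php ----

# Basic auth only for the control scripts; other files are unaffected.
<FilesMatch "^(controller|api|upload|sse)\.php$">
    AuthType Basic
    AuthName "Itahuka Graphics Control"
    AuthUserFile /home/YOUR_CPANEL_USER/.htpasswd
    Require valid-user
</FilesMatch>

# Cap the request body at the web server for the upload endpoint.
# 10485760 bytes = 10 MiB (constructed value, pick your own limit).
<Files "upload.php">
    LimitRequestBody 10485760
</Files>

# ---- File 2: assets/uploads/.htaccess ----

# Refuse to serve any file with a PHP-type extension anywhere in its name,
# so a name such as x.php.jpg is refused as well.
<FilesMatch "\.(?i:php\d*|phtml|phar|pht)(\.|$)">
    Require all denied
</FilesMatch>

# Applies only when PHP runs as an Apache module: switch the engine off here.
# mod_php.c is the PHP 8 module name, mod_php7.c the PHP 7 one.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# No CGI execution and no directory listing for uploaded content.
Options -ExecCGI -Indexes

# Tell browsers not to content-sniff uploaded files.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
```

Basic authentication sends credentials base64-encoded, not encrypted, so serve the protected scripts over HTTPS only.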
