Lehmam

Security

Lehmam uses a public edge gateway, service-bound private APIs, Turnstile, signed admin sessions, CSRF checks, security headers, and D1-backed audit trails.

• Private API Workers are not routed publicly and still require an internal secret.
• Admin operations are authenticated, role-gated, CSRF-protected, and audited.
• Receive domains cannot be made public unless they are active.