Security-sensitive defaults should be enforced in generated projects, not only documented.
Generated projects must fail in production when:
- `SECRET_KEY` is still a known placeholder
- `DEBUG=true`
- CORS allows every origin
- `DATABASE_URL` points at local development infrastructure
- future cookie auth is enabled without secure cookie settings
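As an added example (not code from the project), a Python startup check that refuses to boot in production when any of the conditions above holds. The variable names `APP_ENV`, `CORS_ALLOWED_ORIGINS`, `COOKIE_AUTH_ENABLED`, `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_HTTPONLY`, and the placeholder and local-host lists, are assumptions for the example.

```python
import os
from urllib.parse import urlparse

# Constructed lists (assumptions): values a project generator might emit as
# placeholders, and hosts that indicate local development infrastructure.
PLACEHOLDER_SECRET_KEYS = {"", "changeme", "change-me", "secret", "dev-secret-key"}
LOCAL_DB_HOSTS = {"localhost", "127.0.0.1", "::1", "db", "postgres", "mysql"}


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def production_config_errors(env) -> list:
    """Return every production violation found in env (a mapping like os.environ).

    An empty list means the configuration is acceptable for production."""
    errors = []
    if env.get("SECRET_KEY", "").strip().lower() in PLACEHOLDER_SECRET_KEYS:
        errors.append("SECRET_KEY is still a known placeholder")
    if _truthy(env.get("DEBUG", "false")):
        errors.append("DEBUG must be false in production")
    origins = [o.strip() for o in env.get("CORS_ALLOWED_ORIGINS", "").split(",")]
    if "*" in origins:
        errors.append("CORS_ALLOWED_ORIGINS must not allow every origin")
    db_url = env.get("DATABASE_URL", "")
    host = (urlparse(db_url).hostname or "").lower() if db_url else ""
    if not db_url or db_url.startswith("sqlite") or host in LOCAL_DB_HOSTS:
        errors.append("DATABASE_URL points at local development infrastructure")
    if _truthy(env.get("COOKIE_AUTH_ENABLED", "false")):
        secure = _truthy(env.get("SESSION_COOKIE_SECURE", "false"))
        httponly = _truthy(env.get("SESSION_COOKIE_HTTPONLY", "false"))
        if not (secure and httponly):
            errors.append("cookie auth requires SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY")
    return errors


def enforce_production_settings(env=None) -> None:
    """Raise at startup instead of serving traffic with unsafe defaults.

    The check only fires when APP_ENV=production, so local runs keep working."""
    env = os.environ if env is None else env
    if env.get("APP_ENV", "development") != "production":
        return
    errors = production_config_errors(env)
    if errors:
        raise RuntimeError("refusing to start in production:\n - " + "\n - ".join(errors))
```

Call `enforce_production_settings()` before the application binds its listening socket, so a misconfigured deployment fails fast rather than serving requests.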
The SaaS profile must never store raw refresh tokens. It stores token hashes, rotates refresh tokens, revokes sessions, and keeps password reset and email verification tokens single-use through hashed token models.
Report security issues privately to the maintainer before opening a public issue.