Use environment variables or IBM Secrets Manager for API keys (never hardcode) Run behind a reverse proxy (Nginx/Caddy) with HTTPS Enable rate limiting (Flask-Limiter) for /api/chat Set up monitoring ...