Please read the documentation linked in the ReadMe and you can try out all the security features of the app by spinning it up and configuring with env.template.

If you will read the docs and the code you will read the the auth model, the code around it, the limitation, the clear documentation around token handling, the code to support CORS, trusted host middleware, CSP, HSTS, rate limiting. You can read the env.template and configure and try it out. Please show me vibe coded, ai-assisted or even non vibe coded self hosted existing apps which have these security feature in v0.1 or even later.

Like mentioned in comment and ReadMe the project is written with AI assistance not vibe coded or AI driven development. If you will read the code, look at design and db model you will find the answers you are seeking.