Use public keys in browser and mobile apps only.
Keep secret keys inside trusted server code only.
Add trusted origins before production traffic.
Use private channels for sensitive conversations and account data.
Use presence channels only when online member visibility is needed.
Rotate credentials if a secret may have been exposed.
Review blocked gateway activity from Security Center.
Keep usage limits enabled to protect apps from unexpected traffic.
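As an added example that is not from this page or any particular provider, the following Python shows how the first five items fit together on the server side: the public key is the only one a client sees, the secret key signs channel authorizations in trusted server code, the origin is checked against an allowlist, and private and presence channels are gated by an application rule. The channel prefixes, HMAC construction, key values, origins and the user_may_join rule are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
# Constructed sample configuration; names and values are assumptions, not a real product's.
APP_KEY = "pk_constructed_0001"                  # public key: may ship in browser/mobile code
APP_SECRET = "sk_constructed_keep_on_server"     # secret key: never leaves trusted server code
TRUSTED_ORIGINS = {"https://app.example.com"}    # allowlisted before production traffic

def channel_kind(channel):
    """Classify by prefix (assumed scheme): presence-* and private-* need server authorization."""
    if channel.startswith("presence-"):
        return "presence"
    if channel.startswith("private-"):
        return "private"
    return "public"

def user_may_join(user, channel):
    """Constructed app rule: private-user-<id> only for that user; presence rooms for any logged-in user."""
    if channel.startswith("private-user-"):
        return channel == f"private-user-{user['id']}"
    return channel.startswith("presence-room-")

def sign(socket_id, channel, channel_data=None):
    """HMAC-SHA256 over socket id and channel (plus member data for presence), keyed by the secret."""
    payload = f"{socket_id}:{channel}" + (f":{channel_data}" if channel_data else "")
    return hmac.new(APP_SECRET.encode(), payload.encode(), hashlib.sha256).hexdigest()

def authorize_subscription(origin, socket_id, channel, user):
    """Server-side auth endpoint logic: returns the token a client forwards to the gateway."""
    if origin not in TRUSTED_ORIGINS:
        raise PermissionError("untrusted origin")
    kind = channel_kind(channel)
    if kind == "public":
        raise ValueError("public channels need no authorization token")
    if user is None or not user_may_join(user, channel):
        raise PermissionError("not allowed on this channel")
    channel_data = None
    if kind == "presence":
        channel_data = json.dumps({"user_id": user["id"]}, separators=(",", ":"), sort_keys=True)
    token = {"auth": f"{APP_KEY}:{sign(socket_id, channel, channel_data)}"}
    if channel_data:
        token["channel_data"] = channel_data
    return token

def verify_subscription(socket_id, channel, token):
    """What a gateway holding the same secret checks: key id matches and signature is valid."""
    key_id, _, sig = token["auth"].partition(":")
    expected = sign(socket_id, channel, token.get("channel_data"))
    return key_id == APP_KEY and hmac.compare_digest(sig, expected)
```

Because the signature binds the socket id and channel name, a token issued for one private channel cannot be replayed to subscribe to another, and a client that only holds the public key cannot mint one at all.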