
How do I test staging without risking prod?

Create separate Qodex environments for staging and production. Then make production read-only, disable destructive tests, and rate-limit it. Qodex reads those constraints before authoring and enforces them during execution.
Production environment:

Setting                    Recommended value   Why
read_only                  true                Blocks POST, PUT, PATCH, and DELETE.
allow_destructive_tests    false               Blocks destructive payloads and write-side probes.
max_requests_per_second    5                   Prevents accidental bursts.
With these settings, production can still receive safe checks such as security headers, TLS, CORS, and read-only authorization probes. Use staging for deeper checks that may create, update, or delete test data.
Staging environment:

Setting                    Recommended value
read_only                  false
allow_destructive_tests    true
max_requests_per_second    20
This is the right place for write-side IDOR, mass assignment, injection checks, and full regression coverage.

Keep credentials separate

Auth profiles are environment-specific. A scenario can ask for the admin profile, but Qodex resolves the actual credentials from the environment selected for that run. Keep staging admin credentials and production admin credentials separate.

If someone targets production by mistake

The production environment's constraints still apply no matter which scenario was selected. If a scenario tries to mutate production while read_only is enabled, Qodex should block the run or reduce it to the safe subset (the read-only checks described above), rather than letting the mutating steps through.
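To make the behaviour concrete, here is an added example of how the three settings, per-environment auth profiles, and the "reduce to a safe subset" rule fit together. It is illustrative code written for this page, not Qodex's own implementation: the names Environment, Step, Plan, plan_run, resolve_credential, RateLimiter and run_scenario, the sample environments, the placeholder credentials and the scenario steps are all assumptions constructed for the example.

```python
"""Added example: gating a scenario with an environment's constraints (not Qodex's code).

Environment, Step, Plan, plan_run, resolve_credential, RateLimiter, run_scenario and
the sample data below are assumptions constructed for this illustration.
"""
from dataclasses import dataclass, field
import time

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Environment:
    name: str
    base_url: str
    read_only: bool
    allow_destructive_tests: bool
    max_requests_per_second: float
    auth_profiles: dict = field(default_factory=dict)  # profile name -> credential


@dataclass
class Step:
    method: str
    path: str
    auth_profile: str = "anonymous"
    destructive: bool = False  # injection payloads, destructive probes, etc.


@dataclass
class Plan:
    allowed: list
    blocked: list  # (Step, reason) pairs


def plan_run(env: Environment, steps: list) -> Plan:
    """Reduce a scenario to the subset env permits; every dropped step carries a reason."""
    plan = Plan(allowed=[], blocked=[])
    for step in steps:
        method = step.method.upper()
        if env.read_only and method in MUTATING_METHODS:
            plan.blocked.append((step, f"read_only blocks {method}"))
        elif step.destructive and not env.allow_destructive_tests:
            plan.blocked.append((step, "allow_destructive_tests is false"))
        elif step.auth_profile not in env.auth_profiles:
            plan.blocked.append((step, f"no auth profile {step.auth_profile!r} in {env.name}"))
        else:
            plan.allowed.append(step)
    return plan


def resolve_credential(env: Environment, step: Step) -> str:
    """The scenario only names a profile; the credential comes from the selected environment."""
    return env.auth_profiles[step.auth_profile]


class RateLimiter:
    """Fixed-interval limiter: requests are spaced at least 1/rate seconds apart."""

    def __init__(self, rate: float):
        self.min_interval = 1.0 / rate
        self.next_allowed = 0.0

    def delay(self, now: float) -> float:
        """Seconds to wait before sending at time `now`; also reserves the next slot."""
        wait = max(0.0, self.next_allowed - now)
        self.next_allowed = max(now, self.next_allowed) + self.min_interval
        return wait


def run_scenario(env, steps, send, clock=time.monotonic, sleep=time.sleep):
    """Plan first, then execute only the allowed steps under env's rate limit.

    Returns (plan, responses) so blocked steps and their reasons are visible to the caller.
    """
    plan = plan_run(env, steps)
    limiter = RateLimiter(env.max_requests_per_second)
    responses = []
    for step in plan.allowed:
        sleep(limiter.delay(clock()))
        responses.append(send(step.method, env.base_url + step.path, resolve_credential(env, step)))
    return plan, responses


# Constructed sample environments; the credentials are placeholders, not real secrets.
PRODUCTION = Environment("production", "https://api.example.com", True, False, 5,
                         {"anonymous": "", "admin": "prod-admin-token", "user": "prod-user-token"})
STAGING = Environment("staging", "https://staging.example.com", False, True, 20,
                      {"anonymous": "", "admin": "staging-admin-token", "user": "staging-user-token"})

# Constructed scenario mixing safe checks with write-side and destructive probes.
SCENARIO = [
    Step("GET", "/users/1", "admin"),                        # safe authorization probe
    Step("GET", "/users/1", "user"),                         # read-only IDOR check
    Step("POST", "/users", "admin"),                         # write-side mass-assignment check
    Step("DELETE", "/users/1", "admin", destructive=True),   # destructive
    Step("GET", "/search?q=%27%20OR%201%3D1--", "user", destructive=True),  # injection probe
]

if __name__ == "__main__":
    def fake_send(method, url, credential):
        return f"{method} {url} as {credential or 'anonymous'}"

    for env in (PRODUCTION, STAGING):
        plan, responses = run_scenario(env, SCENARIO, fake_send, sleep=lambda s: None)
        print(env.name, "ran", len(plan.allowed), "step(s); blocked:",
              [(s.method, s.path, why) for s, why in plan.blocked])
```

Run against the constructed production environment, only the two GET probes execute: the POST and DELETE are dropped by read_only (that check runs first, so a destructive DELETE is reported under read_only rather than allow_destructive_tests), and the injection probe is dropped by allow_destructive_tests. The same scenario runs in full against staging, and the admin profile resolves to a different token in each environment because the credential is looked up from the environment, never from the scenario.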

Next steps

Auth profiles

Store environment-specific credentials.

Sensitive endpoints

Protect risky routes during testing.

Inverted semantics

Understand security test pass/fail behavior.

OWASP API Top 10

See common API security checks.