> ## Documentation Index
> Fetch the complete documentation index at: https://qodex.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# How do I test staging without risking prod?

> Use separate environments, read-only production rules, auth profiles, and rate limits to keep production safe.

# How do I test staging without risking prod?

Create separate Qodex environments for staging and production.

Then make production read-only, disable destructive tests, and rate-limit it. Qodex reads those constraints before authoring and enforces them during execution.

## Recommended production settings

| Setting                   | Recommended value | Why                                                |
| ------------------------- | ----------------- | -------------------------------------------------- |
| `read_only`               | `true`            | Blocks POST, PUT, PATCH, and DELETE.               |
| `allow_destructive_tests` | `false`           | Blocks destructive payloads and write-side probes. |
| `max_requests_per_second` | `5`               | Prevents accidental bursts.                        |

With these settings, production can still receive safe checks such as security headers, TLS, CORS, and read-only authorization probes.

## Recommended staging settings

Use staging for deeper checks that may create, update, or delete test data.

| Setting                   | Recommended value |
| ------------------------- | ----------------- |
| `read_only`               | `false`           |
| `allow_destructive_tests` | `true`            |
| `max_requests_per_second` | `20`              |

This is the right place for write-side IDOR, mass assignment, injection checks, and full regression coverage.

## Keep credentials separate

Auth profiles are environment-specific.

A scenario can ask for the `admin` profile, but Qodex resolves the actual credentials from the environment selected for that run. Keep staging admin credentials and production admin credentials separate.

## If someone targets production by mistake

Production environment constraints still apply.

If a scenario tries to mutate production while `read_only` is enabled, Qodex should block or reduce the run to a safe subset.

## Next steps

<CardGroup cols={2}>
  <Card title="Auth profiles" icon="key" href="/api-testing-auth-profiles">
    Store environment-specific credentials.
  </Card>

  <Card title="Sensitive endpoints" icon="lock" href="/security-testing-sensitive-endpoints">
    Protect risky routes during testing.
  </Card>

  <Card title="Inverted semantics" icon="arrows-up-down" href="/security-testing-inverted-semantics">
    Understand security test pass/fail behavior.
  </Card>

  <Card title="OWASP API Top 10" icon="list-ordered" href="/security-testing-owasp-api-top-10">
    See common API security checks.
  </Card>
</CardGroup>
