Security & trust

Operational transparency for every workspace.

Dokodo ships with audited auth, CSP, rate limiting, and audit logging. We publish the checklist so you always know how data is protected.


Questions? Email hello@dokodo.app.

Platform safeguards

What is already in place.

These controls shipped during the December 2024 security audit and now gate every production deploy.

In place · Dokodo

TLS + secure cookies

All production environments enforce HTTPS, `COOKIE_SECURE`, and strict environment validation so tokens never travel in plain text.

In place · Dokodo

Content Security Policy

Next.js CSP plus Helmet headers block unexpected scripts, frames, and cross-origin requests per docs/ops/32-production-security-checklist.

In place · Dokodo

Redis rate limiting

API traffic is throttled with Redis-backed counters that persist across restarts to contain brute-force attempts.
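The Redis-backed throttling described above, as an added example that is not Dokodo's code. It is a fixed-window limiter built on the two Redis commands such limiters usually rely on, INCR and EXPIRE: because the counter lives in Redis rather than in process memory, it survives restarts and is shared by every replica. The `InMemoryCounterStore` class imitates those two commands so the example runs without a server; the store interface, the option names and the key prefix are assumptions.

```javascript
// Added example, not Dokodo's code. InMemoryCounterStore stands in for a Redis
// client and implements only INCR and EXPIRE semantics (assumption).
class InMemoryCounterStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // key -> { value, expiresAt | null }
  }

  // Drop the entry once its TTL has elapsed, as Redis does on access.
  _live(key) {
    const e = this.entries.get(key);
    if (e && e.expiresAt !== null && e.expiresAt <= this.now()) {
      this.entries.delete(key);
      return undefined;
    }
    return e;
  }

  // Redis INCR: create the key at 1, otherwise add one; returns the new value.
  incr(key) {
    const e = this._live(key);
    if (!e) {
      this.entries.set(key, { value: 1, expiresAt: null });
      return 1;
    }
    e.value += 1;
    return e.value;
  }

  // Redis EXPIRE: returns 1 if the key existed and got a TTL, else 0.
  expire(key, seconds) {
    const e = this._live(key);
    if (!e) return 0;
    e.expiresAt = this.now() + seconds * 1000;
    return 1;
  }
}

// Returns check(identity). identity is whatever the caller keys on: client IP for
// anonymous traffic, the login name or user id for authentication endpoints.
function createRateLimiter(store, { limit, windowSeconds, prefix = "rl" }) {
  return function check(identity) {
    const key = `${prefix}:${identity}`;
    const count = store.incr(key);
    if (count === 1) store.expire(key, windowSeconds); // first hit opens the window
    return {
      allowed: count <= limit,
      remaining: Math.max(0, limit - count),
      // Upper bound: the window is at most windowSeconds old. A real store would
      // report the key's remaining TTL instead.
      retryAfterSeconds: count <= limit ? 0 : windowSeconds,
    };
  };
}

// Express-style middleware: answer 429 with Retry-After when the caller is throttled.
function rateLimitMiddleware(check, identify) {
  return function (req, res, next) {
    const verdict = check(identify(req));
    res.setHeader("X-RateLimit-Remaining", String(verdict.remaining));
    if (!verdict.allowed) {
      res.setHeader("Retry-After", String(verdict.retryAfterSeconds));
      return res.status(429).send("Too many requests");
    }
    return next();
  };
}
```

With a real client (ioredis or node-redis) `incr` and `expire` return promises, so `check` becomes an `async` function that awaits both calls. The two commands are not atomic as written: if the process dies between INCR and EXPIRE the key never gets a TTL and the caller is throttled until someone deletes it, which is why production limiters issue them inside a MULTI block or a Lua script.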

In place · Dokodo

Session management + audit logs

Users can see active sessions, revoke access, and every sensitive action (password, deletion) lands in AuditLog with 90-day retention.

Operations

Practices that keep data safe.

Security is not a single feature—it is a set of ongoing rituals, all documented in ops runbooks.

Incident response

We document detect → assess → contain → notify workflows so the team can act quickly if something looks off.

Monitoring & backups

The ops checklist covers uptime monitors, error tracking, and daily Postgres backups with 30-day retention.

Secret hygiene

JWT secrets require 48+ bytes entropy and rotate quarterly; database connections enforce SSL (`sslmode=require`).
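The "strict environment validation" mentioned under TLS + secure cookies and the secret requirements stated here, as one added example that is not Dokodo's code: a start-up guard that refuses to boot a production deploy unless secure cookies are on, the JWT secret carries at least 48 bytes of entropy, and database connections require SSL. `COOKIE_SECURE` and `sslmode=require` come from the page; the `JWT_SECRET` and `DATABASE_URL` variable names and the function names are assumptions.

```javascript
// Added example, not Dokodo's code. Variable names other than COOKIE_SECURE and
// the sslmode parameter are assumptions.
const MIN_JWT_SECRET_BYTES = 48;

// Operators paste secrets as hex, base64 or raw text. Measure the secret under
// every encoding it could plausibly be and keep the smallest byte count, so a
// short passphrase that happens to look like base64 is not over-credited.
function secretByteLength(secret) {
  const candidates = [Buffer.byteLength(secret, "utf8")];
  if (/^[0-9a-fA-F]+$/.test(secret) && secret.length % 2 === 0) {
    candidates.push(secret.length / 2);
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(secret) && secret.length % 4 === 0) {
    candidates.push(Buffer.from(secret, "base64").length);
  }
  return Math.min(...candidates);
}

// Returns { ok, errors }. Every failing control is reported, not just the first,
// so an operator can fix the whole deploy in one pass.
function validateProductionEnv(env) {
  const errors = [];
  if (env.NODE_ENV !== "production") return { ok: true, errors }; // gate prod only

  if (env.COOKIE_SECURE !== "true") {
    errors.push("COOKIE_SECURE must be 'true' so session cookies never travel over plain HTTP");
  }

  const bytes = secretByteLength(env.JWT_SECRET || "");
  if (bytes < MIN_JWT_SECRET_BYTES) {
    errors.push(`JWT_SECRET provides ${bytes} bytes of entropy; at least ${MIN_JWT_SECRET_BYTES} required`);
  }

  let db = null;
  try {
    db = new URL(env.DATABASE_URL || "");
  } catch {
    errors.push("DATABASE_URL is missing or not a valid URL");
  }
  // sslmode=require is the page's setting; verify-ca and verify-full are stricter and also pass.
  const sslMode = db ? db.searchParams.get("sslmode") : null;
  if (db && !["require", "verify-ca", "verify-full"].includes(sslMode)) {
    errors.push("DATABASE_URL must include sslmode=require (or a stricter verify-* mode)");
  }

  return { ok: errors.length === 0, errors };
}

// Typical use at process start: fail fast before a single request is served.
function assertProductionEnv(env = process.env) {
  const result = validateProductionEnv(env);
  if (!result.ok) {
    throw new Error(`Refusing to start:\n - ${result.errors.join("\n - ")}`);
  }
  return result;
}
```

Call `assertProductionEnv()` as the first statement of the server entry point, before the HTTP listener or any database pool is created, so a misconfigured deploy dies with a readable list of what to fix rather than serving traffic with an insecure cookie flag or a guessable signing key.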

Email verification

New accounts must verify their email address, and a password change revokes all active sessions to prevent takeovers.

Read the full checklist at docs/ops/32-production-security-checklist.

Roadmap

What we are building next.

Security is iterative. These items are in flight as we expand paid plans.

File upload scanning

Integrate antivirus scanning (ClamAV or hosted) before accepting new media uploads.

Persistent brute force detection

Redis-backed tracking of failed logins per identity to complement throttling.

Two-factor authentication

Optional TOTP for Pro/Team accounts once subscription billing goes live.

Automated dependency alerts

CI-enforced Dependabot/Snyk policies for both frontend and backend packages.

Need a security review call?

We are happy to walk through architecture, SOC 2 planning, or custom terms. Email hello@dokodo.app and we will reply within one business day.
