Security & trust

Private by default, with controls documented in public.

Dokodo uses secure cookies, CSRF protection, CSP, audit logging, brute-force protection, and optional TOTP two-factor authentication. You should be able to trust the app before you store real inventory in it.

Private by default | No card required | Export anytime

Platform safeguards

What already protects each workspace.

Current controls, not future promises.

In place

TLS + secure cookies

All production traffic stays on HTTPS, session cookies are marked secure, and the service strictly validates its environment configuration.

In place

Content Security Policy

A Content Security Policy set by the Next.js app, together with Helmet's security headers, restricts which scripts may run, which frames may be embedded, and which origins the page may load resources from or connect to.

In place

Redis rate limiting

API traffic is throttled with Redis-backed counters that persist across restarts.

In place

Session management + audit logs

Users can review their active sessions and revoke any of them; sensitive actions are written to audit logs retained for 90 days.

In place

TOTP two-factor authentication

Users can enrol an authenticator app (TOTP) as a second factor and keep recovery codes; removing a factor also revokes that user's active sessions.

In place

Persistent brute-force protection

Failed login attempts are counted per email address and per source IP, with exponential backoff and Redis-backed lockouts that survive restarts.
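How the Redis-backed counters above and the brute-force lockout fit together, as an added Node.js example that is not Dokodo's code: failures are counted under separate per-email and per-IP keys, each with a TTL, and once a key crosses a threshold a lockout is set that doubles with every further failure up to a cap. The store interface is limited to the four commands a real Redis client would provide (INCR with EXPIRE, SET with EXPIRE, GET, DEL); the in-memory stand-in used here exists only so the example runs offline and, unlike Redis, does not persist across restarts. Key names, thresholds and function names are this example's assumptions.

```javascript
// Added example, not Dokodo's code. In-memory stand-in for the Redis commands the
// guard needs; real Redis keeps these counters across process restarts, this Map does not.
class MemoryStore {
  constructor(now) { this.now = now; this.data = new Map(); }
  _live(key) {
    const e = this.data.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= this.now()) { this.data.delete(key); return undefined; }
    return e;
  }
  incr(key, ttlSeconds) {            // INCR, plus EXPIRE when the key is created
    const e = this._live(key);
    if (e) { e.value += 1; return e.value; }
    this.data.set(key, { value: 1, expiresAt: this.now() + ttlSeconds * 1000 });
    return 1;
  }
  set(key, value, ttlSeconds) { this.data.set(key, { value, expiresAt: this.now() + ttlSeconds * 1000 }); }
  get(key) { const e = this._live(key); return e ? e.value : undefined; }
  del(key) { this.data.delete(key); }
}

const DEFAULTS = {
  threshold: 5,        // failures tolerated before the first lockout
  baseSeconds: 30,     // first lockout length; doubles on each further failure
  maxSeconds: 3600,    // cap on the exponential growth
  windowSeconds: 900,  // failure counters expire after 15 minutes of quiet
};

class LoginGuard {
  constructor(store, now = () => Date.now(), opts = {}) {
    this.store = store; this.now = now; this.opts = { ...DEFAULTS, ...opts };
  }
  // Separate keys: flooding one email must not lock out everyone behind an IP,
  // and spreading an attack over many IPs must not evade the per-email limit.
  _keys(email, ip) {
    return [`bf:email:${email.toLowerCase()}`, `bf:ip:${ip}`];
  }
  // Call before checking the password. Returns { allowed: true } or
  // { allowed: false, retryAfterSeconds } so the API can send a 429 with Retry-After.
  check(email, ip) {
    let wait = 0;
    for (const key of this._keys(email, ip)) {
      const until = this.store.get(`lock:${key}`);
      if (until !== undefined) wait = Math.max(wait, Math.ceil((until - this.now()) / 1000));
    }
    return wait > 0 ? { allowed: false, retryAfterSeconds: wait } : { allowed: true };
  }
  // Record a failed attempt; returns the lockout applied in seconds (0 below threshold).
  recordFailure(email, ip) {
    const { threshold, baseSeconds, maxSeconds, windowSeconds } = this.opts;
    let applied = 0;
    for (const key of this._keys(email, ip)) {
      const failures = this.store.incr(key, windowSeconds);
      if (failures >= threshold) {
        const lock = Math.min(maxSeconds, baseSeconds * 2 ** (failures - threshold)); // 30, 60, 120, ...
        this.store.set(`lock:${key}`, this.now() + lock * 1000, lock);
        applied = Math.max(applied, lock);
      }
    }
    return applied;
  }
  // A successful login clears only the per-email state; the per-IP counter keeps
  // decaying on its own so a shared or hostile IP is not blanket-forgiven.
  recordSuccess(email, ip) {
    const [emailKey] = this._keys(email, ip);
    this.store.del(emailKey); this.store.del(`lock:${emailKey}`);
  }
}

// Constructed walk-through with a controllable clock: six failures, then wait out the lock.
function demo() {
  let t = 1_700_000_000_000;
  const now = () => t;
  const guard = new LoginGuard(new MemoryStore(now), now);
  const lockouts = [];
  for (let i = 0; i < 6; i++) lockouts.push(guard.recordFailure("alice@example.com", "203.0.113.7"));
  const locked = guard.check("alice@example.com", "203.0.113.7");
  t += 61_000;
  const afterWait = guard.check("alice@example.com", "203.0.113.7");
  return { lockouts, locked, afterWait };
}
console.log(JSON.stringify(demo()));
```

Backing the counters with Redis rather than process memory is what makes the control persistent: an attacker who can trigger a restart (or who is simply load-balanced to another instance) does not get a fresh set of attempts. Keep the TTLs, otherwise every mistyped password from a legitimate user accumulates forever.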

Operations

Practices that keep data safe.

Security is an operating practice, not a promise page. These notes point back to the same checklist the product follows.

Read the full checklist at docs/ops/32-production-security-checklist.

The broader model lives in docs/architecture/21-security-privacy.

Plain-language stance

You should not have to guess how seriously Dokodo treats the things you store here.

Documented incident response

We publish detect → assess → contain → notify workflows before an incident ever happens.

Monitoring and recovery

The operations checklist covers uptime monitors, error tracking, and daily Postgres backups with retention expectations.

Secret hygiene

JWT secrets, webhook secrets, and database connections all follow strict validation and secure transport rules.

User-controlled trust

Email verification, session review, password-change revocation, and optional 2FA let users protect their workspace.


Need a direct answer about security?

We are happy to explain how cookies, session controls, CSP, and two-factor authentication work in practice. Email hello@dokodo.app and we will answer within one business day.
