Security & trust
Dokodo uses secure cookies, CSRF protection, CSP, audit logging, brute-force protection, and optional TOTP two-factor authentication. These are the controls in place today.
Private by default | No card required | Shared editing on Team
Current posture
TOTP is available.
Audit retention: 90 days for sensitive events.
Rate limiting: Redis-backed and persistent.
TOTP is available, audit logs retain 90 days of sensitive events, and brute-force protection persists through Redis-backed rate limiting.
Platform safeguards
These are current controls, not promises. They are documented in the security model and production checklist that gate the platform today.
All production environments enforce HTTPS, `COOKIE_SECURE`, and strict environment validation so tokens never travel in plain text.
Next.js CSP plus Helmet headers block unexpected scripts, frames, and cross-origin requests per docs/ops/32-production-security-checklist.
API traffic is throttled with Redis-backed counters that persist across restarts to contain brute-force attempts.
Users can see active sessions and revoke access, and every sensitive action (password changes, deletions) lands in AuditLog with 90-day retention.
Users can add authenticator-based 2FA and store recovery codes; revoking or regenerating factors also revokes active sessions.
Failed login attempts are tracked across email and IP with exponential backoff, lockouts, and Redis persistence across restarts.
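As an added illustration of the failed-login tracking described above (this is example code, not Dokodo's own), the tracker below keeps one counter per account email and one per client IP, applies exponential backoff, escalates to a hard lockout, and expires records after a TTL. A Map stands in for Redis; the assumption is that a production deployment would write the same records with a Redis TTL so counts survive restarts. The thresholds and delays are constructed values, not figures from the page.

```javascript
// Added example (not Dokodo's code): failed-login tracking keyed by both the
// account email and the client IP, with exponential backoff, a hard lockout and
// TTL-expiring records. The Map stands in for Redis (assumption: production
// writes the same records with a Redis TTL so counts survive restarts).
const BASE_DELAY_MS = 1000;            // delay after the first failure, doubled per failure
const MAX_BACKOFF_MS = 15 * 60 * 1000; // backoff never exceeds 15 minutes
const LOCKOUT_AFTER = 10;              // failure count that triggers a hard lockout
const LOCKOUT_MS = 60 * 60 * 1000;     // hard lockout duration
const WINDOW_MS = 24 * 60 * 60 * 1000; // record TTL (what Redis EX would enforce)

class LoginAttemptTracker {
  constructor(store = new Map(), now = () => Date.now()) { this.store = store; this.now = now; }
  // Two independent counters: one per account, one per source address.
  keysFor(email, ip) {
    return [`fail:email:${email.trim().toLowerCase()}`, `fail:ip:${ip}`];
  }
  // Drop records past their TTL, as Redis would once EX expires.
  read(key) {
    const rec = this.store.get(key);
    if (!rec || rec.expiresAt <= this.now()) { this.store.delete(key); return null; }
    return rec;
  }
  // Call before verifying the password; the denial must not say which counter hit.
  check(email, ip) {
    const t = this.now();
    let retryAfterMs = 0, reason = null;
    for (const key of this.keysFor(email, ip)) {
      const rec = this.read(key);
      if (!rec || rec.notBefore <= t) continue;
      retryAfterMs = Math.max(retryAfterMs, rec.notBefore - t);
      if (rec.count >= LOCKOUT_AFTER) reason = 'locked';
      else if (!reason) reason = 'backoff';
    }
    return { allowed: retryAfterMs === 0, retryAfterMs, reason };
  }
  // Call after a wrong password: both counters advance, so one IP cycling through
  // many accounts is slowed just like many IPs hammering one account.
  recordFailure(email, ip) {
    const t = this.now();
    for (const key of this.keysFor(email, ip)) {
      const count = (this.read(key)?.count ?? 0) + 1;
      const delay = count >= LOCKOUT_AFTER
        ? LOCKOUT_MS : Math.min(MAX_BACKOFF_MS, BASE_DELAY_MS * 2 ** (count - 1));
      this.store.set(key, { count, notBefore: t + delay, expiresAt: t + WINDOW_MS });
    }
  }
  // A successful login clears only the account counter; the IP counter keeps its
  // TTL so a valid login cannot launder an address that is guessing other accounts.
  recordSuccess(email, ip) { this.store.delete(this.keysFor(email, ip)[0]); }
}
```

Wire `check` in before the password comparison and `recordFailure`/`recordSuccess` after it, and return the same generic error whether the block came from the email counter or the IP counter.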
Operations
Security is an ongoing operating practice. These notes point back to the same checklist the product follows.
Read the full checklist at docs/ops/32-production-security-checklist.
The broader model lives in docs/architecture/21-security-privacy.
Plain-language stance
The point is to make security posture inspectable before somebody stores real inventory data here.
We publish detect → assess → contain → notify workflows so the response path is explicit before an incident ever happens.
The operations checklist covers uptime monitors, error tracking, and daily Postgres backups with retention expectations already defined.
JWT secrets, webhook secrets, and database connections follow explicit environment validation and secure transport requirements.
Email verification, session review, password-change session revocation, and optional 2FA let users actively protect their own workspace.
We are happy to explain how cookies, CSP, session controls, and two-factor authentication work in practice. Email hello@dokodo.app and we will reply within one business day.