Security baseline
Mandatory controls to run Beacon without exposing secrets or sensitive data.
reference • updated 2026-03-17
Goal
Define the minimum security posture required for every Beacon environment before moving to production.
Mandatory checklist
11) Secrets and credentials
Store secrets in a dedicated vault, rotate automatically, and never expose them in code, logs, or public docs.22) Access and permissions
Enforce least privilege, keeping in mind that the product currently exposes onlyOWNERandADMINroles.33) Event integrity
Enable webhook signature validation, verify timestamp, and enforce idempotency end-to-end.44) Audit and traceability
Guarantee audit trail, retention, and capturecode,nextAction,webhookEventId, andqueueJobIdfor critical operations.55) Incident response
Maintain validated runbooks and escalation contacts.
Control matrix by domain
| Domain | Minimum control | Evidence |
|---|---|---|
| API | Session bearer tokens, explicit org, and membership review | Session policy + access audit logs |
| Webhooks | Signature validation + event.id deduplication + auditable replay | Validation logs + replay checks by webhookEventId |
| Dashboard | MFA and segregation between OWNER and ADMIN | Monthly access review |
| Fiscal | setup-state as the single source of truth, document integrity, and reconciliation | Close report + exception register |
Forbidden patterns
- Real credentials in documentation examples.
- Internal/dev-only endpoints in public docs.
- Full personal data exports through uncontrolled channels.