Security baseline
Mandatory controls to run Beacon without exposing secrets or sensitive data.
reference • updated 2026-03-15
Goal
Define the minimum security posture required for every Beacon environment before moving to production.
Mandatory checklist
11) Secrets and credentials
Store secrets in a dedicated vault, rotate automatically, and never expose them in code, logs, or public docs.22) Access and permissions
Enforce least privilege per persona, run periodic role reviews, and remove orphaned access.33) Event integrity
Enable webhook signature validation, verify timestamp, and enforce idempotency end-to-end.44) Audit and traceability
Guaranteerequest_id, audit trail, and minimum retention for investigations.55) Incident response
Maintain validated runbooks and escalation contacts.
Control matrix by domain
| Domain | Minimum control | Evidence |
|---|---|---|
| API | Short-lived tokens, organization-level scopes | Token policy + issuance logs |
| Webhooks | Signature validation + safe replay | Validation logs + replay tests |
| Dashboard | MFA and segregation of duties | Monthly access review |
| Fiscal | Document integrity + reconciliation | Close report + exception register |
Forbidden patterns
- Real credentials in documentation examples.
- Internal/dev-only endpoints in public docs.
- Full personal data exports through uncontrolled channels.