Beacon

Security baseline

View as Markdown

Security baseline

Mandatory controls to run Beacon without exposing secrets or sensitive data.

reference • updated 2026-03-17

Goal

Define the minimum security posture required for every Beacon environment before moving to production.

Mandatory checklist

  1. 11) Secrets and credentials

    Store secrets in a dedicated vault, rotate automatically, and never expose them in code, logs, or public docs.
  2. 22) Access and permissions

    Enforce least privilege, keeping in mind that the product currently exposes only OWNER and ADMIN roles.
  3. 33) Event integrity

    Enable webhook signature validation, verify timestamp, and enforce idempotency end-to-end.
  4. 44) Audit and traceability

    Guarantee audit trail, retention, and capture code, nextAction, webhookEventId, and queueJobId for critical operations.
  5. 55) Incident response

    Maintain validated runbooks and escalation contacts.

Control matrix by domain

DomainMinimum controlEvidence
APISession bearer tokens, explicit org, and membership reviewSession policy + access audit logs
WebhooksSignature validation + event.id deduplication + auditable replayValidation logs + replay checks by webhookEventId
DashboardMFA and segregation between OWNER and ADMINMonthly access review
Fiscalsetup-state as the single source of truth, document integrity, and reconciliationClose report + exception register

Forbidden patterns

  • Real credentials in documentation examples.
  • Internal/dev-only endpoints in public docs.
  • Full personal data exports through uncontrolled channels.