2405 Security Best Practices
Security Best Practices
Introduction
Security is not a feature you add at the end - it's a fundamental aspect of application design that must be considered at every level. In this article, you'll learn enterprise-grade security practices, understand Tadabase's security architecture, and implement comprehensive security measures to protect your application and its data.
Security Layers in Tadabase
Tadabase implements security through multiple layers, creating a defense-in-depth approach.
1. Infrastructure Security
Provided automatically by Tadabase:
- Cloud Hosting - AWS infrastructure with built-in security
- DDoS Protection - Protection against denial-of-service attacks
- SSL/TLS Encryption - All data encrypted in transit
- Database Encryption - Data encrypted at rest
- Regular Backups - Automatic daily backups
- Uptime Monitoring - 99.9% uptime guarantee
- Security Patches - Regular platform updates
2. Platform Security
Built into Tadabase:
- SQL Injection Prevention - Automatic query sanitization
- XSS Protection - Cross-site scripting prevention
- CSRF Protection - Cross-site request forgery prevention
- Input Validation - Automatic data validation
- Session Management - Secure session handling
- Password Hashing - Passwords encrypted with bcrypt
3. Application Security
What you configure:
- User Authentication - Login requirements and methods
- Role-Based Access - Page and component permissions
- Page Rules - Conditional access control
- Field Permissions - Control data visibility
- Record Ownership - User-specific data access
- Builder Access - Who can edit the application
4. Data Security
How you protect data:
- Data Isolation - Separating user/tenant data
- Sensitive Field Handling - Protecting confidential information
- Audit Trails - Tracking data changes
- Export Controls - Limiting data export
- Data Validation - Ensuring data integrity
The Principle of Least Privilege
Least privilege means giving users only the minimum access necessary to perform their job.
Why Least Privilege Matters
- Limits Damage - If account is compromised, damage is contained
- Reduces Errors - Users can't accidentally modify data they shouldn't
- Compliance - Required by many regulations (HIPAA, SOC 2, etc.)
- Audit Trail - Easier to track who did what
- Data Protection - Sensitive data exposed to fewer people
Implementing Least Privilege
Start with Minimum Access
- Create roles with minimal permissions
- Add permissions only as needed
- Document why each permission was granted
- Review and remove unnecessary permissions
Example: CRM Access Levels
| Role | Access Level | Justification |
|---|---|---|
| Sales Rep | Own leads only | Need to work their pipeline |
| Sales Manager | Team leads | Need to oversee team performance |
| VP Sales | All sales data | Need complete visibility |
| Support | Customer data (read-only) | Need info to help customers |
| Admin | Everything | System administration |
Avoid These Common Mistakes
- Making everyone an admin "for convenience"
- Giving access "just in case they need it"
- Sharing admin credentials among multiple people
- Not removing access when roles change
- Granting permanent access for temporary needs
Password Security
Strong password policies are your first line of defense.
Password Requirements
Minimum Standards
Configure in Settings → Users → Security:
- Minimum Length - At least 8 characters (12+ for sensitive apps)
- Complexity - Require mix of:
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Numbers (0-9)
- Special characters (!@#$%)
- No Common Passwords - Block "password", "123456", etc.
- No Personal Info - Block name, email, birthday in password
Password Expiration
For high-security applications:
- Expiration Period - Force password change every 90 days
- Password History - Prevent reusing last 5 passwords
- Expiration Notice - Warn users 7 days before expiration
- Grace Period - Allow login for X days after expiration to change password
Account Lockout
Protect against brute force attacks:
- Failed Attempts Threshold - Lock after 5 failed login attempts
- Lockout Duration - 15-30 minutes
- Auto-Unlock - Automatic unlock after duration
- Manual Unlock - Admin can unlock accounts
- Notification - Email user when account is locked
Password Best Practices
- Never store passwords in plain text (Tadabase encrypts automatically)
- Never email passwords to users
- Use password reset, not password retrieval
- Require password change on first login (for admin-created accounts)
- Provide password strength indicator during creation
- Consider using passphrases instead of passwords
Multi-Factor Authentication (MFA)
MFA adds significant security by requiring multiple verification methods.
Why Use MFA?
- Stops 99.9% of Account Compromises - Even if password is stolen
- Compliance Requirement - Required by many regulations
- Protects Sensitive Data - Extra layer for critical systems
- Remote Access Security - Essential for remote workers
When to Require MFA
- Administrative Access - Always require for admins
- Sensitive Data - Healthcare, financial, personal data
- Remote Access - Users accessing from outside network
- High-Value Accounts - Executive accounts, finance users
- Compliance - Industry regulations (HIPAA, PCI-DSS)
MFA Implementation
Option 1: Required for All Users
- Enable in Settings → Users → Security
- All users must set up MFA
- Provide grace period for setup (e.g., 7 days)
- Users cannot access app until MFA is configured
Option 2: Required for Specific Roles
- Require only for Admin and Manager roles
- Optional for regular users
- Balances security with usability
Option 3: Optional but Encouraged
- Make MFA available but not required
- Encourage users to enable it
- Provide incentives (e.g., higher data limits)
MFA Recovery
Plan for users losing access to MFA device:
- Backup Codes - Provide one-time recovery codes
- Admin Override - Admins can temporarily disable MFA
- Verification Process - Verify user identity before disabling
- Re-enable MFA - Require setting up new MFA method
Session Management
Proper session management prevents unauthorized access.
Session Timeout
Automatically log out inactive users:
- Inactivity Timeout - Log out after 30-60 minutes of inactivity
- Absolute Timeout - Force logout after X hours regardless of activity
- Warning - Warn users before timeout ("You'll be logged out in 5 minutes")
- Save Work - Auto-save before logout to prevent data loss
Session Settings
Configure in Settings → Users → Session:
| Setting | Low Security | Medium Security | High Security |
|---|---|---|---|
| Inactivity Timeout | 24 hours | 2 hours | 15 minutes |
| Absolute Timeout | 7 days | 8 hours | 4 hours |
| Remember Me | Enabled | Disabled | Disabled |
| Concurrent Sessions | Allowed | Limited (3) | Single only |
Concurrent Session Control
- Allow Multiple - User can be logged in from multiple devices
- Limit Number - Max 3 concurrent sessions
- Single Session - New login logs out previous session
- Session List - Show users their active sessions
- Remote Logout - Allow users to end other sessions
Data Encryption
Tadabase encrypts your data automatically, but you should understand how it works.
Encryption at Rest
Data stored in the database:
- Automatic - All data encrypted on disk
- AES-256 Encryption - Industry-standard encryption
- Database Level - Entire database encrypted
- Backup Encryption - Backups also encrypted
Encryption in Transit
Data traveling between browser and server:
- SSL/TLS - All connections use HTTPS
- TLS 1.2+ - Modern encryption protocols
- Certificate Validation - Automatic certificate management
- Custom Domains - SSL works with your domain
Field-Level Encryption
For extra-sensitive fields (available on higher-tier plans):
- Encrypted Fields - Specific fields encrypted with separate keys
- Credit Card Numbers - PCI-compliant encryption
- SSNs - Additional encryption layer
- Health Records - HIPAA-compliant encryption
Password Encryption
- One-Way Hashing - Passwords cannot be decrypted
- Bcrypt Algorithm - Industry-standard hashing
- Salt + Hash - Unique salt for each password
- Never Stored Plain Text - Impossible to retrieve original password
Builder Access Controls
Control who can edit your application.
Builder Permissions
App Owner
- Full control over the application
- Can add/remove builders
- Can delete the application
- Billing and subscription management
Builder (Full Access)
- Can modify data structure
- Can create/edit pages
- Can configure settings
- Can manage users
- Cannot delete app
- Cannot manage billing
Builder (Limited Access)
- Can edit specific pages only
- Cannot modify data structure
- Cannot access settings
- Cannot manage users
- Good for contractors or limited team members
Managing Builders
- Go to Settings → Builders
- Click "Add Builder"
- Enter builder's email address
- Select permission level
- Send invitation
- Builder receives email with access link
Builder Best Practices
- Limit Builders - Only give builder access to those who need it
- Use Limited Access - Don't give full access if not needed
- Remove Access - Remove builders when they leave team
- Separate Accounts - Don't share builder credentials
- Audit Changes - Review builder activity regularly
- Use Staging - Test changes in staging before applying to production
Builder Audit Trail
Track what builders change:
- Change Log - View history of builder modifications
- Who Changed What - See which builder made each change
- When Changed - Timestamp of modifications
- Restore Previous - Revert to earlier versions if needed
Audit Logging
Audit logs track who did what and when.
What to Log
- User Logins - Track all authentication attempts
- Failed Logins - Suspicious activity
- Data Changes - Who created/modified/deleted records
- Permission Changes - Role assignments and modifications
- Exports - Who exported data
- Configuration Changes - Builder modifications
Implementing Audit Logging
Automatic Logging
Tadabase automatically logs:
- User login history
- Record creation (Created By, Created Date)
- Record modifications (Modified By, Modified Date)
- API access logs
Custom Audit Fields
Add audit fields to important tables:
- Created By - Connection to Users (auto-fill with logged-in user)
- Created Date - Date/Time (auto-fill with current date)
- Modified By - Connection to Users (update on edit)
- Modified Date - Date/Time (update on edit)
- Status Changes - Log when status changes
- Approval History - Who approved and when
Detailed Audit Tables
For high-security applications, create dedicated audit tables:
- Create "Audit Log" table
- Fields: User, Action, Table, Record ID, Old Value, New Value, Timestamp
- Use record rules to automatically log changes
- Create audit report pages
Login History
View user login activity:
- Go to Settings → Users
- Select a user
- View Login History
- See: Date/Time, IP Address, Location, Device
Reviewing Audit Logs
- Regular Reviews - Check logs weekly or monthly
- Look for Anomalies - Unusual access patterns
- Failed Logins - Multiple failures = possible attack
- After-Hours Access - Logins at unusual times
- Bulk Exports - Large data exports
- Permission Changes - Unexpected role changes
Data Privacy and Compliance
Protect user privacy and meet regulatory requirements.
GDPR (General Data Protection Regulation)
If you have EU users:
- Consent - Get explicit consent to collect data
- Data Minimization - Only collect necessary data
- Right to Access - Users can request their data
- Right to Delete - Users can request data deletion
- Data Portability - Export user data on request
- Privacy Policy - Clear explanation of data usage
- Breach Notification - Report breaches within 72 hours
HIPAA (Healthcare)
For healthcare applications:
- BAA Required - Business Associate Agreement with Tadabase
- Encryption - All data encrypted (provided automatically)
- Access Controls - Strict user permissions
- Audit Logs - Comprehensive logging
- Minimum Necessary - Least privilege access
- Secure Communication - Encrypted emails
- Training - Staff HIPAA training
PCI DSS (Payment Card Data)
If handling credit cards:
- Never Store CVV - Card verification codes cannot be stored
- Encrypt Card Numbers - Use encrypted fields
- Limit Access - Minimal people can see card data
- Use Payment Gateway - Let Stripe/PayPal handle cards directly
- Regular Scans - Security vulnerability scanning
- Compliance Validation - Annual PCI assessment
SOX (Financial)
For public companies:
- Access Controls - Documented permissions
- Audit Trails - Complete activity logging
- Separation of Duties - No single person controls entire process
- Change Management - Documented approval for changes
- Regular Reviews - Periodic access audits
Implementing Compliance
- Identify Requirements - Determine which regulations apply
- Document Policies - Create security and privacy policies
- Configure Security - Implement appropriate controls
- Train Users - Educate on compliance requirements
- Regular Audits - Verify ongoing compliance
- Update as Needed - Adjust for regulation changes
Secure API Access
If you expose your app via API, secure it properly.
API Authentication
- API Keys - Required for all API calls
- Key Rotation - Change keys periodically
- Key per Integration - Separate key for each external system
- Revoke Compromised Keys - Immediately disable if leaked
API Permissions
- Read vs. Write - Limit API to necessary operations
- Table Access - Restrict which tables API can access
- Rate Limiting - Prevent API abuse
- IP Whitelisting - Only allow from known IPs
API Logging
- Log all API requests
- Track: Who, What, When, Source IP
- Monitor for unusual activity
- Alert on failed authentication attempts
API security is covered in detail in Phase 7.
Security Testing
Test your security regularly.
Access Control Testing
- Create Test Users - One for each role
- Test Each Role - Verify they see only what they should
- Try to Break It - Attempt to access restricted pages via URL
- Test Edge Cases - What if user has no role? No department?
- Test Transitions - Change user roles and verify access updates
Data Isolation Testing
- Create Test Data - For different users/tenants
- Log in as Each User - Verify they see only their data
- Try Cross-Access - Can users access others' data via URL?
- Test Filters - Verify data filtering works correctly
- Test Reports - Check exported data for leaks
Authentication Testing
- Test Login - Verify login works
- Test Logout - Verify session ends
- Test Password Reset - Complete password reset flow
- Test Failed Logins - Verify lockout works
- Test Session Timeout - Verify auto-logout works
Penetration Testing
For high-security applications:
- Hire security professionals
- Conduct regular penetration tests
- Address discovered vulnerabilities
- Document findings and remediation
Incident Response
Have a plan for security incidents.
Security Incident Plan
1. Preparation
- Document incident response procedures
- Identify incident response team
- Keep emergency contact list
- Have Tadabase support contact ready
2. Detection
- Monitor audit logs
- Watch for suspicious activity
- User reports of unusual behavior
- Automated alerts for anomalies
3. Containment
- Disable compromised accounts immediately
- Change API keys if exposed
- Restrict access to affected resources
- Prevent further damage
4. Investigation
- Review audit logs
- Determine scope of breach
- Identify what data was accessed
- Find how breach occurred
5. Remediation
- Close security gap
- Update permissions
- Reset passwords if needed
- Implement additional controls
6. Notification
- Notify affected users (if required)
- Report to authorities (if required by regulation)
- Document incident
- Update policies
Common Security Incidents
| Incident | Response |
|---|---|
| Lost password | User resets via email |
| Account locked | Admin unlocks or auto-unlock after timeout |
| Compromised account | Disable account, force password reset, review activity |
| API key leaked | Revoke key immediately, generate new key, review API logs |
| Data export concerns | Review who exported, what data, restrict export permissions |
| Unauthorized access attempt | Review logs, strengthen access controls, monitor user |
Security Checklist
Use this checklist before launching your application:
Authentication & Access
- ☐ Strong password requirements enabled
- ☐ Account lockout configured
- ☐ Session timeout set appropriately
- ☐ MFA enabled for administrators
- ☐ Email verification enabled (if public signup)
- ☐ Password reset flow tested
Roles & Permissions
- ☐ Roles defined following least privilege
- ☐ Page permissions configured for all pages
- ☐ Component permissions set where needed
- ☐ Field permissions configured for sensitive data
- ☐ Data filters implemented for isolation
- ☐ All roles tested with test users
Data Security
- ☐ Sensitive fields identified and protected
- ☐ Audit fields added to important tables
- ☐ Record ownership implemented where needed
- ☐ Data export permissions restricted
- ☐ No sensitive data in URLs or logs
Builder Access
- ☐ Builder access limited to necessary people
- ☐ No shared builder accounts
- ☐ Former team members removed
- ☐ Change log reviewed
Compliance
- ☐ Privacy policy created and linked
- ☐ Terms of service created
- ☐ Regulatory requirements identified
- ☐ Required consents obtained
- ☐ Data retention policy documented
Monitoring & Response
- ☐ Audit logging enabled
- ☐ Regular log review scheduled
- ☐ Incident response plan documented
- ☐ Security contact identified
- ☐ Backup and recovery tested
Testing
- ☐ Tested with each user role
- ☐ Attempted unauthorized access
- ☐ Verified data isolation
- ☐ Tested all authentication flows
- ☐ Had others test (fresh perspective)
Summary
In this article, you learned:
- Security layers - Defense in depth with multiple security levels
- Least privilege - Giving users minimum necessary access
- Password security - Strong requirements and policies
- Multi-factor authentication - Adding extra verification layer
- Session management - Controlling user sessions securely
- Data encryption - How Tadabase protects data
- Builder access - Controlling who can edit applications
- Audit logging - Tracking user activity
- Compliance - Meeting regulatory requirements
- Security testing - Verifying your security implementation
- Incident response - Handling security events
Security is not something you add at the end - it must be built into your application from the ground up. By following these best practices, you'll create applications that protect user data and meet professional security standards.
In the next article, you'll learn about record ownership - implementing user-specific data access and record-level security.
Next: Record Ownership - Implementing Record-Level Security
Hands-On Exercise (To Be Added)
Exercise placeholders will include practical activities such as:
- Configuring password requirements
- Setting up session timeout
- Implementing audit fields
- Creating security test users
- Testing access controls thoroughly
- Completing security checklist
Knowledge Check (To Be Added)
Quiz questions will test understanding of:
- Layers of security in Tadabase
- Principle of least privilege
- Password security best practices
- When to use MFA
- Compliance requirements
- Security testing approaches
We'd love to hear your feedback.