# Security

# Security

This page describes security concepts and operational practices for Curiosity Workspace deployments. Because security requirements differ by organization, treat this as a baseline and align it with your internal policies.

# Security domains

• Identity and authentication
  • how users log in and how sessions are managed
• Authorization
  • what users can see and do (roles, permissions, access control)
• Data protection
  • encryption at rest and in transit
  • backups and retention
• Operational security
  • secrets management
  • patching and vulnerability management
• Audit and monitoring
  • logs and traces for security-relevant events

# Recommended baseline practices

• TLS everywhere for all UI and API traffic.
• Store tokens and credentials in a secret manager (never in source control).
• Use least privilege for API tokens and endpoint tokens.
• Separate environments: dev, staging, prod.
• Use restricted admin access and require stronger authentication for admins.

# Endpoint security

If you expose custom endpoints to external callers:

• require endpoint tokens
• validate inputs and enforce request limits
• avoid exposing admin-only functionality externally
• log access and failures

See APIs & Extensibility → Custom Endpoints.

# Next steps

• Configure authorization boundaries: Permissions
• Set up operational controls: Deployment