# Security
Security guidance for protecting credentials and data in Dango projects.
## Overview
This section covers:
- How Dango handles credentials securely
- What you need to do to protect your data
- Best practices for production deployments
## Security Model
### What Dango Handles
Dango implements several security measures automatically:
| Feature | Description |
|---|---|
| Credential Storage | API keys stored in .dlt/secrets.toml |
| OAuth Tokens | Tokens stored in secrets.toml (optionally encrypted) |
| Credential Masking | Secrets masked in logs |
| Local Storage | Data stays on your machine |
### What You Must Do
Security is a shared responsibility:
| Your Responsibility | How |
|---|---|
| Protect API keys | Never commit to git |
| Secure secrets.toml | Add to .gitignore |
| Control access | Limit who has project access |
| Backup securely | Encrypt sensitive backups |
## Security Guides
- Credential Management: How Dango stores and manages API keys and credentials.
- OAuth Tokens: OAuth token lifecycle and security considerations.
- Best Practices: Security best practices for Dango projects.
## Quick Security Checklist
### Before Starting
- Create `.gitignore` with credential patterns
- Understand where secrets are stored
- Plan credential rotation strategy
### During Development
- Use environment variables for sensitive values
- Never hardcode credentials
- Review commits before pushing
### For Production
- Change default Metabase password
- Secure backup storage
- Limit access to project directory
- Monitor for credential exposure
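The checklist items "add secrets.toml to .gitignore" and "review commits before pushing" can be turned into a repeatable check. The script below is an added example, not part of Dango's own tooling: it idempotently adds ignore patterns for the credential files this page names (`.dlt/secrets.toml`, `secrets.toml`; the pattern list is an assumption you should extend for your project) and lists any of those files git already tracks or has staged, which is the case `.gitignore` alone does not catch.

```shell
#!/bin/sh
# Added example (not Dango project code). Ensures Dango/dlt credential files are
# git-ignored and reports any that are already in the git index.
set -eu

# Assumed patterns, taken from the paths named in the Dango security docs.
SECRET_PATTERNS=".dlt/secrets.toml
secrets.toml"

# ensure_ignored DIR: append each pattern to DIR/.gitignore if it is not already
# present as an exact line. Safe to run repeatedly (no duplicate entries).
ensure_ignored() {
    gi="$1/.gitignore"
    touch "$gi"
    printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        if ! grep -qxF "$pat" "$gi"; then
            printf '%s\n' "$pat" >> "$gi"
        fi
    done
}

# count_ignored_patterns DIR: number of SECRET_PATTERNS present verbatim in
# DIR/.gitignore (patterns contain no whitespace, so word splitting is safe).
count_ignored_patterns() {
    n=0
    for pat in $SECRET_PATTERNS; do
        grep -qxF "$pat" "$1/.gitignore" 2>/dev/null && n=$((n + 1))
    done
    echo "$n"
}

# tracked_secrets DIR: print credential files git already tracks or has staged.
# A .gitignore entry does not untrack a file that was committed earlier, so an
# empty result here is the condition to require before pushing. Needs git;
# prints nothing if DIR is not a repository.
tracked_secrets() {
    ( cd "$1" && git ls-files -- $SECRET_PATTERNS 2>/dev/null ) || true
}

# Usage: ./check_secrets.sh [project_dir]
if [ "${1-}" ]; then
    ensure_ignored "$1"
    echo "ignored patterns: $(count_ignored_patterns "$1")"
    echo "tracked secret files:"
    tracked_secrets "$1"
fi
```

If `tracked_secrets` prints anything, the file was committed before the ignore rule existed and must be removed from the index (and the exposed key rotated, per the rotation strategy above).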
## Security Boundaries
### In Scope (This Documentation)
- Credential storage mechanisms
- OAuth token handling
- Git security patterns
- Secrets management
### Out of Scope
Dango is a local-first MVP. The following are not currently covered:
- Network security (Dango runs locally)
- Database access control (DuckDB is single-user)
- Enterprise authentication (SSO, LDAP)
- Audit logging for compliance
These features may be added in future cloud-enabled versions.
## Reporting Security Issues
If you discover a security vulnerability:
- Do not open a public GitHub issue
- Email security concerns to the maintainers
- Include reproduction steps
- Allow time for a fix before disclosure
## Next Steps
- Credential Management - How credentials are stored
- OAuth Tokens - Token security details
- Best Practices - Security recommendations