Security Best Practices
Practical tips for keeping your ArtistGuard account and API keys secure.
Most incidents aren't sophisticated attacks. They're a shared password, a committed key, or an old contractor account nobody deactivated. The fixes are boring. They work.
Account basics
Use a strong, unique password. ArtistGuard hashes passwords with bcrypt so we can't read yours, but a weak password can still be guessed if someone targets your account directly.
Don't share your login. Invite teammates via Dashboard > Organization instead. Everyone gets their own account, their own session, and their own audit trail.
Check your active sessions occasionally. Under Dashboard > Settings you'll see every device and location your account is signed in from. Anything look wrong? Revoke that session right away.

API key hygiene
Never put keys in your code. Not in source files, not in config files you commit.
# wrong: key hardcoded in a source or config file that gets committed
ARTISTGUARD_KEY="ag_live_xK3m..."
# right: key supplied through the environment, set outside the repository
export ARTISTGUARD_API_KEY="ag_live_xK3m..."
One key per integration. If one system is compromised, you revoke one key, not a key that three other systems also depend on.
Set expiry dates for temporary access. Contractor finishing up? Set the key expiry to match. When the engagement ends, the key is already dead.
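A way to enforce the "never commit keys" rule automatically, as an added example that is not ArtistGuard's own tooling: a git pre-commit hook that blocks a commit when a staged file contains something shaped like a live key, plus a check that the key is coming from the environment. The `ag_live_` prefix is from this page; the assumed key body (8 or more alphanumerics) is a guess at the format, not the real one.

```shell
#!/bin/sh
# Added example (not ArtistGuard's own code): refuse commits that contain a
# live ArtistGuard key, and verify the key is supplied via the environment.
# "ag_live_" is the prefix shown in the docs; the body pattern is an assumption.

KEY_PATTERN='ag_live_[A-Za-z0-9]\{8,\}'

# Print file:line:text for every line in the given files that looks like a
# live key. Exit status 0 means at least one match was found (grep semantics).
scan_files() {
  grep -nH "$KEY_PATTERN" "$@"
}

# Succeed only when ARTISTGUARD_API_KEY is set and non-empty in the
# environment, which is where the docs say the key should come from.
require_key_from_env() {
  [ -n "${ARTISTGUARD_API_KEY:-}" ]
}

# Scan files staged for commit (added, copied, modified), print any offending
# lines and return non-zero so git aborts the commit.
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    if scan_files "$f" 2>/dev/null; then
      status=1
    fi
  done
  if [ "$status" -ne 0 ]; then
    echo "refusing commit: ArtistGuard live key found in staged files" >&2
  fi
  return "$status"
}

# Install: cp this-file .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
# Only runs the check when invoked by git under the hook's name.
case "${0##*/}" in
  pre-commit) check_staged ;;
esac
```

Use the same pattern in CI on the full tree as a backstop, since a local hook only protects developers who installed it.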
What ArtistGuard does on its end
- Passwords hashed with bcrypt, unrecoverable even by us
- Session tokens hashed before storage
- API keys hashed on creation, full value returned once and never stored in plaintext
- All traffic over HTTPS via Cloudflare, which also handles DDoS protection
- Database not publicly accessible; a Cloudflare Tunnel routes requests to it without exposing any ports
Permissions
Members you invite can see artists, changes, and the dashboard. Only the organization creator can manage alert rules and API keys.
API keys belong to the organization. If someone leaves, their sessions are revoked but any keys they created stay active until you revoke them manually.
Found a vulnerability?
Email [email protected] with as much detail as possible.