Security Best Practices

Protect your app, your users, and your data from day one.

Security Is Built In by Default

Every app built on Imagine.bo comes with security best practices applied automatically. You don't need to configure these — they are part of every deployment:

• SSL/HTTPS on all deployed apps — all data in transit is encrypted.
• Data encryption at rest and in transit — your database and API communications are secured.
• Secure authentication and session management — login flows are generated with industry-standard security.
• Role-Based Access Control (RBAC) — user roles and permissions are enforced at the data layer, not just the UI.
• GDPR and SOC 2 readiness foundations — compliance best practices are baked into the deployment architecture.

Define Access Control in Your Prompts

The most effective security measure is specifying correct permissions before the app is generated. Retrofitting access control is harder than building it in from the start.

In every project prompt, define:

• Which user roles exist.
• What data each role can read, write, edit, and delete.
• Which pages or API endpoints are restricted by role.

Example:

There are three roles: Guest (can only view public listings), Member (can create and edit their own listings), and Admin (can edit or delete any listing and manage users). Guests cannot access /dashboard or /settings.

Protect Sensitive Data Fields

When building apps that handle personal information (emails, phone numbers, payment details, health data):

• Prompt Imagine.bo to mask or hide sensitive fields from roles that don't need them.
• Avoid displaying raw sensitive data in admin dashboards unless necessary.
• For payment processing, always use the Assign a Developer feature — payment integrations involve compliance requirements (PCI-DSS) that benefit from human engineering oversight.

Use Strong Authentication Practices

Imagine.bo generates secure authentication out of the box. Reinforce this with good practices in your app design:

• Enable email verification on signup for user-facing apps: Require email verification before a user can access their dashboard.
• Use password reset flows — prompt Imagine.bo to include a "forgot password" flow with email-based reset.
• For sensitive or enterprise apps, consider specifying two-factor authentication (2FA) as a requirement in your initial prompt.

Review Permissions Before Going Live

Before deploying publicly, manually test your app with accounts in each user role:

• Can a Guest access pages they shouldn't?
• Can a standard Member modify or delete another user's data?
• Can unauthenticated users reach authenticated routes by typing URLs directly?

If you find a permissions issue, describe it in a follow-up prompt or assign it to a developer for precise correction.

Keep Third-Party Integrations Secure

When adding third-party APIs (payment providers, analytics tools, external services):

• Never expose secret API keys in frontend code. Use the Assign a Developer feature for integrations that require secure key management.
• Limit the permissions of any API key to only what the integration requires.
• Regularly rotate keys for sensitive services.

Data Ownership and Export

You own your data entirely. Imagine.bo provides easy export capabilities so you are never locked into the platform. For compliance-sensitive projects:

• Export your data regularly as a backup.
• Document what personal data your app collects — this is required for GDPR compliance.
• Use the Assign a Developer feature if you need to implement a formal data deletion or data export workflow for end users (a GDPR "right to erasure" feature).

FAQ