Dashboard security is not only an infrastructure concern. Correct role assignment, regular access cleanup and careful export controls are the foundation of day-to-day security.
Security is not a single measure but a multi-layered discipline. One gap weakens the chain; multiple layers protect it.
Role-based access
Every API endpoint and panel screen should be scoped by restaurant access, and the scope must come from the verified session or token, never from a client-supplied parameter. Owners should see only the restaurants they own; managers should see only the restaurant they are assigned to. Superadmin is the only unscoped role, which is why it must stay rare.
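The following is an added example, not the project's own code, showing one way to enforce the restaurant scope described above in a Node.js API; it also covers the export rule from the checklist and FAQ. It assumes (hypothetically) that the verified user object carries a `role` of `superadmin`, `owner` or `manager` plus an explicit `restaurantIds` allow-list, that routes name the restaurant in `req.params.restaurantId`, and that managers may read but only owners and superadmins may export. The middleware shape follows Express conventions, but the example runs without Express.

```javascript
// Added example (not the project's own code): restaurant-scoped authorization.
// Assumptions (hypothetical): req.user is populated from an already-verified
// session/JWT, roles are 'superadmin' | 'owner' | 'manager', and owners/managers
// carry an explicit allow-list of restaurant ids in user.restaurantIds.

const ROLES = new Set(["superadmin", "owner", "manager"]);

// Pure decision function so it can be unit-tested without a web framework.
// Returns true only when `user` may perform `action` on `restaurantId`.
function canAccessRestaurant(user, restaurantId, action = "read") {
  if (!user || !ROLES.has(user.role)) return false;
  if (typeof restaurantId !== "string" || restaurantId.length === 0) return false;

  // Superadmin is unscoped; keep this population minimal (see checklist).
  if (user.role === "superadmin") return true;

  // Owners and managers are scoped to an explicit allow-list of restaurant ids.
  // A manager is assigned one restaurant; an owner may own several.
  const scope = Array.isArray(user.restaurantIds) ? user.restaurantIds : [];
  if (!scope.includes(restaurantId)) return false;

  // Exports are further restricted by role (assumption): managers cannot export.
  if (action === "export") return user.role === "owner";
  return action === "read" || action === "write";
}

// Express-style middleware factory. The restaurant id comes from the URL and the
// user from the verified token (req.user), never from the request body.
function requireRestaurantScope(action = "read") {
  return function (req, res, next) {
    const restaurantId = req.params && req.params.restaurantId;
    if (!canAccessRestaurant(req.user, restaurantId, action)) {
      // 404 rather than 403 so callers cannot enumerate restaurant ids they do not own.
      res.status(404).json({ error: "not found" });
      return;
    }
    next();
  };
}

// Minimal stand-in for req/res so the middleware can be exercised without Express.
function runMiddleware(mw, user, restaurantId) {
  let status = 200;
  let nextCalled = false;
  const req = { user, params: { restaurantId } };
  const res = {
    status(code) { status = code; return this; },
    json() { return this; },
  };
  mw(req, res, () => { nextCalled = true; });
  return { nextCalled, status };
}

// Constructed sample users (not real data).
const sampleUsers = {
  admin: { id: "u1", role: "superadmin" },
  owner: { id: "u2", role: "owner", restaurantIds: ["r-10", "r-11"] },
  manager: { id: "u3", role: "manager", restaurantIds: ["r-10"] },
};

// Usage: app.get("/restaurants/:restaurantId/orders.csv", requireRestaurantScope("export"), handler)
```

The same `requireRestaurantScope` guard should sit on the CSV export endpoint itself, not only on the panel screen that links to it: hiding a button is not an access control.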
Operational habits
- Do not share passwords or accounts; every person gets their own login.
- Revoke access for former employees promptly, as part of offboarding rather than at the next review.
- Do not keep export files on local devices longer than needed; delete them once the task is done.
- Limit superadmin access to the few people who genuinely need it.
Environment variables
In production, JWT_SECRET must be a strong, randomly generated value that is unique to this deployment; never rely on a built-in fallback value. API keys and service-account credentials must stay server-side only: never ship them to the browser or commit them to the repository.
Checklist
- JWT_SECRET is set in production and the fallback value is not in use.
- Superadmin count is minimal.
- Manager restaurant scope is correct and enforced on the API, not only in the panel.
- Export permissions are limited by role and restaurant scope.
- Former team members have been removed.
FAQ
Should the JWT fallback be used in production?
No. The fallback exists only for local development. Always set a strong, unique JWT_SECRET in production, and have the application refuse to start without one.
Can everyone export CSV files?
No. Exports should be limited by role and restaurant scope, and the export endpoint itself must enforce the same check as the screen that offers it.