Security
Truetask is built for environments where data security and compliance are non-negotiable. All security controls are available out of the box — no additional modules or paid add-ons required.
TLS / HTTPS
Truetask does not manage TLS certificates. TLS termination is the responsibility of your infrastructure — reverse proxy, load balancer, or cloud provider. This is by design: enterprise deployments typically use internal CAs, corporate certificates, or managed TLS services.
Truetask sets the following security headers automatically:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; ...
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Ensure your reverse proxy terminates TLS before forwarding traffic to Truetask's HTTP port. Because that last hop is plaintext HTTP, bind Truetask to localhost or a private interface so the unencrypted port is not reachable directly. Note also that browsers only honour the Strict-Transport-Security header when it arrives over HTTPS, so the header above has no effect unless the proxy in front of Truetask is actually serving TLS.
Password policy
Truetask enforces password complexity on all accounts:
- Minimum 10 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one digit
These rules are enforced server-side on account creation and password changes.
Rate limiting
Enable API rate limiting to protect against brute-force attacks. Recommended for any instance exposed to the internet or accessible outside your private network. Configure during the setup wizard or set in .env:
POCKETBASE_RATE_LIMIT_ENABLED=true
Settings encryption
When enabled during setup, Truetask encrypts sensitive settings (SMTP credentials, OAuth secrets) stored in the database using the PB_ENCRYPTION_KEY. This protects against data exposure if the database file is accessed directly.
Encryption key is permanent
The encryption key cannot be changed after the database is initialized: changing it makes all encrypted settings unreadable. Choose it carefully during initial setup and back it up separately from the database, since a restored database backup without the original key cannot decrypt those settings.
Encryption at rest
Truetask stores data in a SQLite database on disk. The application does not encrypt this file. You are responsible for encryption at rest on the host.
| Platform | Method | Overhead |
|---|---|---|
| Linux | LUKS/dm-crypt on the data volume | ~3-5% |
| macOS | FileVault | Negligible |
| Windows | BitLocker | Negligible |
| AWS | EBS volume encryption | ~1-2% |
| GCP | Encrypted by default | None |
| Azure | Azure Disk Encryption | ~1-2% |
WARNING
Without encryption at rest, anyone with physical or root access to the host can read the database contents directly. Encryption at rest is a baseline control expected by most compliance frameworks, including SOC 2, HIPAA, and FedRAMP.
Audit log integrity
Truetask uses an HMAC hash chain to provide cryptographic tamper evidence for audit logs. Each entry's hash includes the previous entry's hash, forming a verifiable chain per board. The signing secret is auto-generated on first boot.
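The chaining scheme described above, as an added illustration in Python. This is not Truetask's own code: the record field names, the canonical JSON encoding of each entry and the all-zero genesis sentinel are assumptions, since the page does not document the real record layout. It builds a short chain for one board, then shows which kinds of tampering the chain detects and which it does not.

```python
import hashlib
import hmac
import json
import secrets

# Assumed sentinel used as the "previous hash" of a board's first entry.
# Truetask's real field layout is not documented here; this is an illustration.
GENESIS_HASH = "0" * 64


def entry_hash(secret: bytes, prev_hash: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous entry's hash plus this entry's fields.

    Canonical JSON (sorted keys, no whitespace) so the same entry always
    serialises to the same bytes and therefore to the same tag.
    """
    payload = json.dumps(
        {"prev": prev_hash, **entry}, sort_keys=True, separators=(",", ":")
    ).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def append_entry(secret: bytes, chain: list, entry: dict) -> dict:
    """Append an audit entry, linking it to the current chain head."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = dict(entry)
    record["prev_hash"] = prev_hash
    record["hash"] = entry_hash(secret, prev_hash, entry)
    chain.append(record)
    return record


def verify_chain(secret: bytes, chain: list) -> tuple:
    """Walk the chain from the first entry; return (ok, index_of_first_bad_entry).

    Detects a modified entry (its tag no longer matches) and an inserted,
    removed or reordered interior entry (the next entry's prev_hash no longer
    matches the recomputed head).
    """
    expected_prev = GENESIS_HASH
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if record["prev_hash"] != expected_prev:
            return False, i
        if not hmac.compare_digest(record["hash"], entry_hash(secret, expected_prev, body)):
            return False, i
        expected_prev = record["hash"]
    return True, None


def demo() -> dict:
    """Build a three-entry chain for one board and check four scenarios.

    The random secret stands in for the one generated on first boot; the
    entries are constructed sample data, not real Truetask audit records.
    """
    secret = secrets.token_bytes(32)
    chain = []
    for seq, (action, actor) in enumerate(
        [("card.create", "alice"), ("card.move", "bob"), ("card.delete", "alice")], 1
    ):
        append_entry(secret, chain, {"board_id": "board-1", "seq": seq,
                                     "action": action, "actor": actor})

    results = {"clean": verify_chain(secret, chain)}

    # Edit an interior entry in place: its own tag no longer verifies.
    tampered = [dict(r) for r in chain]
    tampered[1]["actor"] = "mallory"
    results["modified"] = verify_chain(secret, tampered)

    # Delete an interior entry: the following entry's prev_hash no longer links.
    deleted = [chain[0], chain[2]]
    results["interior_deleted"] = verify_chain(secret, deleted)

    # Drop the newest entry: the remaining prefix is still a valid chain.
    results["truncated"] = verify_chain(secret, chain[:2])
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name:17s} ok={ok} first_bad_index={bad_index}")
```

Two properties of any hash chain, not specific to Truetask, follow from the last scenario. First, the chain by itself cannot show that the newest entries were removed, because a truncated prefix still verifies; to detect that, record the current head hash somewhere outside the database (a SIEM, a periodic export) and compare it against the live chain. Second, whoever holds the signing secret can recompute a fully consistent chain after editing it, so the chain is tamper evidence against parties who can reach the database file but not the secret, and the secret needs the same protection as the rest of the instance's key material.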
No configuration is required. Verify a board's audit integrity via the API:
GET /v1/boards/:board_id/audit/verify
Multiple instances
To run multiple Truetask instances on the same server (e.g., production and staging), install each to a separate directory with a unique workspace name and port:
| Instance | Workspace | Port |
|---|---|---|
| Production | truetask-prod | 80 |
| Staging | truetask-staging | 8080 |
The workspace name is used as the Docker Compose project name, so containers from different instances don't conflict. Configure these during the setup wizard or in the .env file.