Security basics guide
As an administrator, you play a vital role in maintaining the integrity and security of your documentation workspace. DocuBot is designed with a security-first approach, focusing on identity verification, controlled data access, and a static output model that minimizes common web vulnerabilities.
This guide explains the core pillars of the DocuBot security model and provides actionable recommendations to help you keep your documentation environment secure.
DocuBot security model overview
DocuBot handles security through three primary layers: identity management, authorized data ingestion, and static content delivery.
- Identity and access: We use Google Sign-In to manage dashboard access. This ensures that only verified users within your organization can manage repository settings, audiences, and sync schedules.
- Authorized ingestion: DocuBot only accesses your source code through explicit authorization. For public repositories, we use standard public access. For private repositories, we use GitHub OAuth to establish a secure, time-limited connection.
- Static delivery: Unlike traditional documentation platforms that render pages at runtime, DocuBot generates static HTML. This architectural choice significantly reduces the “attack surface” of your documentation site by eliminating the need for a live database or server-side processing during page loads.
Managing repository access
Connecting your source code is the most sensitive part of the documentation process. You have full control over which repositories DocuBot can see and how it accesses them.
Private vs. public repositories
Public repositories are accessible by default. However, if your product lives in a private GitHub repository, you must authorize DocuBot via GitHub OAuth. This process grants DocuBot the specific permissions required to read your code for the purpose of documentation generation.
OAuth token management
When you connect a private repository, DocuBot stores an encrypted access token. You can revoke this authorization at any time through your GitHub account settings or by disconnecting the integration within the DocuBot dashboard. We recommend periodically reviewing your connected integrations to ensure only necessary access is maintained.
Public visibility and URL slugs
Every documentation site you create in DocuBot is assigned a unique URL slug (e.g., docubot.cc/your-product-name). It is important to understand the security implications of this public path.
- Public accessibility: By default, generated documentation sites are public. This allows your customers and support teams to access help content without a login.
- Slug naming: Because slugs are public and unique, avoid using sensitive internal project names or confidential codenames in your URL slug. Use clear, customer-facing product names that align with your public branding.
- Information disclosure: DocuBot is designed to generate external-facing documentation. Always review the generated content to ensure that internal-only details, such as private IP addresses or internal server names, are not inadvertently included in your public guides.
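The review step described above can be partly automated. The following is an added example, not DocuBot's own code: it assumes the generated site is available to you as a local directory of HTML or Markdown files, and it flags RFC 1918 and other non-public IPv4 addresses (validated with Python's ipaddress module) plus hostnames under suffixes commonly used for internal naming. The suffix list and the sample pages are constructed for the example; extend the list with your own organisation's internal domains.

```python
"""Pre-publish scan of generated documentation for internal-only details.

Added example (not DocuBot code). Assumes a local copy of the generated
site; sample pages below are constructed so the script runs offline.
"""
from __future__ import annotations

import ipaddress
import re
import tempfile
from pathlib import Path

# Candidate IPv4 literals; each match is validated with ipaddress so that
# strings such as 999.1.1.1 are discarded. Version strings that happen to be
# valid private addresses will still be flagged for manual review.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Hostname-like tokens: one or more dot-separated DNS labels.
HOSTNAME_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+\b",
    re.IGNORECASE,
)

# Assumed list of suffixes that should never appear in customer-facing docs.
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intranet")

DOC_SUFFIXES = (".html", ".htm", ".md")


def is_private_ip(text: str) -> bool:
    """True for private, loopback and link-local IPv4 addresses; False for public or invalid."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def find_disclosures(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) findings for one document's text."""
    findings: list[tuple[str, str]] = []
    for m in IPV4_RE.finditer(text):
        if is_private_ip(m.group(0)):
            findings.append(("private-ip", m.group(0)))
    for m in HOSTNAME_RE.finditer(text):
        host = m.group(0).lower()
        if host.endswith(INTERNAL_SUFFIXES):
            findings.append(("internal-host", host))
    return findings


def scan_site(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan every HTML/Markdown file under root; map relative path -> findings."""
    report: dict[str, list[tuple[str, str]]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in DOC_SUFFIXES:
            hits = find_disclosures(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


if __name__ == "__main__":
    # Constructed sample site: one page leaks staging details, one is clean.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "install.md").write_text(
            "Point the client at https://api.example.com (public, 8.8.8.8 resolves it).\n"
            "Staging lives at 10.42.7.15 and build-agent-03.corp.internal.\n",
            encoding="utf-8",
        )
        (root / "faq.html").write_text(
            "<p>Contact support@example.com for help.</p>", encoding="utf-8"
        )
        for rel, hits in scan_site(root).items():
            for kind, value in hits:
                print(f"{rel}: {kind}: {value}")
```

Run it against the output directory of a sync before the site goes live; any finding is a page to edit (or a suffix to add to the allow-list if it is a false positive), not something to ship.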
Administrative security recommendations
To maintain a healthy security posture, we recommend following these baseline practices:
- Configure automated syncs: Set up a regular sync schedule (daily, weekly, or monthly) to ensure your documentation stays aligned with your latest code. This prevents “documentation drift,” where outdated instructions might lead users to perform insecure actions.
- Maintain support contacts: Keep your support email, portal URL, and phone details accurate in your workspace settings, so that a user who discovers a documentation error or a security concern can reach your team immediately.
- Monitor sync status: Regularly check the status of your sync jobs in the dashboard. A failed sync or an unexpected change in the document set can be an early indicator of configuration issues or unauthorized repository changes.
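One way to turn "an unexpected change in the document set" into a concrete check, as an added example rather than anything DocuBot provides: keep a manifest of file hashes from the last good sync and compare it with the current tree. The assumptions are that you retain a local copy of the generated site (or the documentation sources) after each sync, and that the alert rule below (any page removed, or more than a quarter of the pages changed in one sync) suits your release cadence; the sample trees are constructed so the script runs offline.

```python
"""Detect unexpected churn in a generated documentation set between syncs.

Added example (not DocuBot code). Assumes local copies of the site after
each sync; the baseline/current trees below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

DOC_SUFFIXES = (".html", ".htm", ".md")


def build_manifest(root: Path) -> dict[str, str]:
    """Map each documentation file (relative path) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in DOC_SUFFIXES:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text(encoding="utf-8"))


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify pages as added, removed or changed between two manifests."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def is_suspicious(diff: dict[str, list[str]], baseline_size: int, max_churn: float = 0.25) -> bool:
    """Alert rule (assumed): any removed page, or more than max_churn of the baseline changed."""
    if diff["removed"]:
        return True
    if baseline_size == 0:
        return False
    return len(diff["changed"]) / baseline_size > max_churn


def _write_tree(root: Path, files: dict[str, str]) -> None:
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo() -> tuple[dict[str, list[str]], bool]:
    """Constructed scenario: a good sync, then a sync that silently dropped a page."""
    baseline_files = {
        "index.html": "<h1>Product docs</h1>",
        "guides/install.md": "# Install\nRun the installer.",
        "guides/upgrade.md": "# Upgrade\nBack up first.",
        "security/hardening.md": "# Hardening\nDisable default accounts.",
    }
    current_files = dict(baseline_files)
    del current_files["security/hardening.md"]                  # page vanished
    current_files["guides/install.md"] = "# Install\nRun the installer (revised)."  # edited
    current_files["guides/faq.md"] = "# FAQ\nCommon questions."  # new page
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _write_tree(Path(a), baseline_files)
        _write_tree(Path(b), current_files)
        manifest_file = Path(a) / "manifest.json"  # .json is not a doc suffix, so never hashed
        save_manifest(build_manifest(Path(a)), manifest_file)
        baseline = load_manifest(manifest_file)
        diff = diff_manifests(baseline, build_manifest(Path(b)))
    return diff, is_suspicious(diff, len(baseline))


if __name__ == "__main__":
    changes, alert = demo()
    for kind, pages in changes.items():
        print(f"{kind}: {pages}")
    print("ALERT: review this sync" if alert else "churn within normal bounds")
```

Running the check after every sync and keeping the manifest with the sync record gives you a record of what each sync actually changed; a removed security page or a sudden rewrite of most of the set is worth confirming against the repository's commit history before the site stays published.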
Reporting security concerns
We take the security of your documentation seriously. If you identify a vulnerability or have a specific security concern regarding your DocuBot workspace, please contact our security team through the following official channels:
- Support portal: https://www.ademero.com
- Email: support@ademero.com
- Phone: 863-937-0272
Our team will review your report and work with you to resolve the issue promptly.