Documentation

Practical guides for using FinNote well.

Read product guides, public policies, and implementation notes from one responsive documentation hub.

Jump to content Contact support

Security And Administrative Controls

FinNote uses a conservative access model: public information stays public, while anything that changes application state or exposes account-level data stays behind authentication and role checks.

Authentication boundaries

  • Unauthenticated users can browse public pages and public calculators.
  • Authenticated users unlock dashboard, expenses, income, categories, and goals.
  • Administrative users gain access to oversight pages only when the correct roles and permissions are present.

Core protections

  • Passwords are stored using Argon2id hashing.
  • State-changing routes use CSRF tokens.
  • User-scoped queries protect against cross-account tampering.
  • Role middleware and permission middleware gate sensitive admin actions.

Audit and oversight

Administrative workflows should be reviewable, not opaque.

  • User-role changes and access-sensitive actions appear in audit logs.
  • Calculation data can be inspected from the admin side.
  • System-health data provides a quick operational snapshot.

Mobile administrative safety

The admin surface is intentionally adapted for narrow screens.

  • Wide tables were converted into stacked cards on key pages.
  • Quick actions remain reachable without depending on fragile sidebar interactions.
  • Mobile layouts reduce accidental destructive taps in comparison with horizontally squeezed tables.

Verification checklist

  1. Confirm a standard user receives a forbidden response on admin routes.
  2. Confirm an admin account can open the admin dashboard and related pages.
  3. Confirm audit logs reflect sensitive administrative actions.
  4. Confirm mobile layouts remain readable on admin user, calculations, and audit pages.