
Security

Nick edited this page Nov 26, 2025 · 2 revisions

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability, report it directly through established communication channels.

Security Features

Authentication

  • API Keys: Required for all endpoints
  • Key Rotation: Supported
  • Key Scope: Per-tenant namespaces

Rate Limiting

  • Default: 10 requests/second per API key
  • Configurable: Per-tenant limits
  • Protection: Prevents abuse and DoS

WAF (Web Application Firewall)

  • Burst Detection: Flags suspicious patterns
  • URL Limits: Max 5 URLs per request
  • Phone Limits: Max 3 phone numbers per request
  • Threshold: 10 violations per minute triggers blocking
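
The sketch below is an added example, not the project's own code. It shows one way the limits in this list could fit together: a request over the URL or phone limit counts as a violation, and 10 violations inside a sliding one-minute window block the key. Tracking per API key, the two regular expressions, the `ViolationTracker` name and unblocking once violations age out are all assumptions.

```python
import re
import time
from collections import defaultdict, deque

# Limits taken from the list above.
MAX_URLS, MAX_PHONES = 5, 3
VIOLATION_THRESHOLD, WINDOW_SECONDS = 10, 60

# Deliberately simple matchers (assumption: the page does not say how URLs
# and phone numbers are recognised).
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{7,}\d(?!\d)")


class ViolationTracker:
    """Sliding one-minute window of violations per API key (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so tests can control time
        self._events = defaultdict(deque)  # api_key -> violation timestamps

    def _recent(self, api_key):
        events = self._events[api_key]
        cutoff = self._clock() - WINDOW_SECONDS
        while events and events[0] <= cutoff:
            events.popleft()  # drop violations older than the window
        return events

    def is_blocked(self, api_key):
        return len(self._recent(api_key)) >= VIOLATION_THRESHOLD

    def check(self, api_key, text):
        """Return (allowed, reason) for one request body."""
        if self.is_blocked(api_key):
            return False, "blocked"
        urls = len(URL_RE.findall(text))
        phones = len(PHONE_RE.findall(text))
        if urls > MAX_URLS:
            reason = "too_many_urls"
        elif phones > MAX_PHONES:
            reason = "too_many_phones"
        else:
            return True, "ok"
        self._recent(api_key).append(self._clock())  # record the violation
        return False, reason
```

Requests rejected while a key is blocked are not counted as new violations here, so a blocked key recovers once its recorded violations leave the window.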

Input Validation

  • Max Length: 8192 characters
  • Encoding: UTF-8 only
  • Sanitization: XSS prevention in logs

PII Protection

  • Log Redaction: Email, phone, credit card numbers masked
  • Data Retention: 24 hours (configurable)
  • Export: No PII in exports (see PRIVACY.md)

Network Security

  • HTTPS: Required for all API calls
  • TLS: Minimum 1.2
  • CORS: Configurable per origin

Infrastructure

  • Docker: Multi-stage builds, minimal attack surface
  • Dependencies: Regular security updates
  • Secrets: Environment variables, never in code

Production Features (v2.0+)

Security Hardening

  • CORS Configuration: Environment-based origins (deny-all default in production)
  • API Key Validation: Fail-fast on missing keys in production
  • Safe Error Messages: Hide internal details in production
  • Database SSL: Auto-enforce sslmode=require for PostgreSQL
  • Redis Rate Limiting: Distributed rate limiting for multi-instance
  • Request Size Limits: Prevent DoS via large requests
  • IP Whitelisting: Optional IP-based access control

Known Limitations

  • No DDoS Protection: Relying on infrastructure-level protection
  • No Cloud WAF: Basic application-level WAF only
  • No Advanced Threat Detection: Planned for v3.0

Available Security Features

  • IP Whitelisting: Available in v2.0
  • Audit Logging: Available in v1.2+
  • PII Redaction: Available in STRICT mode
  • JSON Structured Logging: Available in production

Security Best Practices

For API Users

  1. Rotate Keys: Every 90 days
  2. Use HTTPS: Always
  3. Validate Input: Client-side validation
  4. Monitor Usage: Check stats endpoint regularly

For Developers

  1. Dependencies: Run poetry audit regularly
  2. Secrets: Never commit .env files
  3. Updates: Keep dependencies updated
  4. Testing: Run security tests before deploy

Compliance

Data Protection

  • GDPR: Data retention configurable (default 24h)
  • CCPA: User data deletion supported
  • SOC 2: Not certified (planned for v2.0)

Certifications

  • Current: None
  • Planned: SOC 2 Type II (v2.0)

Incident Response

Security Incident Process

  1. Detection: Automated monitoring + manual reports
  2. Assessment: Severity classification
  3. Containment: Immediate mitigation
  4. Remediation: Fix deployment
  5. Communication: Affected users notified
  6. Post-Mortem: Lessons learned document

Changelog

  • 2025-11-04: Initial security policy published
