---
title: Security Best Practices
description: "*[Guides](../guides/readme.md) > Security*"
type: guide
status: stable
---
This document outlines the security measures implemented in the VisionFlow multi-agent system and provides guidelines for secure deployment and usage.
- Environment Variables
- Authentication
- WebSocket Security
- TCP Server Security
- Input Validation
- Rate Limiting
- CORS Configuration
- Deployment Guidelines
- Security Checklist

## Environment Variables

- NEVER commit `.env` files to version control
- Use `.env.example` as a template for required variables
- Store sensitive credentials in environment-specific secret managers
- Rotate API keys and tokens regularly
```env
# Authentication
JWT_SECRET=<strong-random-secret>
SESSION_SECRET=<strong-random-secret>
WS_AUTH_TOKEN=<secure-websocket-token>

# Rate Limiting
RATE_LIMIT_WINDOW_MS=60000
RATE_LIMIT_MAX_REQUESTS=100

# Connection Limits
WS_MAX_CONNECTIONS=100
TCP_MAX_CONNECTIONS=50
WS_CONNECTION_TIMEOUT=300000
TCP_CONNECTION_TIMEOUT=300000
```

## Authentication

The WebSocket server implements token-based authentication:
- Enable Authentication: Set `WS_AUTH_ENABLED=true`
- Configure Token: Set a secure `WS_AUTH_TOKEN`
- Client Connection: Include the token in the `Authorization` header

```javascript
// Node.js client using the ws library; the browser WebSocket API does not accept custom headers
const WebSocket = require('ws');

const ws = new WebSocket('ws://localhost:3002', {
  headers: { 'Authorization': `Bearer ${token}` }
});
```
The TCP server requires authentication after connection:
- Enable Authentication: Configure the auth token in the environment
- Authentication Flow:

```json
{ "jsonrpc": "2.0", "id": 1, "method": "authenticate", "params": { "token": "your-secure-token" } }
```

## WebSocket Security

- IP Blocking: Automatic blocking of suspicious IPs
- Connection Limits: Maximum concurrent connections enforced
- Timeout Management: Idle connections automatically closed
- Rate Limiting: Per-IP request throttling

```javascript
// WebSocket server configuration (ws library)
const WebSocket = require('ws');

const wss = new WebSocket.Server({
  verifyClient: (info, cb) => {
    // Authentication check
    // IP blocking check
    // Connection limit check
    // Rate limit check
    // Accept only once every check passes; cb(false, 401, 'Unauthorized') rejects the handshake
    cb(true);
  }
});
```

## TCP Server Security

- Persistent Connection Management: Single MCP instance with secure client isolation
- Authentication Required: All non-initialisation requests require authentication
- Input Validation: All incoming data validated and sanitised
- Connection Timeouts: Automatic cleanup of idle connections

Connection flow:

1. Client connects to the TCP server
2. Server checks IP blocking and rate limits
3. Client must authenticate within the timeout period
4. All subsequent requests are validated

## Input Validation

- Size Limits: Maximum request size enforced (default: 10MB)
- JSON-RPC Validation: Structure and version checks
- Content Sanitisation: Script injection prevention
- Prototype Pollution Protection: Key filtering
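The four checks above, as an added example that is not VisionFlow project code: size limit measured in bytes, JSON-RPC 2.0 structure check, prototype-pollution key filtering, and string sanitisation. The 10 MB limit is the page's default; `MAX_DEPTH`, the forbidden-key list, the escaping rule and the function names are this example's own assumptions.

```javascript
// Added example, not VisionFlow project code. MAX_DEPTH, FORBIDDEN_KEYS and the
// escaping rule in sanitiseString are assumptions; MAX_REQUEST_SIZE is the page's default.
const MAX_REQUEST_SIZE = 10 * 1024 * 1024;   // bytes
const MAX_DEPTH = 32;                          // nesting limit, guards against stack exhaustion
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function fail(error) {
  return { valid: false, error };
}

// Sanitise one string value: strip control characters and neutralise angle
// brackets so a value echoed into HTML cannot open a <script> tag.
function sanitiseString(s) {
  return s
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rebuild the parsed value without keys that could reach Object.prototype when
// a later deep-merge copies them. JSON.parse only creates "__proto__" as an own
// property; the pollution happens in code that merges such objects.
function clean(value, depth = 0) {
  if (depth > MAX_DEPTH) throw new Error('Nesting too deep');
  if (typeof value === 'string') return sanitiseString(value);
  if (Array.isArray(value)) return value.map(v => clean(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) continue;     // prototype pollution guard
      out[key] = clean(value[key], depth + 1);
    }
    return out;
  }
  return value;                                  // number, boolean, null
}

// Validate one raw JSON-RPC request body. Returns { valid: false, error } or { valid: true, content }.
function validateInput(raw) {
  if (typeof raw !== 'string') return fail('Input must be a string');
  if (Buffer.byteLength(raw, 'utf8') > MAX_REQUEST_SIZE) return fail('Input too large');  // bytes, not characters
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return fail('Malformed JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return fail('Request must be a JSON object');
  if (parsed.jsonrpc !== '2.0') return fail('Unsupported JSON-RPC version');
  if (typeof parsed.method !== 'string' || parsed.method.length === 0) return fail('Missing method');
  const idType = typeof parsed.id;
  if (parsed.id !== null && idType !== 'string' && idType !== 'number' && idType !== 'undefined') return fail('Invalid id');
  if (parsed.params !== undefined && (parsed.params === null || typeof parsed.params !== 'object')) return fail('params must be an object or array');
  try {
    return { valid: true, content: clean(parsed) };
  } catch (e) {
    return fail(e.message);
  }
}
```

Measuring the size with `Buffer.byteLength` rather than `.length` matters because multi-byte UTF-8 characters let a string of 10 million characters occupy far more than 10 MB.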
```javascript
// Input validation implementation
function validateInput(input) {
  // Size check (input.length counts characters; use Buffer.byteLength for a byte limit)
  if (input.length > MAX_REQUEST_SIZE) {
    return { valid: false, error: 'Input too large' };
  }
  // JSON parsing and validation
  // Sanitisation
  // Return validated and sanitised content
}
```

## Rate Limiting

- Window Size: Configurable time window (default: 60 seconds)
- Request Limit: Maximum requests per window (default: 100)
- IP-Based: Rate limiting applied per IP address
- Automatic Blocking: IPs exceeding limits are temporarily blocked
```javascript
// Rate limiter tracks requests per IP
function checkRateLimit(clientId) {
  // Check requests within time window
  // Block if limit exceeded
  // Clean up old request data
}
```

## CORS Configuration

Configure allowed origins in the environment:

```env
CORS_ALLOWED_ORIGINS=http://localhost:3000,https://yourdomain.com
```

- Methods: GET, POST, PUT, DELETE, OPTIONS
- Headers: Content-Type, Authorization
- Credentials: Configure based on requirements
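An added example, not VisionFlow project code, of turning `CORS_ALLOWED_ORIGINS` into an exact-match allowlist and emitting the method and header settings listed above. Origins are canonicalised with the WHATWG `URL` class so case and default ports do not cause false rejections; the function names are this example's own.

```javascript
// Added example, not VisionFlow project code; function names are assumptions.
function canonicalOrigin(value) {
  try {
    return new URL(value).origin;   // lowercases the host, drops default ports and any path
  } catch {
    return null;                     // missing, malformed, or not an absolute URL (e.g. the literal "null")
  }
}

// Parse the comma-separated env value; malformed entries are skipped.
function parseAllowedOrigins(envValue) {
  const allowed = new Set();
  for (const entry of (envValue || '').split(',')) {
    const origin = canonicalOrigin(entry.trim());
    if (origin && origin !== 'null') allowed.add(origin);   // opaque origins are never allowlisted
  }
  return allowed;
}

// Only a whole-origin match counts: startsWith/includes tests would also admit
// https://yourdomain.com.evil.example or https://evilyourdomain.com.
function isOriginAllowed(origin, allowed) {
  const canon = canonicalOrigin(origin);
  return canon !== null && allowed.has(canon);
}

// Headers for an allowed origin, or null to send none. The matched origin is
// echoed back (never "*"), which is what makes allowCredentials safe to enable.
function corsHeaders(origin, allowed, allowCredentials = false) {
  if (!isOriginAllowed(origin, allowed)) return null;
  const headers = {
    'Access-Control-Allow-Origin': canonicalOrigin(origin),
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Vary': 'Origin',   // caches must not serve this response to a different origin
  };
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```

Returning `null` for a disallowed origin, rather than a permissive default, keeps the failure mode closed: a request from an unexpected origin simply gets no CORS headers.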

## Deployment Guidelines

- Use HTTPS/WSS: Always use encrypted connections in production
- Reverse Proxy: Deploy behind nginx or similar
- Firewall Rules: Restrict access to necessary ports only
- Secret Management: Use AWS Secrets Manager, HashiCorp Vault, etc.
- Monitoring: Implement security event logging and alerting

```yaml
# docker-compose.yml security settings
services:
  multi-agent:
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp
    cap_drop:
      - ALL
    cap_add:
      - DAC_OVERRIDE
```

- Internal Networks: Use Docker internal networks
- Port Exposure: Only expose necessary ports
- Service Isolation: Separate services by security requirements

## Security Checklist

- All environment variables configured
- Strong secrets generated (minimum 32 characters)
- `.env` file not in version control
- Authentication enabled for all services
- Rate limiting configured
- CORS origins restricted
- HTTPS/WSS enabled
- Firewall rules configured
- Monitoring and logging enabled
- Backup procedures in place
- Incident response plan documented
- Regular security audits
- Dependency updates
- Log monitoring
- API key rotation schedule
- Performance monitoring

Incident response steps:

1. Identify: Detect and classify the incident
2. Contain: Isolate affected systems
3. Investigate: Analyse logs and determine scope
4. Remediate: Fix vulnerabilities and remove threats
5. Document: Record incident details and lessons learnt

Contacts:

- Security Team: security@yourdomain.com
- Emergency: [Emergency contact details]
Remember: Security is a continuous process, not a one-time configuration. Regular reviews and updates are essential.