# Security Configuration Guide ## Environment Variables for Security Add these to your `.env` file or Space Settings → Repository secrets: ```bash # ==================== Security Configuration ==================== # OMP_NUM_THREADS: Number of OpenMP threads (must be positive integer) # Default: 4, Range: 1-8 (adjust based on CPU cores) # IMPORTANT: Must be a valid positive integer, not empty string OMP_NUM_THREADS=4 # MKL_NUM_THREADS: Number of MKL threads (must be positive integer) # Default: 4, Range: 1-8 # IMPORTANT: Must be a valid positive integer, not empty string MKL_NUM_THREADS=4 # LOG_DIR: Directory for log files (ensure secure permissions) # Default: /tmp/logs LOG_DIR=/tmp/logs # RATE_LIMIT_ENABLED: Enable rate limiting (true/false) # Default: true (recommended for production) # Set to false only for development/testing RATE_LIMIT_ENABLED=true ``` ## Security Features Implemented ### 1. OMP_NUM_THREADS Validation - ✅ Automatic validation on startup - ✅ Defaults to 4 if invalid or missing - ✅ Prevents "Invalid value" errors ### 2. Security Headers All responses include: - `X-Content-Type-Options: nosniff` - Prevents MIME type sniffing - `X-Frame-Options: DENY` - Prevents clickjacking - `X-XSS-Protection: 1; mode=block` - XSS protection - `Strict-Transport-Security` - Forces HTTPS - `Content-Security-Policy` - Restricts resource loading - `Referrer-Policy` - Controls referrer information ### 3. Rate Limiting - ✅ Enabled by default (configurable via `RATE_LIMIT_ENABLED`) - ✅ Default limits: 200/day, 50/hour, 10/minute per IP - ✅ Endpoint-specific limits: - `/api/chat`: 10 requests/minute - `/api/initialize`: 5 requests/minute ### 4. Secure Logging - ✅ Log files with 600 permissions (owner read/write only) - ✅ Log directory with 700 permissions - ✅ Automatic sensitive data sanitization (tokens, passwords, keys) - ✅ Rotating file handler (10MB max, 5 backups) ### 5. Production WSGI Server - ✅ Gunicorn replaces Flask dev server - ✅ 4 workers, 2 threads per worker - ✅ 120 second timeout - ✅ Access and error logging ### 6. Database Indexes - ✅ Indexes on frequently queried columns - ✅ Performance optimization for session lookups - ✅ Automatic index creation on database init ## Production Deployment ### Using Gunicorn (Recommended) The Dockerfile is configured to use Gunicorn automatically. For manual deployment: ```bash gunicorn \ --bind 0.0.0.0:7860 \ --workers 4 \ --threads 2 \ --timeout 120 \ --access-logfile - \ --error-logfile - \ --log-level info \ flask_api_standalone:app ``` ### Using Production Script ```bash chmod +x scripts/start_production.sh ./scripts/start_production.sh ``` ## Security Checklist Before deploying to production: - [ ] Verify `HF_TOKEN` is set in Space secrets - [ ] Verify `OMP_NUM_THREADS` is a valid positive integer - [ ] Verify `RATE_LIMIT_ENABLED=true` (unless testing) - [ ] Verify log directory permissions are secure - [ ] Verify Gunicorn is used (not Flask dev server) - [ ] Verify security headers are present in responses - [ ] Verify rate limiting is working - [ ] Verify sensitive data is sanitized in logs ## Testing Security Features ### Test Rate Limiting ```bash # Should allow 10 requests for i in {1..10}; do curl -X POST http://localhost:7860/api/chat \ -H "Content-Type: application/json" \ -d '{"message":"test","session_id":"test"}' done # 11th request should be rate limited (429) curl -X POST http://localhost:7860/api/chat \ -H "Content-Type: application/json" \ -d '{"message":"test","session_id":"test"}' ``` ### Test Security Headers ```bash curl -I http://localhost:7860/api/health | grep -i "x-" ``` ### Test OMP_NUM_THREADS Validation ```bash # Test with invalid value export OMP_NUM_THREADS="invalid" python flask_api_standalone.py # Should default to 4 and log warning ``` ## Monitoring ### Log Files - Location: `$LOG_DIR/app.log` (default: `/tmp/logs/app.log`) - Permissions: 600 (owner read/write only) - Rotation: 10MB max, 5 backups ### Security Alerts Monitor logs for: - Rate limit violations (429 responses) - Invalid OMP_NUM_THREADS values - Failed authentication attempts - Unusual request patterns ## Troubleshooting ### Rate Limiting Too Aggressive ```bash # Disable for testing (NOT recommended for production) export RATE_LIMIT_ENABLED=false ``` ### Log Permission Errors ```bash # Set log directory manually export LOG_DIR=/path/to/writable/directory mkdir -p $LOG_DIR chmod 700 $LOG_DIR ``` ### OMP_NUM_THREADS Errors ```bash # Ensure valid integer export OMP_NUM_THREADS=4 # Must be positive integer ``` ## Best Practices 1. **Always use Gunicorn in production** - Never use Flask dev server 2. **Keep rate limiting enabled** - Only disable for local development 3. **Monitor log files** - Check for suspicious activity 4. **Rotate logs regularly** - Prevent disk space issues 5. **Validate environment variables** - Ensure OMP_NUM_THREADS is valid 6. **Use HTTPS** - Strict-Transport-Security header requires HTTPS 7. **Review security headers** - Ensure they match your requirements