# Security Configuration Guide
## Environment Variables for Security
Add these to your `.env` file or Space Settings → Repository secrets:
```bash
# ==================== Security Configuration ====================
# OMP_NUM_THREADS: Number of OpenMP threads (must be positive integer)
# Default: 4, Range: 1-8 (adjust based on CPU cores)
# IMPORTANT: Must be a valid positive integer, not empty string
OMP_NUM_THREADS=4
# MKL_NUM_THREADS: Number of MKL threads (must be positive integer)
# Default: 4, Range: 1-8
# IMPORTANT: Must be a valid positive integer, not empty string
MKL_NUM_THREADS=4
# LOG_DIR: Directory for log files (ensure secure permissions)
# Default: /tmp/logs
LOG_DIR=/tmp/logs
# RATE_LIMIT_ENABLED: Enable rate limiting (true/false)
# Default: true (recommended for production)
# Set to false only for development/testing
RATE_LIMIT_ENABLED=true
```
## Security Features Implemented
### 1. OMP_NUM_THREADS Validation
- ✅ Automatic validation on startup
- ✅ Defaults to 4 if invalid or missing
- ✅ Prevents "Invalid value" errors
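The validation that section 1 describes, as an added Python example (not the project's own `flask_api_standalone.py` code): the function names and the `env` parameter are assumptions, while the default of 4 and the 1-8 range come from the configuration above.

```python
import logging
import os

log = logging.getLogger(__name__)

# Mirrors the guide: default 4, accepted range 1-8.
THREAD_DEFAULT, THREAD_MIN, THREAD_MAX = 4, 1, 8


def validate_thread_count(name, default=THREAD_DEFAULT,
                          lo=THREAD_MIN, hi=THREAD_MAX, env=None):
    """Return a safe positive integer for a thread-count variable.

    Reads `name` from `env` (os.environ by default) and falls back to
    `default` when the value is missing, empty, non-numeric or outside
    [lo, hi], logging a warning so the bad value is visible in app.log.
    """
    env = os.environ if env is None else env
    raw = env.get(name)
    if raw is None or raw.strip() == "":
        log.warning("%s missing or empty, defaulting to %d", name, default)
        return default
    try:
        value = int(raw.strip())
    except ValueError:
        log.warning("%s=%r is not an integer, defaulting to %d", name, raw, default)
        return default
    if not lo <= value <= hi:
        log.warning("%s=%d outside %d-%d, defaulting to %d", name, value, lo, hi, default)
        return default
    return value


def apply_thread_settings(env=None):
    """Validate OMP_NUM_THREADS and MKL_NUM_THREADS and write the sanitized
    values back so native libraries (numpy, torch) never see an invalid
    string. Call this before those libraries are imported."""
    env = os.environ if env is None else env
    settings = {}
    for name in ("OMP_NUM_THREADS", "MKL_NUM_THREADS"):
        settings[name] = validate_thread_count(name, env=env)
        env[name] = str(settings[name])
    return settings
```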
### 2. Security Headers
All responses include:
- `X-Content-Type-Options: nosniff` - Prevents MIME type sniffing
- `X-Frame-Options: DENY` - Prevents clickjacking
- `X-XSS-Protection: 1; mode=block` - XSS protection
- `Strict-Transport-Security` - Forces HTTPS
- `Content-Security-Policy` - Restricts resource loading
- `Referrer-Policy` - Controls referrer information
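An added Python example (not the project's code) of applying the headers above to a response and then verifying them the way the checklist asks. The header names are the ones listed; the HSTS, CSP and Referrer-Policy values are assumed placeholders to adapt to the app, and `apply_security_headers` and `check_response` are assumed names.

```python
# The header names are the guide's; the values for HSTS, CSP and
# Referrer-Policy are assumed here, since the guide does not state them.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def apply_security_headers(headers):
    """Add each security header that is not already present.

    `headers` is any mutable mapping (a Flask response's `headers` works).
    A value a route already set wins, so a handler can tighten a header
    but the default can never silently overwrite it.
    """
    present = {k.lower() for k in headers}
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            headers[name] = value
    return headers


def missing_security_headers(headers):
    """Names of required headers absent from a response (case-insensitive,
    as header names are in HTTP)."""
    present = {k.lower() for k in headers}
    return [n for n in SECURITY_HEADERS if n.lower() not in present]


def check_response(headers, is_https=True):
    """Checklist verification for one response: report every missing header,
    and flag HSTS sent over plain HTTP, which browsers ignore (RFC 6797)."""
    problems = [f"missing {n}" for n in missing_security_headers(headers)]
    if not is_https and "strict-transport-security" in {k.lower() for k in headers}:
        problems.append("Strict-Transport-Security over plain HTTP is ignored")
    return problems
```

In Flask, call `apply_security_headers(response.headers)` from an `@app.after_request` handler. Current Chromium and Firefox ignore `X-XSS-Protection`, so the Content-Security-Policy is what actually limits script injection.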
### 3. Rate Limiting
- ✅ Enabled by default (configurable via `RATE_LIMIT_ENABLED`)
- ✅ Default limits: 200/day, 50/hour, 10/minute per IP
- ✅ Endpoint-specific limits:
  - `/api/chat`: 10 requests/minute
  - `/api/initialize`: 5 requests/minute
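How the default and endpoint-specific limits above combine, as an added Python example (not the project's limiter, which the guide does not show): it parses the same `count/period` strings and keeps a sliding window per client IP and endpoint. The class and method names and the injectable `clock` are assumptions.

```python
import time
from collections import defaultdict, deque

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """'10/minute' -> (10, 60), the notation the guide's limits use."""
    count, _, unit = spec.partition("/")
    unit = unit.strip().rstrip("s")
    if not count.strip().isdigit() or unit not in _UNITS:
        raise ValueError(f"bad rate limit spec: {spec!r}")
    return int(count), _UNITS[unit]


class RateLimiter:
    """Sliding-window limiter keyed by (client IP, endpoint).

    Every limit in `default` applies to every endpoint; an endpoint listed in
    `per_endpoint` is additionally bound by its own limits. A request is
    refused (HTTP 429) when any window is already full, and a refused request
    is not counted, so a throttled client is not kept locked out by its retries.
    """

    def __init__(self, default=("200/day", "50/hour", "10/minute"),
                 per_endpoint=None, enabled=True, clock=time.monotonic):
        self.enabled = enabled
        self.clock = clock
        self.default = [parse_limit(s) for s in default]
        self.per_endpoint = {ep: [parse_limit(s) for s in specs]
                             for ep, specs in (per_endpoint or {}).items()}
        self._hits = defaultdict(deque)  # (ip, endpoint) -> accepted timestamps

    def allow(self, ip, endpoint):
        """True if the request may proceed, False if it should get a 429."""
        if not self.enabled:
            return True
        now = self.clock()
        limits = self.default + self.per_endpoint.get(endpoint, [])
        longest = max(window for _, window in limits)
        q = self._hits[(ip, endpoint)]
        while q and now - q[0] >= longest:   # forget hits outside the widest window
            q.popleft()
        for count, window in limits:
            if sum(1 for t in q if now - t < window) >= count:
                return False
        q.append(now)
        return True
```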
### 4. Secure Logging
- ✅ Log files with 600 permissions (owner read/write only)
- ✅ Log directory with 700 permissions
- ✅ Automatic sensitive data sanitization (tokens, passwords, keys)
- ✅ Rotating file handler (10MB max, 5 backups)
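An added Python example (not the project's logging code) of the four properties listed above: 700 directory, 600 files including the ones created after rotation, 10MB x 5 rotation, and sanitization of tokens, passwords and keys before any handler sees the message. The redaction patterns and the `build_secure_logger` name are assumptions.

```python
import logging
import os
import re
from logging.handlers import RotatingFileHandler

# Assumed shape of secrets in this app's log lines: key=value / key: value
# pairs for tokens, passwords and keys, plus Authorization bearer tokens.
_SECRET_KV = re.compile(
    r"(?i)\b(hf_token|token|password|passwd|secret|api[_-]?key)\b(\s*[=:]\s*)\S+")
_BEARER = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._\-]+")


def sanitize(text):
    """Redact secret-looking values but keep the key names for context."""
    text = _SECRET_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    return _BEARER.sub("Bearer [REDACTED]", text)


class SanitizingFilter(logging.Filter):
    """Rewrites the message before any handler sees it."""
    def filter(self, record):
        record.msg, record.args = sanitize(record.getMessage()), ()
        return True


class SecureRotatingFileHandler(RotatingFileHandler):
    """Creates app.log, and every file opened after a rotation, with mode 600."""
    def _open(self):
        old_umask = os.umask(0o077)
        try:
            return super()._open()
        finally:
            os.umask(old_umask)


def build_secure_logger(log_dir, name="app", max_bytes=10 * 1024 * 1024, backups=5):
    """Directory 700, files 600, 10MB x 5 rotation, sanitized output."""
    os.makedirs(log_dir, mode=0o700, exist_ok=True)
    os.chmod(log_dir, 0o700)            # makedirs is subject to umask; chmod is not
    path = os.path.join(log_dir, f"{name}.log")
    if os.path.exists(path):            # tighten a file left by an earlier run
        os.chmod(path, 0o600)
    handler = SecureRotatingFileHandler(path, maxBytes=max_bytes, backupCount=backups)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    logger.addFilter(SanitizingFilter())
    logger.propagate = False
    return logger, path
```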
### 5. Production WSGI Server
- ✅ Gunicorn replaces Flask dev server
- ✅ 4 workers, 2 threads per worker
- ✅ 120 second timeout
- ✅ Access and error logging
### 6. Database Indexes
- ✅ Indexes on frequently queried columns
- ✅ Performance optimization for session lookups
- ✅ Automatic index creation on database init
## Production Deployment
### Using Gunicorn (Recommended)
The Dockerfile is configured to use Gunicorn automatically. For manual deployment:
```bash
gunicorn \
  --bind 0.0.0.0:7860 \
  --workers 4 \
  --threads 2 \
  --timeout 120 \
  --access-logfile - \
  --error-logfile - \
  --log-level info \
  flask_api_standalone:app
```
### Using Production Script
```bash
chmod +x scripts/start_production.sh
./scripts/start_production.sh
```
## Security Checklist
Before deploying to production:
- [ ] Verify `HF_TOKEN` is set in Space secrets
- [ ] Verify `OMP_NUM_THREADS` is a valid positive integer
- [ ] Verify `RATE_LIMIT_ENABLED=true` (unless testing)
- [ ] Verify log directory permissions are secure
- [ ] Verify Gunicorn is used (not Flask dev server)
- [ ] Verify security headers are present in responses
- [ ] Verify rate limiting is working
- [ ] Verify sensitive data is sanitized in logs
## Testing Security Features
### Test Rate Limiting
```bash
# Should allow 10 requests
for i in {1..10}; do
  curl -X POST http://localhost:7860/api/chat \
    -H "Content-Type: application/json" \
    -d '{"message":"test","session_id":"test"}'
done
# 11th request should be rate limited (429)
curl -X POST http://localhost:7860/api/chat \
  -H "Content-Type: application/json" \
  -d '{"message":"test","session_id":"test"}'
```
### Test Security Headers
```bash
# Match all six headers, not only the X-* ones
curl -sI http://localhost:7860/api/health \
  | grep -iE "^(x-|strict-transport-security|content-security-policy|referrer-policy)"
```
### Test OMP_NUM_THREADS Validation
```bash
# Test with invalid value
export OMP_NUM_THREADS="invalid"
python flask_api_standalone.py
# Should default to 4 and log warning
```
## Monitoring
### Log Files
- Location: `$LOG_DIR/app.log` (default: `/tmp/logs/app.log`)
- Permissions: 600 (owner read/write only)
- Rotation: 10MB max, 5 backups
### Security Alerts
Monitor logs for:
- Rate limit violations (429 responses)
- Invalid OMP_NUM_THREADS values
- Failed authentication attempts
- Unusual request patterns
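An added Python example (not the project's tooling) that scans Gunicorn access log lines for three of the four alert types above; invalid OMP_NUM_THREADS values are reported in `app.log` at startup rather than in the access log. The sample lines are constructed, and the thresholds and function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Gunicorn's default access log format, which `--access-logfile -` emits.
# A regex is used because the request line and user agent contain spaces.
_ACCESS = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')

# Constructed sample lines (not from a real deployment).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Jan/2024:12:00:00 +0000] "POST /api/chat HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "POST /api/chat HTTP/1.1" 429 0 "-" "curl/8.0"',
    '10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "POST /api/chat HTTP/1.1" 429 0 "-" "curl/8.0"',
    '10.0.0.5 - - [10/Jan/2024:12:00:03 +0000] "POST /api/chat HTTP/1.1" 429 0 "-" "curl/8.0"',
    '10.0.0.7 - - [10/Jan/2024:12:00:05 +0000] "POST /api/initialize HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    'garbage line that does not match the format',
]


def parse_access_line(line):
    """Return the fields of one access log line, or None if it is not one."""
    m = _ACCESS.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines, max_429_per_ip=3, max_paths_per_ip=20):
    """Alerts for the patterns the guide lists: repeated 429s from one client,
    failed auth (401/403), and one client touching many distinct paths."""
    throttled, auth_failures, paths = Counter(), Counter(), defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        status = int(rec["status"])
        if status == 429:
            throttled[rec["ip"]] += 1
        elif status in (401, 403):
            auth_failures[rec["ip"]] += 1
        paths[rec["ip"]].add(rec["path"])
    alerts = [f"{ip}: {n} rate-limited (429) requests"
              for ip, n in throttled.items() if n >= max_429_per_ip]
    alerts += [f"{ip}: {n} failed auth requests" for ip, n in auth_failures.items()]
    alerts += [f"{ip}: {len(p)} distinct paths" for ip, p in paths.items()
               if len(p) >= max_paths_per_ip]
    if unparsed:   # a format change or log injection would show up here
        alerts.append(f"{unparsed} unparsable access log lines")
    return alerts
```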
## Troubleshooting
### Rate Limiting Too Aggressive
```bash
# Disable for testing (NOT recommended for production)
export RATE_LIMIT_ENABLED=false
```
### Log Permission Errors
```bash
# Set log directory manually
export LOG_DIR=/path/to/writable/directory
mkdir -p "$LOG_DIR"
chmod 700 "$LOG_DIR"
```
### OMP_NUM_THREADS Errors
```bash
# Ensure valid integer
export OMP_NUM_THREADS=4 # Must be positive integer
```
## Best Practices
1. **Always use Gunicorn in production** - Never use Flask dev server
2. **Keep rate limiting enabled** - Only disable for local development
3. **Monitor log files** - Check for suspicious activity
4. **Rotate logs regularly** - Prevent disk space issues
5. **Validate environment variables** - Ensure OMP_NUM_THREADS is valid
6. **Use HTTPS** - Strict-Transport-Security header requires HTTPS
7. **Review security headers** - Ensure they match your requirements