Security Best Practices

This guide covers security best practices for production InferXgate deployments.

Authentication

Enable Authentication

Always enable auth in production:

REQUIRE_AUTH=true
JWT_SECRET=use-a-strong-random-string-at-least-32-chars

Strong JWT Secrets

Generate a secure secret:

openssl rand -base64 32

Short Token Expiry

JWT_EXPIRY_SECONDS=3600  # 1 hour for sensitive environments

API Key Security

Virtual API Keys

Use virtual API keys instead of sharing provider keys:

# Create keys per application/team
POST /auth/keys
{"name": "production-app", "rate_limit": 100}

Key Rotation

Rotate keys regularly:

# Revoke old key
DELETE /auth/keys/old-key-id

# Create new key
POST /auth/keys

Network Security

HTTPS Only

Always use TLS in production:

# Traefik example
- "traefik.http.routers.inferxgate.tls=true"
- "traefik.http.routers.inferxgate.tls.certresolver=letsencrypt"

Firewall Rules

Restrict access to necessary ports:

# Allow only HTTPS
ufw allow 443/tcp
ufw deny 3000/tcp  # Block direct API access

Private Networks

Use internal networks for services:

services:
  inferxgate:
    networks:
      - internal
      - public

  db:
    networks:
      - internal  # Not exposed

networks:
  internal:
    internal: true
  public:

Domain Restrictions

Limit who can register:

ALLOWED_EMAIL_DOMAINS=company.com,trusted-partner.com

Rate Limiting

Prevent abuse:

ENABLE_RATE_LIMIT=true
RATE_LIMIT_RPM=60      # Per minute
RATE_LIMIT_RPD=10000   # Per day

Logging

Audit Logging

Enable detailed logging:

LOG_LEVEL=info
LOG_JSON=true

Sensitive Data in Logs

Never log API keys or user content. InferXgate redacts sensitive fields by default.

Environment Variables

Secret Management

Use secret managers in production:

# Docker secrets
services:
  inferxgate:
    secrets:
      - jwt_secret
      - anthropic_key

secrets:
  jwt_secret:
    external: true
  anthropic_key:
    external: true

Never Commit Secrets

Add to .gitignore:

.env
*.pem
*.key

Database Security

Strong Passwords

DB_PASSWORD=use-a-generated-password-here

Encrypted Connections

DATABASE_URL=postgresql://user:pass@host:5432/db?sslmode=require

Updates

Keep InferXgate updated:

docker-compose pull
docker-compose up -d

Checklist

  • Authentication enabled
  • Strong JWT secret (32+ chars)
  • HTTPS configured
  • Rate limiting enabled
  • Domain restrictions set
  • Database connections encrypted (sslmode=require)
  • Secrets not in code
  • Regular updates scheduled
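The checklist above can be run mechanically against a deployment's .env file. The following audit script is an added example, not part of InferXgate; it assumes the variable names exactly as documented on this page, treats any value beginning with "use-a-" as this guide's placeholder text, and accepts PostgreSQL's stricter verify-ca/verify-full modes alongside the recommended sslmode=require.

```python
from urllib.parse import urlparse, parse_qs

MIN_SECRET_LEN = 32            # checklist: "Strong JWT secret (32+ chars)"
MAX_EXPIRY_SECONDS = 3600      # the guide's one-hour recommendation
PLACEHOLDER_PREFIX = "use-a-"  # how this guide's sample secret values begin

def parse_env(text):
    """Parse KEY=VALUE lines; skips blanks and comments, drops ' # trailing' notes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.split(" #", 1)[0].strip().strip("\"'")
    return env

def audit_env(text):
    """Return checklist findings for a .env file; an empty list means it passes."""
    env = parse_env(text)
    findings = []
    for flag in ("REQUIRE_AUTH", "ENABLE_RATE_LIMIT"):
        if env.get(flag, "").lower() != "true":
            findings.append(f"{flag} is not true")
    secret = env.get("JWT_SECRET", "")
    if len(secret) < MIN_SECRET_LEN:
        findings.append(f"JWT_SECRET shorter than {MIN_SECRET_LEN} chars")
    elif secret.startswith(PLACEHOLDER_PREFIX):
        findings.append("JWT_SECRET is the documentation placeholder")
    expiry = env.get("JWT_EXPIRY_SECONDS", "")
    if not expiry.isdigit() or int(expiry) > MAX_EXPIRY_SECONDS:
        findings.append(f"JWT_EXPIRY_SECONDS missing or above {MAX_EXPIRY_SECONDS}")
    if not env.get("ALLOWED_EMAIL_DOMAINS"):
        findings.append("ALLOWED_EMAIL_DOMAINS is empty")
    # sslmode=require is the guide's minimum; verify-ca/verify-full are stricter
    sslmode = parse_qs(urlparse(env.get("DATABASE_URL", "")).query).get("sslmode", [""])[0]
    if sslmode not in ("require", "verify-ca", "verify-full"):
        findings.append("DATABASE_URL does not set sslmode=require")
    if env.get("DB_PASSWORD", "").startswith(PLACEHOLDER_PREFIX):
        findings.append("DB_PASSWORD is the documentation placeholder")
    return findings

# Constructed sample: the guide's own snippets pasted verbatim into one .env
SAMPLE_ENV = """REQUIRE_AUTH=true
JWT_SECRET=use-a-strong-random-string-at-least-32-chars
JWT_EXPIRY_SECONDS=3600  # 1 hour for sensitive environments
ENABLE_RATE_LIMIT=true
ALLOWED_EMAIL_DOMAINS=company.com,trusted-partner.com
DB_PASSWORD=use-a-generated-password-here
DATABASE_URL=postgresql://user:pass@host:5432/db"""
```

Running `audit_env(SAMPLE_ENV)` flags the two placeholder secrets and the missing sslmode even though every variable is "set", which is the gap a checklist read by eye tends to miss; point it at `open(".env").read()` for a real deployment.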