Skip to main content
Comprehensive security features, best practices, and compliance considerations for Guardway Gateway.

Security Architecture

Guardway Gateway implements defense-in-depth security with multiple layers of protection: 
┌─────────────────────────────────────────────────────────────┐
│ Layer 1: Container Security                                 │
│ - Non-root execution (UID 1001)                            │
│ - Read-only filesystems                                     │
│ - Seccomp syscall filtering                                │
│ - AppArmor profiles                                         │
│ - Capability dropping                                       │
│ - no-new-privileges flag                                    │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ Layer 2: Network Security                                   │
│ - Private Docker networks                                   │
│ - TLS/HTTPS (production)                                    │
│ - IP allow/block lists                                      │
│ - Firewall rules                                            │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ Layer 3: Application Security                               │
│ - Multi-method authentication                               │
│ - Role-based authorization (RBAC)                           │
│ - Input validation (Zod schemas)                            │
│ - Output sanitization                                       │
│ - Rate limiting                                             │
│ - Request size limits                                       │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ Layer 4: Data Security                                      │
│ - Encryption at rest (AES-256-GCM)                          │
│ - Encryption in transit (TLS)                               │
│ - Secret redaction in logs                                  │
│ - Secure key derivation                                     │
└─────────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────────┐
│ Layer 5: Content Security                                   │
│ - PII detection and redaction                               │
│ - Hate speech detection                                     │
│ - Prompt injection protection                               │
│ - Keyword filtering                                         │
└─────────────────────────────────────────────────────────────┘

Container Security

Overview

All Guardway Gateway containers implement enterprise-grade security hardening following CIS Docker Benchmark and NIST 800-190 guidelines.

Security Features by Container

Gateway Container

User: nodejs:1001 (non-root) Security Options:
  • Read-only root filesystem
  • All capabilities dropped except NET_BIND_SERVICE
  • Seccomp profile: security/seccomp-mcp.json
  • no-new-privileges flag enabled
  • Resource limits: 2 CPU cores, 2GB RAM
Writable Locations (tmpfs only):
  • /tmp (100MB tmpfs)
  • /home/nodejs/.npm (50MB tmpfs)
docker-compose.yml: 
gateway:
  user: "1001:1001"
  read_only: true
  security_opt:
    - no-new-privileges:true
    - seccomp=security/seccomp-mcp.json
  cap_drop:
    - ALL
  cap_add:
    - NET_BIND_SERVICE
  tmpfs:
    - /tmp:mode=1777,size=100m,nosuid,nodev

Admin UI Container

User: nextjs:1001 (non-root) Security Options:
  • Read-only root filesystem
  • All capabilities dropped except NET_BIND_SERVICE
  • Seccomp profile enabled
  • no-new-privileges flag enabled
  • Resource limits: 1 CPU core, 1GB RAM

MCP Containers

User: mcpuser:1001 (non-root) Security Options:
  • Read-only root filesystem
  • All capabilities dropped (except SYS_ADMIN for Playwright)
  • Seccomp profile enabled
  • AppArmor profile: security/apparmor-mcp-profile
  • no-new-privileges flag enabled
AppArmor Command Restrictions: Only these executables are allowed:
  • node, npm, npx (Node.js)
  • uv, uvx, python, python3 (Python)
  • git, git-* (Git)
  • dumb-init (Process init)
Blocked:
  • All shells (sh, bash, dash, zsh)
  • Network tools (wget, curl, nc, telnet, ssh)
  • Privilege escalation (su, sudo)

Seccomp Profile

File: /home/user/Guardway Gateway/security/seccomp-mcp.json Purpose: Restricts syscalls to reduce kernel attack surface Default action: Deny (SCMP_ACT_ERRNO) Allowed syscalls: Only essential syscalls for Node.js/Python processes
  • Networking: socket, connect, bind, listen, accept
  • File I/O: read, write, open, close, stat
  • Process management: fork, exec, wait, kill
Blocked syscalls: Dangerous operations
  • reboot, mount, umount, swapon, swapoff
  • ptrace, kexec_load, add_key, request_key

AppArmor Profile

File: /home/user/Guardway Gateway/security/apparmor-mcp-profile Installation: 
sudo cp security/apparmor-mcp-profile /etc/apparmor.d/mcp-container
sudo apparmor_parser -r /etc/apparmor.d/mcp-container
Protection: Prevents command injection attacks by restricting executable binaries

Verification

Test container security: 
# Verify non-root user
docker-compose exec gateway whoami
# Output: nodejs

# Verify read-only filesystem
docker-compose exec gateway touch /test
# Output: Read-only file system

# Verify command restrictions (MCP container)
docker-compose exec mcp-time sh
# Output: Permission denied

# Verify allowed commands
docker-compose exec mcp-time node --version
# Output: v20.x.x

# Check capabilities
docker-compose exec gateway capsh --print
# Should show no capabilities except NET_BIND_SERVICE

Authentication Methods

Guardway Gateway supports five authentication methods with different use cases:
Format: sk-master-...Use Case: Full administrative access, initial setupConfiguration:
AGSEC_MASTER_KEY=sk-master-d8f7a6b5c4e3f2a1b0c9d8e7f6a5b4c3
Usage:
curl -H "Authorization: Bearer sk-master-..." \
  http://localhost:8000/keys
Security:
  • Uses timing-safe comparison (crypto.timingSafeEqual) to prevent timing attacks
  • Should be rotated regularly
  • Store in secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
  • Never commit to version control

Authorization (RBAC)

Role-based access control with three roles:

Roles

RolePermissions
adminFull access to all endpoints including user/team/provider management
developerAccess to inference endpoints (/v1/*), read-only management endpoints
read-onlyRead-only access to logs, metrics, and configuration

Role Assignment

# Create API key with specific role
curl -X POST http://localhost:8000/keys \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Read-only Key",
    "role": "read-only"
  }'

Permission Checks

Authorization is enforced at the middleware level: 
// Endpoint requires admin role
fastify.get('/providers',
  { preHandler: [authMiddleware, rbacMiddleware('admin')] },
  async (req, reply) => {
    // Only admins can access
  }
);

Secret Management

Encryption at Rest

Algorithm: AES-256-GCM (authenticated encryption) Configuration: 
# 32-byte hex string
CONFIG_ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Never commit your CONFIG_ENCRYPTION_KEY to version control. Store it in a secrets manager such as AWS Secrets Manager or HashiCorp Vault.
Encrypted Fields:
  • Provider API keys
  • Webhook secrets
  • OrionFence API keys
  • OAuth client secrets
Encryption Format: 
enc:v1:{iv_base64}:{ciphertext_base64}:{tag_base64}
Example: 
import crypto from 'crypto';

function encrypt(plaintext: string, key: Buffer): string {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);

  let encrypted = cipher.update(plaintext, 'utf8', 'base64');
  encrypted += cipher.final('base64');

  const tag = cipher.getAuthTag();

  return `enc:v1:${iv.toString('base64')}:${encrypted}:${tag.toString('base64')}`;
}

Secret Redaction in Logs

All API keys and sensitive headers are automatically redacted: 
// Logged as
{
  "apiKey": "[REDACTED]",
  "authorization": "[REDACTED]",
  "openai_api_key": "[REDACTED]"
}
Redacted Fields:
  • apiKey, api_key
  • authorization
  • password, passwd
  • secret, token
  • *_api_key patterns

Key Rotation

API Keys: 
# Rotate compromised key
curl -X POST http://localhost:8000/keys/key-abc123/rotate \
  -H "Authorization: Bearer $SESSION_TOKEN"
Master Key:
  1. Generate new master key
  2. Update AGSEC_MASTER_KEY environment variable
  3. Restart gateway
  4. Update all admin scripts
Provider Keys: 
# Update provider API key
curl -X PUT http://localhost:8000/providers/openai \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"apiKey": "sk-new-key..."}'

Guardrails

Built-in SLM Guardrails

Built-in SLM guardrails run locally with <50ms P95 latency, making them suitable for real-time inference pipelines without noticeable overhead.
Types:
  1. PII Detection - SSN, credit cards, emails, phone numbers, API keys
  2. Hate Speech Detection - Toxic content, slurs, threats
  3. Prompt Injection Detection - Adversarial prompt manipulation

PII Detection

Local (Regex-based): 
curl -X POST http://localhost:8000/guardrails/slm \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PII Detection",
    "type": "pii_detection",
    "enabled": true,
    "threshold": 0.8,
    "action": "sanitize",
    "piiTypes": ["ssn", "credit_card", "email", "phone"],
    "redactionToken": "[REDACTED]"
  }'
OrionFence (ML-based): 
curl -X POST http://localhost:8000/guardrails/slm \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PII Detection (ML)",
    "type": "pii_detection",
    "enabled": true,
    "threshold": 0.8,
    "action": "sanitize",
    "orionFenceConfig": {
      "useApi": true,
      "apiUrl": "https://api.orionfence.com",
      "model": "spacy-lg",
      "entities": ["PERSON", "EMAIL_ADDRESS", "PHONE_NUMBER", "US_SSN", "CREDIT_CARD"],
      "threshold": 0.35,
      "fallbackEnabled": true
    }
  }'

Hate Speech Detection

curl -X POST http://localhost:8000/guardrails/slm \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Hate Speech Filter",
    "type": "hate_speech",
    "enabled": true,
    "threshold": 0.85,
    "action": "block",
    "customResponse": "Your request contains inappropriate content."
  }'

Prompt Injection Detection

curl -X POST http://localhost:8000/guardrails/slm \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Prompt Injection Shield",
    "type": "prompt_injection",
    "enabled": true,
    "threshold": 0.80,
    "action": "block",
    "alertSecurityTeam": true
  }'

IP Filtering

# Allow only specific IP ranges
curl -X PUT http://localhost:8000/guardrails \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "ipAllowList": ["192.168.1.0/24", "10.0.0.0/8"],
    "ipBlockList": ["203.0.113.0/24"]
  }'

Keyword Filtering

curl -X PUT http://localhost:8000/guardrails \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enabled": true,
    "bannedKeywords": ["spam", "abuse", "hack"]
  }'

Audit Logging

Complete audit trail for all administrative and security-relevant actions.

Logged Events

  • User Management: Create, update, delete users
  • Team Management: Create, update, delete teams
  • API Key Management: Create, rotate, delete keys
  • Provider Management: Add, update, remove providers
  • Guardrail Changes: Policy creation, updates, deletions
  • Configuration Changes: Routing rules, settings updates
  • Authentication Events: Login attempts, session creation
  • Authorization Failures: Access denied events

Audit Log Format

{
  "id": "audit-abc123",
  "timestamp": "2025-01-19T12:00:00.000Z",
  "actor": {
    "type": "user",
    "id": "user-123",
    "email": "admin@example.com"
  },
  "action": "update_provider",
  "resource": {
    "type": "provider",
    "id": "openai"
  },
  "changes": {
    "enabled": {"from": false, "to": true}
  },
  "ip": "192.168.1.100",
  "userAgent": "Mozilla/5.0..."
}

Query Audit Logs

curl "http://localhost:8000/audit?limit=100&action=update_provider" \
  -H "Authorization: Bearer $SESSION_TOKEN"

Network Security

Docker Network Isolation

All services communicate on private Docker network: 
networks:
  llm-network:
    driver: bridge
    internal: false  # Set to true for full isolation

TLS/HTTPS Configuration

Always use TLS/HTTPS in production. Running without TLS exposes all traffic — including API keys and user data — to interception.
Production setup (nginx): 
server {
    listen 443 ssl http2;
    server_name gateway.example.com;

    ssl_certificate /etc/ssl/certs/gateway.crt;
    ssl_certificate_key /etc/ssl/private/gateway.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://gateway:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Firewall Rules

iptables example: 
# Allow only specific ports
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP  # Block direct gateway access

# Rate limiting
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP

Production Security Checklist

1

Pre-Deployment

  • Generate strong master key (32+ characters, random)
  • Generate encryption key for secrets (64 hex characters)
  • Configure TLS/HTTPS certificates
  • Set up secrets manager (AWS Secrets Manager, Vault, etc.)
  • Review and configure CORS origins
  • Enable audit logging
  • Configure network firewall rules
  • Set up intrusion detection (Fail2ban, OSSEC, etc.)
2

Container Security

  • Verify all containers run as non-root (UID 1001)
  • Confirm read-only filesystems enabled
  • Test Seccomp profiles loaded correctly
  • Install and verify AppArmor profiles (MCP containers)
  • Set resource limits (CPU, memory)
  • Enable container health checks
3

Authentication & Authorization

  • Rotate default master key
  • Configure session timeout (default: 24 hours)
  • Set up API key expiration policy
  • Enable RBAC for all users
  • Configure MCP access restrictions per key
  • Test authentication methods
4

Guardrails

  • Enable PII detection for sensitive data
  • Configure hate speech detection
  • Enable prompt injection protection
  • Set up IP allow/block lists
  • Configure keyword filtering
  • Test guardrail policies
5

Network & Infrastructure

  • Enable TLS/HTTPS (production)
  • Configure reverse proxy (nginx, AWS ALB)
  • Set up Web Application Firewall (WAF)
  • Enable DDoS protection (CloudFlare, AWS Shield)
  • Configure private networks for internal services
  • Disable unnecessary ports
6

Monitoring & Logging

  • Enable audit logging
  • Set up centralized log aggregation (ELK, CloudWatch)
  • Configure security alerts
  • Enable OpenTelemetry tracing
  • Set up Prometheus metrics
  • Configure anomaly detection
7

Data Protection

  • Enable encryption at rest (AES-256-GCM)
  • Verify TLS for data in transit
  • Configure secret rotation schedule
  • Set up Redis authentication
  • Enable PostgreSQL SSL connections
  • Test backup and recovery procedures
8

Compliance

  • Document security architecture
  • Conduct security assessment
  • Perform penetration testing
  • Review data retention policies
  • Configure GDPR compliance settings (if applicable)
  • Set up SOC 2 controls (if pursuing certification)

Security Best Practices

1. Principle of Least Privilege

Grant minimum necessary permissions: 
# Developer role (limited access)
curl -X POST http://localhost:8000/keys \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "App Key",
    "role": "developer",
    "allowedModels": ["gpt-3.5-turbo"],
    "budgetLimit": 100,
    "requestLimit": 10000
  }'

2. Defense in Depth

Implement multiple security layers:
  • Container security (non-root, read-only)
  • Network security (firewalls, TLS)
  • Application security (auth, RBAC)
  • Data security (encryption)
  • Content security (guardrails)

3. Regular Security Updates

# Update base images
docker-compose pull
docker-compose build --no-cache
docker-compose up -d

# Update dependencies
pnpm update
pnpm audit

4. Secret Management

Never commit secrets to git, log secrets, or share secrets via email/chat. Always use a secrets manager, rotate secrets regularly, use environment variables, and encrypt at rest.

5. Monitoring and Alerting

# Set up security alerts
curl -X POST http://localhost:8000/webhooks \
  -H "Authorization: Bearer $SESSION_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-security-siem.com/webhook",
    "events": [
      "guardrail.violation",
      "auth.failed",
      "quota.exceeded"
    ]
  }'

6. Incident Response Plan

  1. Detection: Monitor logs and alerts
  2. Containment: Disable compromised keys immediately
  3. Eradication: Rotate secrets, patch vulnerabilities
  4. Recovery: Restore from backups if needed
  5. Lessons Learned: Document and improve

Threat Model

Attack: Attacker obtains valid API keyMitigations:
  • Per-key budget limits (prevent runaway costs)
  • Per-key request limits (prevent abuse)
  • Rate limiting (slow down attacks)
  • Expiration dates (limit lifetime)
  • Audit logging (detect unusual activity)
  • IP restrictions (limit source IPs)
Response:
  1. Identify compromised key from logs
  2. Disable key immediately
  3. Rotate key
  4. Review audit logs for damage
  5. Notify affected users
Attack: Attacker escapes container to hostMitigations:
  • Non-root user (cannot escalate to root)
  • Read-only filesystem (cannot modify binaries)
  • Seccomp (blocks dangerous syscalls)
  • AppArmor (restricts executables)
  • No capabilities (cannot perform privileged operations)
  • no-new-privileges (prevents privilege escalation)
Impact: Extremely difficult due to multiple layers
Attack: Manipulate LLM via adversarial promptsMitigations:
  • Prompt injection detection guardrail
  • Input validation
  • System prompt isolation
  • Output moderation
Example blocked patterns:
  • “Ignore previous instructions”
  • “You are now in developer mode”
  • Role manipulation attempts
Attack: Extract sensitive data from requests/responsesMitigations:
  • PII detection and redaction
  • Encryption at rest
  • TLS in transit
  • Access logging
  • Audit trail
Attack: Overwhelm system with requestsMitigations:
  • Rate limiting (token bucket algorithm)
  • Request size limits
  • Resource limits (CPU, memory)
  • Connection limits
  • Timeout enforcement

Compliance Considerations

SOC 2

Type II Controls:CC6.1 - Logical Access:
  • Multi-factor authentication available
  • Role-based access control (RBAC)
  • API key management with expiration
  • Audit logging of access events
CC6.6 - Encryption:
  • TLS for data in transit
  • AES-256-GCM for data at rest
  • Encrypted secrets storage
CC7.2 - System Monitoring:
  • OpenTelemetry tracing
  • Prometheus metrics
  • Audit logging
  • Security event alerting

PCI DSS

Requirement 3 - Protect Stored Data:
  • Encryption at rest (AES-256)
  • Secure key management
  • Credit card PII detection
Requirement 8 - Access Control:
  • Unique user IDs
  • Strong authentication
  • RBAC implementation
Requirement 10 - Logging:
  • Audit trail for all access
  • Tamper-proof logs (append-only)
  • Log retention policies

HIPAA

Technical Safeguards:§164.312(a)(1) - Access Control:
  • Unique user identification
  • Emergency access procedure
  • Automatic logoff (session timeout)
  • Encryption and decryption
§164.312(b) - Audit Controls:
  • Complete audit logging
  • Activity monitoring
  • Audit log review
§164.312(e)(1) - Transmission Security:
  • TLS/HTTPS encryption
  • Integrity controls

GDPR

Data Protection Measures:Article 25 - Data Protection by Design:
  • PII detection and redaction
  • Minimal data retention
  • Encryption by default
Article 30 - Records of Processing:
  • Audit logging
  • Data flow documentation
Article 32 - Security of Processing:
  • Encryption at rest and in transit
  • Pseudonymization capabilities
  • Regular security testing
Article 33 - Breach Notification:
  • Security event logging
  • Real-time alerting
  • Incident response procedures

Additional Resources

For deployment security, see Deployment.