Security features, best practices, and compliance considerations for Guardway Gateway.

Security Architecture

Guardway Gateway implements defense-in-depth security with multiple layers of protection:
  • Container Security: Hardened containers following industry best practices
  • Network Security: TLS/HTTPS, IP allow/block lists, firewall rules
  • Application Security: Multi-method authentication, RBAC, input validation, rate limiting
  • Data Security: Encryption at rest and in transit, secret redaction in logs
  • Content Security: PII detection, hate speech detection, prompt injection protection

Authentication Methods

Guardway Gateway supports multiple authentication methods for different use cases:
  • Master Key: Full administrative access for initial setup and management
  • Session Token: Time-limited sessions for the Admin UI
  • API Key: Application API access with quotas, budgets, and rate limits
  • Ephemeral Token: Short-lived delegated access with configurable TTL
Never commit secrets to version control. Use environment variables, secret managers, or encrypted .env files in production.

Authorization (RBAC)

Role-based access control with three roles:
Role        Permissions
admin       Full access to all endpoints including user/team/provider management
developer   Access to inference endpoints, read-only management endpoints
read-only   Read-only access to logs, metrics, and configuration

Secret Management

  • All API keys and secrets are encrypted at rest
  • Automatic secret redaction in logs (API keys, authorization headers, passwords, tokens)
  • Support for key rotation through the Admin UI
  • Compatible with external secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.)
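The following is an added example of how automatic secret redaction in logs can be implemented; it is not the gateway's own code. The patterns cover the four secret types named above (API keys, authorization headers, passwords, tokens); the `gw-` key prefix is a constructed placeholder, not the gateway's real key format, and the filter is installed on a hypothetical logger name.

```python
import io
import logging
import re

# Illustrative patterns for the secret types that must never reach log storage.
# The "gw-" prefix is a constructed placeholder, not the gateway's real key format.
_PATTERNS = [
    # Authorization header: keep the scheme, drop the credential.
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"), r"\1[REDACTED]"),
    # key/value secrets in JSON bodies, query strings or form data.
    (re.compile(r"""(?i)(["']?(?:api[_-]?key|password|passwd|secret|token)["']?\s*[:=]\s*["']?)([^"'\s,&}]+)"""),
     r"\1[REDACTED]"),
    # Bare key-like values with a recognisable prefix.
    (re.compile(r"\bgw-[A-Za-z0-9_-]{16,}"), "[REDACTED]"),
]


def redact(text: str) -> str:
    """Replace every secret matched by _PATTERNS with a placeholder."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Redacts the message and its format arguments before any handler sees them,
    so secrets never reach files, stdout or a remote aggregator."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(str(v)) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(str(a)) for a in record.args)
        return True


def demo_log(message: str, *args) -> str:
    """Run one log call through a logger fitted with RedactingFilter and return
    exactly what a handler would have written (hypothetical logger name)."""
    buf = io.StringIO()
    logger = logging.getLogger("guardway.redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample lines, not real gateway logs.
    print(demo_log("inbound headers: %s", "Authorization: Bearer eyJhbGciOi.payload.sig"))
    print(demo_log('body: {"api_key": "gw-0123456789abcdef0123", "model": "m"}'))
    print(demo_log("login for %s with %s", "bob", "password=hunter2"))
```

Redaction happens in the filter rather than in a formatter so that it applies to every handler attached to the logger, including ones added later by a log-aggregation agent. Patterns are deliberately permissive: redacting a harmless value is cheaper than leaking a credential.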

Guardrails

Built-in SLM guardrails run locally with low latency, making them suitable for real-time inference pipelines without noticeable overhead.
Types:
  1. PII Detection - SSN, credit cards, emails, phone numbers, API keys
  2. Hate Speech Detection - Toxic content, slurs, threats
  3. Prompt Injection Detection - Adversarial prompt manipulation
For detailed guardrails configuration, see Guardrails.
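As an added illustration of the PII detection type listed above (not the gateway's own guardrail, which the page describes as a local SLM), the scanner below finds the same categories with patterns plus a Luhn check for card numbers, and redacts them in place. The `sk-`/`gw-` API key prefixes and all sample inputs are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out random 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Illustrative patterns for the PII categories listed above. The API key
# prefixes are constructed placeholders, not the gateway's real key formats.
_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"),
    "credit_card": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
    "api_key": re.compile(r"\b(?:sk|gw)-[A-Za-z0-9]{20,}\b"),
}


def scan(text: str) -> List[Finding]:
    """Return non-overlapping findings sorted by position; longer matches win ties."""
    found: List[Finding] = []
    for kind, pattern in _PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "credit_card":
                digits = re.sub(r"\D", "", m.group())
                if not (13 <= len(digits) <= 19 and _luhn_ok(digits)):
                    continue  # digit run that fails Luhn: not a card number
            found.append(Finding(kind, m.start(), m.end()))
    found.sort(key=lambda f: (f.start, -(f.end - f.start)))
    kept: List[Finding] = []
    for f in found:
        if kept and f.start < kept[-1].end:
            continue  # nested inside an earlier, longer finding
        kept.append(f)
    return kept


def redact(text: str) -> str:
    """Replace each finding with a [KIND] marker, working from the end so offsets stay valid."""
    out = text
    for f in reversed(scan(text)):
        out = out[:f.start] + f"[{f.kind.upper()}]" + out[f.end:]
    return out


if __name__ == "__main__":
    # Constructed sample prompt; the card number is a standard test value.
    sample = ("My SSN is 123-45-6789, card 4111 1111 1111 1111, "
              "mail alice@example.com, call (555) 867-5309, key sk-abcdefghijklmnopqrstuvwxyz")
    for f in scan(sample):
        print(f.kind, sample[f.start:f.end])
    print(redact(sample))
```

The Luhn step is what keeps a 16-digit order number from being flagged as a card; the overlap pass keeps the shorter phone pattern from firing inside a longer card match.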

Audit Logging

Complete audit trail for all administrative and security-relevant actions:
  • User Management: Create, update, delete users
  • Team Management: Create, update, delete teams
  • API Key Management: Create, rotate, delete keys
  • Provider Management: Add, update, remove providers
  • Guardrail Changes: Policy creation, updates, deletions
  • Configuration Changes: Routing rules, settings updates
  • Authentication Events: Login attempts, session creation
  • Authorization Failures: Access denied events

Production Security Checklist

1. Pre-Deployment

  • Generate strong master key (32+ characters, random)
  • Configure TLS/HTTPS certificates
  • Set up secrets manager (AWS Secrets Manager, Vault, etc.)
  • Review and configure CORS origins
  • Enable audit logging
  • Configure network firewall rules

2. Authentication & Authorization

  • Rotate default master key
  • Configure session timeout
  • Set up API key expiration policy
  • Enable RBAC for all users
  • Configure MCP access restrictions per key
  • Test authentication methods

3. Guardrails

  • Enable PII detection for sensitive data
  • Configure hate speech detection
  • Enable prompt injection protection
  • Set up IP allow/block lists
  • Configure keyword filtering
  • Test guardrail policies

4. Network & Infrastructure

  • Enable TLS/HTTPS
  • Configure reverse proxy
  • Set up Web Application Firewall (WAF)
  • Enable DDoS protection
  • Configure private networks for internal services
  • Disable unnecessary ports

5. Monitoring & Logging

  • Enable audit logging
  • Set up centralized log aggregation
  • Configure security alerts
  • Enable distributed tracing
  • Set up metrics collection
  • Configure anomaly detection

6. Data Protection

  • Enable encryption at rest
  • Verify TLS for data in transit
  • Configure secret rotation schedule
  • Set up database authentication
  • Test backup and recovery procedures

7. Compliance

  • Document security architecture
  • Conduct security assessment
  • Perform penetration testing
  • Review data retention policies
  • Configure GDPR compliance settings (if applicable)
  • Set up SOC 2 controls (if pursuing certification)

Security Best Practices

1. Principle of Least Privilege

Grant each API key only the permissions it needs. Use the developer role for application keys and restrict access to specific models where possible.

2. Defense in Depth

Implement multiple security layers: container security, network security, application security, data security, and content security.

3. Secret Management

Never commit secrets to git, log secrets, or share secrets via email/chat. Always use a secrets manager, rotate secrets regularly, use environment variables, and encrypt at rest.

4. Incident Response Plan

  1. Detection: Monitor logs and alerts
  2. Containment: Disable compromised keys immediately
  3. Eradication: Rotate secrets, patch vulnerabilities
  4. Recovery: Restore from backups if needed
  5. Lessons Learned: Document and improve
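The added example below (not the gateway's own code) ties the key-related checklist items (strong random master key, API key expiration, secret rotation) to the incident response steps above: keys are stored only as hashes, expire, can be disabled for containment and rotated for eradication, with every action recorded for the audit trail. The log format, the `gw-` key prefix and the "too many source addresses" detection heuristic are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


def generate_master_key(nbytes: int = 32) -> str:
    """Random master key: 32 bytes of url-safe base64 is 43 characters, above the 32-character minimum."""
    return secrets.token_urlsafe(nbytes)


def _digest(raw_key: str) -> str:
    # Only the hash is stored, so a database leak does not yield usable keys.
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class KeyRecord:
    key_id: str
    digest: str
    expires_at: float
    disabled: bool = False


class KeyStore:
    """In-memory key store with expiration, disable and rotate (example only)."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}
        self.audit: List[dict] = []  # stands in for the gateway's audit log

    def _log(self, action: str, key_id: str, actor: str) -> None:
        self.audit.append({"ts": time.time(), "action": action, "key_id": key_id, "actor": actor})

    def _new_raw(self) -> str:
        return "gw-" + secrets.token_urlsafe(32)  # "gw-" prefix is a constructed placeholder

    def issue(self, key_id: str, ttl_seconds: float, now: Optional[float] = None, actor: str = "admin") -> str:
        now = time.time() if now is None else now
        raw = self._new_raw()
        self._records[key_id] = KeyRecord(key_id, _digest(raw), now + ttl_seconds)
        self._log("key.create", key_id, actor)
        return raw  # shown to the caller once; never stored in clear

    def authenticate(self, raw: str, now: Optional[float] = None) -> Optional[str]:
        """Return the key_id for a valid, unexpired, enabled key, else None."""
        now = time.time() if now is None else now
        presented = _digest(raw)
        for rec in self._records.values():  # a real store would index by digest
            if hmac.compare_digest(rec.digest, presented):
                if rec.disabled or now >= rec.expires_at:
                    return None
                return rec.key_id
        return None

    def disable(self, key_id: str, actor: str = "admin") -> None:
        """Containment: the credential stops working immediately."""
        self._records[key_id].disabled = True
        self._log("key.disable", key_id, actor)

    def rotate(self, key_id: str, ttl_seconds: float, now: Optional[float] = None, actor: str = "admin") -> str:
        """Eradication: replace the secret; the old value can never authenticate again."""
        now = time.time() if now is None else now
        raw = self._new_raw()
        self._records[key_id] = KeyRecord(key_id, _digest(raw), now + ttl_seconds)
        self._log("key.rotate", key_id, actor)
        return raw


# Constructed request-log sample in a hypothetical format (addresses are documentation ranges).
SAMPLE_LOG = """\
2025-01-01T10:00:01Z key_id=app-1 src=198.51.100.10 status=200
2025-01-01T10:00:02Z key_id=app-2 src=198.51.100.20 status=200
2025-01-01T10:00:03Z key_id=app-2 src=203.0.113.5 status=200
2025-01-01T10:00:04Z key_id=app-2 src=203.0.113.9 status=429
2025-01-01T10:00:05Z key_id=app-1 src=198.51.100.11 status=200
"""
_LOG_RE = re.compile(r"key_id=(\S+)\s+src=(\S+)")


def find_suspect_keys(log_text: str, max_sources: int) -> List[str]:
    """Detection heuristic (an assumption for this example): a key used from more
    distinct source addresses than max_sources is flagged for review."""
    sources: Dict[str, set] = {}
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m:
            sources.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(k for k, s in sources.items() if len(s) > max_sources)


if __name__ == "__main__":
    store = KeyStore()
    leaked = store.issue("app-2", ttl_seconds=3600)
    for key_id in find_suspect_keys(SAMPLE_LOG, max_sources=2):   # detection
        store.disable(key_id)                                      # containment
        store.rotate(key_id, ttl_seconds=3600)                     # eradication
    print("old key still valid:", store.authenticate(leaked) is not None)
    print([e["action"] for e in store.audit])
```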

Threat Model

Mitigations: Per-key budget limits, request limits, rate limiting, expiration dates, audit logging, IP restrictions.
Response: Identify compromised key from logs, disable immediately, rotate, review audit logs, notify affected users.

Mitigations: Prompt injection detection guardrail, input validation, system prompt isolation, output moderation.
Blocked patterns include: “Ignore previous instructions”, role manipulation attempts, jailbreak patterns.

Mitigations: PII detection and redaction, encryption at rest, TLS in transit, access logging, audit trail.

Mitigations: Rate limiting, request size limits, resource limits, connection limits, timeout enforcement.
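As an added example of the per-key limits the threat model relies on (not the gateway's own implementation), the admission check below enforces a request-size limit, a spend budget and a token-bucket rate limit for each key, in that order, so that a rejected oversized or over-budget request does not consume rate-limit capacity. The limit values and key names are constructed for this example.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class KeyLimits:
    requests_per_second: float   # steady-state refill rate
    burst: int                   # bucket capacity
    monthly_budget_usd: float    # spend cap for the period
    max_request_bytes: int       # request size limit


@dataclass
class _Bucket:
    tokens: float
    updated: float


class Limiter:
    """Per-key admission control: size limit, budget, then token-bucket rate limit."""

    def __init__(self, limits: Dict[str, KeyLimits]) -> None:
        self._limits = limits
        self._buckets: Dict[str, _Bucket] = {}
        self._spent: Dict[str, float] = {}

    def check(self, key_id: str, request_bytes: int, now: Optional[float] = None) -> Optional[str]:
        """Return None if the request may proceed, otherwise the rejection reason."""
        now = time.time() if now is None else now
        lim = self._limits.get(key_id)
        if lim is None:
            return "unknown key"                        # default deny
        if request_bytes > lim.max_request_bytes:
            return "request too large"                  # checked before spending a token
        if self._spent.get(key_id, 0.0) >= lim.monthly_budget_usd:
            return "budget exhausted"
        bucket = self._buckets.get(key_id)
        if bucket is None:
            bucket = _Bucket(tokens=float(lim.burst), updated=now)
            self._buckets[key_id] = bucket
        # Refill proportionally to elapsed time, capped at the burst size.
        bucket.tokens = min(float(lim.burst), bucket.tokens + (now - bucket.updated) * lim.requests_per_second)
        bucket.updated = now
        if bucket.tokens < 1.0:
            return "rate limited"
        bucket.tokens -= 1.0
        return None

    def record_cost(self, key_id: str, usd: float) -> None:
        """Called after the upstream response is priced, so the budget reflects real spend."""
        self._spent[key_id] = self._spent.get(key_id, 0.0) + usd

    def spent(self, key_id: str) -> float:
        return self._spent.get(key_id, 0.0)


if __name__ == "__main__":
    limiter = Limiter({"app": KeyLimits(requests_per_second=1.0, burst=2,
                                        monthly_budget_usd=1.0, max_request_bytes=1024)})
    t = 0.0
    for size in (100, 100, 100, 4096):
        print(size, limiter.check("app", size, now=t) or "ok")
    limiter.record_cost("app", 1.0)
    print("after budget spent:", limiter.check("app", 100, now=t + 10))
```

Each rejection reason maps to a distinct HTTP status at the edge (413, 402/403 and 429 respectively), which keeps the audit log unambiguous about which limit fired.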

Compliance Considerations

SOC 2

Key Controls: Multi-factor authentication, RBAC, API key management with expiration, TLS encryption, audit logging, security event alerting.

PCI DSS

Key Controls: Encryption at rest, secure key management, credit card PII detection, unique user IDs, strong authentication, audit trail.

HIPAA

Key Controls: Access control with unique user identification, automatic logoff, encryption, complete audit logging, TLS transmission security.

GDPR

Key Controls: PII detection and redaction, minimal data retention, encryption by default, audit logging, security event alerting, incident response procedures.

Additional Resources