> ## Documentation Index
> Fetch the complete documentation index at: https://docs.guardway.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Functionalities

> Security functionalities, best practices, and compliance considerations for Guardway Gateway.

Security features, best practices, and compliance considerations for Guardway Gateway.

## Security Architecture

Guardway Gateway implements **defense-in-depth** security with multiple layers of protection:

* **Container Security**: Hardened containers following industry best practices
* **Network Security**: TLS/HTTPS, IP allow/block lists, firewall rules
* **Application Security**: Multi-method authentication, RBAC, input validation, rate limiting
* **Data Security**: Encryption at rest and in transit, secret redaction in logs
* **Content Security**: PII detection, hate speech detection, prompt injection protection

***

## Authentication Methods

Guardway Gateway supports multiple authentication methods for different use cases:

* **Master Key**: Full administrative access for initial setup and management
* **Session Token**: Time-limited sessions for the Admin UI
* **API Key**: Application API access with quotas, budgets, and rate limits
* **Ephemeral Token**: Short-lived delegated access with configurable TTL

<Warning>
  Never commit secrets to version control. Use environment variables, secret managers, or encrypted `.env` files in production.
</Warning>

***

## Authorization (RBAC)

Role-based access control with three roles:

| Role          | Permissions                                                          |
| ------------- | -------------------------------------------------------------------- |
| **admin**     | Full access to all endpoints including user/team/provider management |
| **developer** | Access to inference endpoints, read-only management endpoints        |
| **read-only** | Read-only access to logs, metrics, and configuration                 |

***

## Secret Management

* All API keys and secrets are encrypted at rest
* Automatic secret redaction in logs (API keys, authorization headers, passwords, tokens)
* Support for key rotation through the Admin UI
* Compatible with external secrets managers (AWS Secrets Manager, HashiCorp Vault, etc.)

***

## Guardrails

<Tip>
  Built-in SLM guardrails run locally with low latency, making them suitable for real-time inference pipelines without noticeable overhead.
</Tip>

**Types**:

1. **PII Detection** - SSN, credit cards, emails, phone numbers, API keys
2. **Hate Speech Detection** - Toxic content, slurs, threats
3. **Prompt Injection Detection** - Adversarial prompt manipulation

For detailed guardrails configuration, see [Guardrails](/platform/configuration/security#guardrails).

***

## Audit Logging

Complete audit trail for all administrative and security-relevant actions:

* **User Management**: Create, update, delete users
* **Team Management**: Create, update, delete teams
* **API Key Management**: Create, rotate, delete keys
* **Provider Management**: Add, update, remove providers
* **Guardrail Changes**: Policy creation, updates, deletions
* **Configuration Changes**: Routing rules, settings updates
* **Authentication Events**: Login attempts, session creation
* **Authorization Failures**: Access denied events

***

## Production Security Checklist

<Steps>
  <Step title="Pre-Deployment">
    * [ ] Generate strong master key (32+ characters, random)
    * [ ] Configure TLS/HTTPS certificates
    * [ ] Set up secrets manager (AWS Secrets Manager, Vault, etc.)
    * [ ] Review and configure CORS origins
    * [ ] Enable audit logging
    * [ ] Configure network firewall rules
  </Step>

  <Step title="Authentication & Authorization">
    * [ ] Rotate default master key
    * [ ] Configure session timeout
    * [ ] Set up API key expiration policy
    * [ ] Enable RBAC for all users
    * [ ] Configure MCP access restrictions per key
    * [ ] Test authentication methods
  </Step>

  <Step title="Guardrails">
    * [ ] Enable PII detection for sensitive data
    * [ ] Configure hate speech detection
    * [ ] Enable prompt injection protection
    * [ ] Set up IP allow/block lists
    * [ ] Configure keyword filtering
    * [ ] Test guardrail policies
  </Step>

  <Step title="Network & Infrastructure">
    * [ ] Enable TLS/HTTPS
    * [ ] Configure reverse proxy
    * [ ] Set up Web Application Firewall (WAF)
    * [ ] Enable DDoS protection
    * [ ] Configure private networks for internal services
    * [ ] Disable unnecessary ports
  </Step>

  <Step title="Monitoring & Logging">
    * [ ] Enable audit logging
    * [ ] Set up centralized log aggregation
    * [ ] Configure security alerts
    * [ ] Enable distributed tracing
    * [ ] Set up metrics collection
    * [ ] Configure anomaly detection
  </Step>

  <Step title="Data Protection">
    * [ ] Enable encryption at rest
    * [ ] Verify TLS for data in transit
    * [ ] Configure secret rotation schedule
    * [ ] Set up database authentication
    * [ ] Test backup and recovery procedures
  </Step>

  <Step title="Compliance">
    * [ ] Document security architecture
    * [ ] Conduct security assessment
    * [ ] Perform penetration testing
    * [ ] Review data retention policies
    * [ ] Configure GDPR compliance settings (if applicable)
    * [ ] Set up SOC 2 controls (if pursuing certification)
  </Step>
</Steps>

***

## Security Best Practices

### 1. Principle of Least Privilege

Grant minimum necessary permissions to each API key. Use the `developer` role for application keys and restrict access to specific models when possible.

### 2. Defense in Depth

Implement multiple security layers: container security, network security, application security, data security, and content security.

### 3. Secret Management

<Warning>
  Never commit secrets to git, log secrets, or share secrets via email/chat. Always use a secrets manager, rotate secrets regularly, use environment variables, and encrypt at rest.
</Warning>

### 4. Incident Response Plan

1. **Detection**: Monitor logs and alerts
2. **Containment**: Disable compromised keys immediately
3. **Eradication**: Rotate secrets, patch vulnerabilities
4. **Recovery**: Restore from backups if needed
5. **Lessons Learned**: Document and improve

***

## Threat Model

<AccordionGroup>
  <Accordion title="Compromised API Key">
    **Mitigations**: Per-key budget limits, request limits, rate limiting, expiration dates, audit logging, IP restrictions.

    **Response**: Identify compromised key from logs, disable immediately, rotate, review audit logs, notify affected users.
  </Accordion>

  <Accordion title="Prompt Injection">
    **Mitigations**: Prompt injection detection guardrail, input validation, system prompt isolation, output moderation.

    **Blocked patterns include**: "Ignore previous instructions", role manipulation attempts, jailbreak patterns.
  </Accordion>

  <Accordion title="Data Exfiltration">
    **Mitigations**: PII detection and redaction, encryption at rest, TLS in transit, access logging, audit trail.
  </Accordion>

  <Accordion title="Denial of Service">
    **Mitigations**: Rate limiting, request size limits, resource limits, connection limits, timeout enforcement.
  </Accordion>
</AccordionGroup>

***

## Compliance Considerations

<CardGroup cols={2}>
  <Card icon="shield-check" title="SOC 2">
    **Key Controls**: Multi-factor authentication, RBAC, API key management with expiration, TLS encryption, audit logging, security event alerting.
  </Card>

  <Card icon="credit-card" title="PCI DSS">
    **Key Controls**: Encryption at rest, secure key management, credit card PII detection, unique user IDs, strong authentication, audit trail.
  </Card>

  <Card icon="heart-pulse" title="HIPAA">
    **Key Controls**: Access control with unique user identification, automatic logoff, encryption, complete audit logging, TLS transmission security.
  </Card>

  <Card icon="globe" title="GDPR">
    **Key Controls**: PII detection and redaction, minimal data retention, encryption by default, audit logging, security event alerting, incident response procedures.
  </Card>
</CardGroup>

***

## Additional Resources

* [OWASP Top 10](https://owasp.org/www-project-top-ten/)
* [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker)
* [NIST 800-190: Container Security](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf)
* [Docker Security Best Practices](https://docs.docker.com/engine/security/)
* [OWASP LLM Security Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/)
