Security Best Practices
Ensure your CCProxy deployment is secure with these comprehensive security guidelines and best practices.
Security Overview
CCProxy implements multiple layers of security:
- API key management and rotation
- Request validation and sanitization
- Rate limiting and DDoS protection
- IP whitelisting/blacklisting
- Audit logging and monitoring
- Secure communication (TLS)
Authentication and Authorization
API Key Management
Never expose API keys in code or logs:
bash
# Good: Use environment variables
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."
# Bad: Never hardcode keys
apiKey := "sk-ant-123..." # NEVER DO THISAPI Key Rotation
Implement regular key rotation:
yaml
# config.yaml
security:
api_keys:
rotation_period: "30d"
notification_before: "7d"
# Multiple keys for zero-downtime rotation
keys:
- id: "key-1"
key: "${API_KEY_1}"
expires: "2025-12-31"
- id: "key-2"
key: "${API_KEY_2}"
expires: "2026-01-31"Authentication Middleware
Configure authentication:
yaml
security:
auth:
enabled: true
type: "api_key" # or "jwt", "oauth2"
# API key authentication
api_keys:
- key: "${CCPROXY_APIKEY}"
name: "production"
rate_limit: 10000
allowed_ips:
- "10.0.0.0/8"
- "172.16.0.0/12"Network Security
TLS Configuration
Always use TLS in production:
yaml
server:
tls:
enabled: true
cert_file: "/etc/ccproxy/tls/cert.pem"
key_file: "/etc/ccproxy/tls/key.pem"
min_version: "1.2"
cipher_suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256Generate certificates:
bash
# Self-signed for development
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout key.pem -out cert.pem
# Let's Encrypt for production
certbot certonly --standalone -d ccproxy.yourdomain.comIP Restrictions
Implement IP-based access control:
yaml
security:
ip_whitelist:
enabled: true
ips:
- "10.0.0.0/8" # Internal network
- "172.16.0.0/12" # Docker networks
- "192.168.1.0/24" # Office network
ip_blacklist:
enabled: true
ips:
- "1.2.3.4" # Known bad actor
auto_block:
enabled: true
threshold: 100 # Requests per minute
duration: "1h" # Block durationFirewall Configuration
bash
# UFW example
ufw default deny incoming
ufw default allow outgoing
ufw allow from 10.0.0.0/8 to any port 8080
ufw allow 22/tcp # SSH
ufw enable
# iptables example
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROPInput Validation
Request Validation
Validate all incoming requests:
yaml
security:
request_validation:
enabled: true
max_tokens: 100000 # Maximum tokens allowed
max_messages: 100 # Maximum conversation length
max_message_length: 50000 # Maximum single message length
# Block suspicious patterns
blocked_patterns:
- "(?i)api[_-]?key" # API key patterns
- "(?i)password" # Password patterns
- "<script" # XSS attemptsContent Filtering
go
// Sanitize user input
func sanitizeInput(input string) string {
// Remove control characters
input = strings.Map(func(r rune) rune {
if r < 32 && r != '\n' && r != '\t' {
return -1
}
return r
}, input)
// Limit length
if len(input) > maxLength {
input = input[:maxLength]
}
return input
}Rate Limiting
Configure Rate Limits
Protect against abuse:
yaml
security:
rate_limiting:
enabled: true
# Global limits
global:
requests_per_minute: 6000
requests_per_hour: 100000
burst: 100
# Per-IP limits
per_ip:
requests_per_minute: 60
requests_per_hour: 1000
burst: 10
# Per-API key limits
per_key:
default:
requests_per_minute: 100
daily_quota: 10000
premium:
requests_per_minute: 1000
daily_quota: 100000DDoS Protection
yaml
security:
ddos_protection:
enabled: true
# Connection limits
max_connections: 10000
max_connections_per_ip: 100
# Request limits
max_request_size: 10485760 # 10MB
max_header_size: 8192 # 8KB
# Slow request protection
read_timeout: "30s"
header_timeout: "10s"Data Protection
Sensitive Data Handling
Never log sensitive information:
go
// Good: Mask sensitive data
logger.Info("API request",
"api_key", maskAPIKey(apiKey), // sk-ant-xxx...xxx
"user_id", userID,
)
// Bad: Never log full API keys
logger.Info("API request", "api_key", apiKey) // NEVER DO THISResponse Sanitization
yaml
security:
response_sanitization:
enabled: true
remove_system_prompts: true
mask_api_keys: true
mask_emails: true
mask_phone_numbers: true
# Custom patterns to mask
mask_patterns:
- name: "credit_card"
pattern: '\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b'
replacement: "XXXX-XXXX-XXXX-XXXX"Audit Logging
Configure Audit Logs
Track all security events:
yaml
security:
audit:
enabled: true
# What to log
events:
- authentication_success
- authentication_failure
- rate_limit_exceeded
- invalid_request
- configuration_change
- api_key_rotation
# Where to log
outputs:
- type: file
path: "/var/log/ccproxy/audit.log"
rotation: "daily"
retention: "90d"
- type: syslog
host: "syslog.internal"
port: 514
protocol: "tcp"Log Format
json
{
"timestamp": "2025-01-20T10:30:45Z",
"event": "authentication_failure",
"severity": "warning",
"user_id": "user-123",
"ip_address": "192.168.1.100",
"api_key_id": "key-1",
"reason": "invalid_api_key",
"request_id": "req-abc123"
}Secure Deployment
Docker Security
dockerfile
# Use minimal base image
FROM golang:1.21-alpine AS builder
# Build stage...
FROM alpine:latest
RUN apk --no-cache add ca-certificates
# Create non-root user
RUN addgroup -g 1000 ccproxy && \
adduser -D -s /bin/sh -u 1000 -G ccproxy ccproxy
# Copy binary
COPY --from=builder /app/ccproxy /usr/local/bin/
RUN chmod +x /usr/local/bin/ccproxy
# Use non-root user
USER ccproxy
# Security headers
ENV SECURITY_HEADERS="true"
EXPOSE 8080
ENTRYPOINT ["ccproxy"]Kubernetes Security
yaml
apiVersion: v1
kind: Pod
metadata:
name: ccproxy
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: ccproxy
image: ccproxy:latest
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
resources:
limits:
memory: "1Gi"
cpu: "1000m"
requests:
memory: "256Mi"
cpu: "100m"Security Headers
Configure security headers:
yaml
server:
security_headers:
enabled: true
headers:
X-Content-Type-Options: "nosniff"
X-Frame-Options: "DENY"
X-XSS-Protection: "1; mode=block"
Strict-Transport-Security: "max-age=31536000; includeSubDomains"
Content-Security-Policy: "default-src 'self'"
Referrer-Policy: "strict-origin-when-cross-origin"Vulnerability Management
Dependency Scanning
Regular security updates:
bash
# Check for vulnerabilities
go list -json -m all | nancy sleuth
# Update dependencies
go get -u ./...
go mod tidy
# Audit dependencies
go mod auditContainer Scanning
bash
# Scan Docker images
trivy image ccproxy:latest
# Scan with Snyk
snyk container test ccproxy:latestIncident Response
Security Monitoring
Monitor for security events:
yaml
monitoring:
security_alerts:
- name: "multiple_auth_failures"
condition: "auth_failures > 10 in 5m"
action: "alert"
- name: "rate_limit_abuse"
condition: "rate_limit_exceeded > 100 in 1m"
action: "block_ip"
- name: "suspicious_pattern"
condition: "sql_injection_attempt"
action: "alert_and_block"Emergency Response
Quick actions for security incidents:
bash
# Block suspicious IP immediately
ccproxy security block-ip 1.2.3.4
# Rotate compromised API key
ccproxy security rotate-key --key-id key-1
# Enable emergency mode (strict security)
ccproxy security emergency --enableSecurity Checklist
Pre-deployment
- [ ] All API keys in environment variables
- [ ] TLS enabled and configured
- [ ] Authentication enabled
- [ ] Rate limiting configured
- [ ] IP restrictions set up
- [ ] Audit logging enabled
- [ ] Security headers configured
- [ ] Non-root user in containers
- [ ] Dependencies scanned
- [ ] Penetration testing completed
Operational
- [ ] Regular key rotation schedule
- [ ] Security monitoring active
- [ ] Incident response plan ready
- [ ] Regular security audits
- [ ] Dependency updates scheduled
- [ ] Backup encryption enabled
- [ ] Access logs reviewed
- [ ] Firewall rules up to date
- [ ] Security training completed
- [ ] Compliance requirements met
Compliance
GDPR Compliance
yaml
privacy:
gdpr:
enabled: true
data_retention: "90d"
anonymize_logs: true
right_to_deletion: true
data_portability: trueHIPAA Compliance
yaml
privacy:
hipaa:
enabled: true
encryption_at_rest: true
encryption_in_transit: true
access_controls: "strict"
audit_logs: "comprehensive"Next Steps
- Monitoring Guide - Set up security monitoring
- Development Setup - Secure development practices
- Contributing Guide - Security guidelines for contributors