Skip to content

Security: clay-good/proxilion-grc

Security

docs/SECURITY.md

Security Policy

Security Best Practices

When deploying Proxilion, we recommend:

1. Network Security

  • Deploy behind a firewall
  • Use TLS/SSL for all connections
  • Implement network segmentation
  • Use VPN for remote access
  • Enable DDoS protection

2. Access Control

  • Use strong authentication (OAuth, SAML, OIDC)
  • Implement least privilege access
  • Enable multi-factor authentication
  • Rotate API keys regularly
  • Use short-lived tokens

3. Configuration

  • Never commit secrets to version control
  • Use environment variables for sensitive data
  • Enable audit logging
  • Set appropriate rate limits
  • Configure CORS properly

4. Monitoring

  • Enable real-time monitoring
  • Set up security alerts
  • Review audit logs regularly
  • Monitor for anomalies
  • Track failed authentication attempts

5. Updates

  • Keep Proxilion updated to the latest version
  • Subscribe to security advisories
  • Test updates in staging before production
  • Have a rollback plan

6. Data Protection

  • Enable PII masking in logs
  • Encrypt data at rest and in transit
  • Implement data retention policies
  • Regular security audits
  • Backup critical data

Security Features

Proxilion includes built-in security features:

Threat Detection

  • PII detection and redaction
  • Prompt injection prevention
  • Toxicity and harm detection
  • Data loss prevention (DLP)
  • Compliance validation

Access Control

  • API key authentication
  • JWT token validation
  • OAuth/OIDC integration
  • Role-based access control (RBAC)
  • Tenant isolation

Audit & Compliance

  • Complete audit trail
  • Structured logging
  • Compliance reporting (GDPR, HIPAA, PCI DSS, SOC 2)
  • Security event forwarding to SIEM
  • Anomaly detection

Infrastructure Security

  • Rate limiting
  • Circuit breakers
  • Request validation
  • Input sanitization
  • Output encoding

Known Security Considerations

1. Secrets Management

Proxilion requires API keys for AI providers. These should be:

  • Stored in secure secret management systems (e.g., HashiCorp Vault, AWS Secrets Manager)
  • Never committed to version control
  • Rotated regularly
  • Scoped with minimum required permissions

2. PII Handling

While Proxilion detects and masks PII:

  • Some PII may still pass through before detection
  • Configure appropriate retention policies
  • Ensure compliance with data protection regulations
  • Implement additional encryption for sensitive data

3. AI Provider Security

Proxilion proxies requests to AI providers:

  • Ensure AI provider accounts are secure
  • Monitor for unusual usage patterns
  • Set budget limits to prevent abuse
  • Review AI provider security policies

4. Deployment Security

When deploying Proxilion:

  • Use secure deployment platforms (Cloudflare Workers, AWS, GCP, Azure)
  • Enable platform-specific security features
  • Implement network isolation
  • Use managed services for databases and caching

Security Audits

Proxilion undergoes regular security reviews:

  • Code Reviews: All code changes are reviewed
  • Dependency Scanning: Automated vulnerability scanning
  • Static Analysis: TypeScript strict mode, ESLint security rules
  • Dynamic Testing: 739 comprehensive tests including security scenarios
  • Penetration Testing: Recommended for production deployments

Compliance

Proxilion helps organizations comply with:

  • GDPR: Data protection and privacy
  • HIPAA: Healthcare data security
  • PCI DSS: Payment card data protection
  • SOC 2: Security, availability, confidentiality
  • ISO 27001: Information security management

There aren’t any published security advisories