Vaani Sahayak is an educational and demonstration project. It is not designed or audited for production-grade security. Use at your own discretion.
| Area | Detail |
|---|---|
| API Tokens | HuggingFace tokens and EI credentials are stored in `.env`. Never commit this file. |
| CORS | Default configuration allows localhost origins only. Restrict `CORS_ORIGINS` in production. |
| SSL Verification | `EI_VERIFY_SSL` can be set to `false` for development with self-signed certificates. Always enable in production. |
| Model Servers | `servers/server_param1.py` and `servers/server_tts.py` bind to `0.0.0.0` by default. Restrict to `127.0.0.1` if not serving external clients. |
| User Input | User queries are passed directly to the LLM context. Consider input sanitization for production deployments. |
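
As an added example (not part of the Vaani Sahayak code base), the script below checks `.env` content for the CORS and SSL verification settings from the table before a production deployment. It assumes `CORS_ORIGINS` is a comma-separated list of origins and that `false`, `0`, `no` and `off` disable `EI_VERIFY_SSL`; `parse_env` and `audit_env` are hypothetical helper names.

```python
from urllib.parse import urlsplit

FALSY = {"false", "0", "no", "off"}   # assumption: values the app reads as "disabled"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().removeprefix("export ").strip()
        env[key] = value.strip().strip("'\"")
    return env


def audit_env(text):
    """Return findings that should block a production deployment."""
    env, findings = parse_env(text), []
    if env.get("EI_VERIFY_SSL", "").lower() in FALSY:
        findings.append("EI_VERIFY_SSL disables certificate verification")
    # Assumption: CORS_ORIGINS is a comma-separated list of origins.
    for origin in filter(None, (o.strip() for o in env.get("CORS_ORIGINS", "").split(","))):
        if origin == "*":
            findings.append("CORS_ORIGINS allows any origin (*)")
            continue
        parts = urlsplit(origin)
        if parts.hostname in LOOPBACK:
            findings.append(f"CORS_ORIGINS still lists development origin {origin}")
        elif parts.scheme != "https":
            findings.append(f"CORS_ORIGINS origin {origin} is not https")
    return findings


# Constructed sample, not the project's real .env
SAMPLE_ENV = """\
# local development values
EI_VERIFY_SSL=false
CORS_ORIGINS="http://localhost:3000, https://app.example.com, http://intranet.example.com"
"""

if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV):
        print("WARN:", finding)
```
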

If you deploy Vaani Sahayak beyond local development, you are responsible for:
- Authentication & authorization — the API has no built-in auth
- Network controls — firewall rules, VPN, or reverse proxy with TLS
- Secrets management — use a vault or secrets manager instead of `.env` files
- Monitoring — log access and anomalies
- Compliance — ensure your deployment meets applicable data protection regulations

If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email security@cld2labs.com with details
- Include steps to reproduce and potential impact
- We will acknowledge receipt within 48 hours

Thank you for helping keep Vaani Sahayak safe.