The OpenGuardrails Platform employs multi-layered security measures to ensure system reliability and safety.
This document provides detailed guidance for secure configuration and deployment.

• UUID User ID: Uses UUIDs instead of sequential numeric IDs to prevent user enumeration attacks
• JWT Authentication: Uses JSON Web Tokens for user identity verification
• Password Hashing: Securely hashes passwords with bcrypt
• Brute-Force Protection: Implements IP and email-based login rate limiting

• API Key Authentication: Supports service-level authentication via API keys
• Rate Limiting: Prevents API abuse and DOS attacks
• CORS Configuration: Configurable Cross-Origin Resource Sharing policies

• Database Encryption: Encrypts sensitive data at rest
• Transport Encryption: Supports HTTPS for encrypted data transmission
• Audit Logging: Provides comprehensive operation tracking

# Generate a secure JWT secret
openssl rand -base64 64

# Set it in your .env file
JWT_SECRET_KEY=YOUR_GENERATED_SECURE_KEY_HERE

# Change the default admin credentials
SUPER_ADMIN_USERNAME=admin@yourdomain.com
SUPER_ADMIN_PASSWORD=YourSecurePassword123!

# Use a strong password
DATABASE_URL=postgresql://username:secure_password@localhost:5432/database

Default brute-force protection:

• Time Window: 15 minutes
• Max Attempts: 5
• Rate Limit Scope: IP address + Email address

Adjustable parameters in code:

# In utils/user.py, within the check_login_rate_limit function
time_window_minutes=15,  # Time window
max_attempts=5           # Maximum attempts

Specify allowed domains for production:

# Development environment
CORS_ORIGINS=*

# Production environment
CORS_ORIGINS=https://yourdomain.com,https://api.yourdomain.com

• Change default admin username and password
• Generate a secure JWT secret
• Set a strong database password
• Specify production CORS origins
• Disable debug mode (DEBUG=false)
• Configure proper SMTP settings

• Enable HTTPS (recommended: Let’s Encrypt)
• Configure firewall rules
• Restrict database port access
• Set up a reverse proxy (Nginx/Apache)

• Set .env file permissions to 600
• Ensure correct log directory permissions
• Limit application user privileges

• Enable access logging
• Configure error log monitoring
• Set up abnormal login alerts
• Conduct regular security reviews

Run the built-in security check tool:

cd backend
python scripts/security_check.py

The tool checks:

• JWT secret strength
• Admin account configuration
• Database security settings
• CORS configuration
• File permissions
• Debug mode status

If upgrading from an older version, run the UUID migration:

# Backup the database
cp data/guardrails.db data/guardrails.db.backup

# Run migration script
python migrations/migrate_to_uuid.py

Note: The script automatically backs up your database, but manual backups of critical data are strongly recommended.

• Check for system updates
• Review access logs
• Inspect for abnormal login attempts

• Run the security check tool
• Clean old login attempt records
• Update dependency packages

• Rotate JWT secret keys
• Audit user permissions
• Test backup and recovery

If a security issue is discovered:

1. Immediate Response: Record issue details
2. Isolate Threat: Suspend affected services
3. Impact Analysis: Assess data breach risks
4. Patch Vulnerabilities: Apply security fixes
5. Restore Services: Verify that patches work correctly
6. Postmortem Review: Improve future security controls

If you discover vulnerabilities or have security concerns, please contact:

• Email: thomas@openguardrails.com
• Project: https://github.com/openguardrails/openguardrails

• Use strong passwords (min. 12 characters, including uppercase, lowercase, numbers, and symbols)
• Change passwords regularly
• Avoid password reuse
• Consider using a password manager

• Follow the principle of least privilege
• Periodically review user permissions
• Remove inactive users promptly
• Enable two-factor authentication (if available)

• Keep the system and dependencies updated
• Regularly back up important data
• Monitor resource usage
• Configure log rotation

• Use HTTPS for secure transmission
• Apply appropriate firewall rules
• Utilize CDN and DDoS protection
• Perform regular security scans

When upgrading the system:

1. Review release notes for security-related updates
2. Test updates in a staging environment
3. Back up production data
4. Verify configuration against the security checklist
5. Run the security check tool

The platform adheres to the following security standards and best practices:

• OWASP Top 10 Web Application Security Risks
• ISO 27001 Information Security Management Standard

Disclaimer: This guide provides recommended security practices but does not guarantee absolute security. Users should tailor security policies to their specific environments and stay informed of emerging security threats.