🛡️ Enterprise-grade security by default
Autoflowly is built with security at every layer — from infrastructure to application code to AI agent execution. Every app and agent you create benefits from these protections automatically.
Infrastructure Security
- TLS/HTTPS everywhere — All traffic is encrypted in transit with TLS 1.2+ and HSTS headers
- Kubernetes isolation — Each deployed MVP and agent runs in its own isolated pod with resource limits
- Private container registry — Docker images are stored in a private GitHub Container Registry (GHCR) with authentication
- Firewall & network policies — Kubernetes NetworkPolicies restrict inter-pod communication to only what's necessary
- Automated certificate management — Let's Encrypt certificates are auto-renewed via cert-manager
Application Security
- Authentication — JWT-based auth with secure token rotation, bcrypt password hashing, and Google OAuth support
- Authorization — Role-based access control (RBAC) with owner/editor/viewer roles for shared MVPs
- Input validation — All user inputs are validated with Pydantic schemas, and database queries are parameterized
- Rate limiting — API rate limiting protects against abuse and brute-force attacks
- CORS policies — Strict Cross-Origin Resource Sharing headers prevent unauthorized API access
- Security headers — X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy headers on all responses
Data Protection
- Encryption at rest — PostgreSQL database with encrypted storage volumes
- Secret management — All credentials stored in Kubernetes Secrets, never in code or environment files
- OAuth token encryption — Agent connector OAuth tokens are encrypted before storage
- No plaintext passwords — bcrypt hashing for all user passwords with configurable rounds
- GDPR compliant — Users can request data export and deletion at any time
AI Agent Security
- Sandboxed execution — AI agents run in isolated containers with no host system access
- SSRF protection — Built-in blocking of private IP ranges and internal hostnames in agent web requests
- Recursion limits — Multi-agent delegation is capped at depth 3 to prevent infinite loops
- Token-gated introspection — Dashboard introspection APIs require HMAC-SHA256 signed tokens
- Scoped permissions — Public agents receive limited tools; full toolset requires owner authentication
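
The SSRF protection item above names a check that is easy to get subtly wrong, so here is an added Python example of one way to implement it; it is not Autoflowly's code. The suffix list, the function names and the `SAMPLE_DNS` answers are assumptions constructed for illustration. It validates the scheme, rejects internal hostnames, and requires every resolved address (including IPv4-mapped IPv6) to be public.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical policy values for illustration, not Autoflowly's configuration.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_SUFFIXES = (".internal", ".local", ".localhost", ".svc")
# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
    "mapped.example": ["::ffff:169.254.169.254"],
}


def system_resolver(host, port):
    """Resolve host to IP strings with the OS resolver."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_agent_url(url, resolver=system_resolver):
    """Return the vetted IPs for url, or raise ValueError if it is blocked."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or host == "localhost" or host.endswith(BLOCKED_SUFFIXES):
        raise ValueError(f"internal or missing hostname: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(host, port)
    # Every resolved address must be public; one private record rejects the URL.
    bad = [a for a in addresses if not is_public(a)]
    if bad or not addresses:
        raise ValueError(f"{host} has no usable public address: {bad}")
    return addresses  # connect to one of these rather than resolving again


def sample_resolver(host, port):
    """Offline stand-in for DNS backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])
```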
CI/CD & Development
- Automated security scanning — Dependabot alerts and automated vulnerability scanning on every push
- Code review — All changes to the main branch go through pull request review
- Environment separation — Strict dev/staging/production isolation with separate credentials per environment
- No secrets in code — GitHub Secrets for all sensitive configuration; .env files are .gitignored
Responsible Disclosure
If you discover a security vulnerability in Autoflowly, please report it responsibly. We appreciate your help keeping our platform and users safe.
Email: security@autoflowly.com
We aim to acknowledge reports within 48 hours and provide a fix timeline within 5 business days.