Skip to main content
This guide covers security best practices for hardening Enclave deployments in production environments.

Security Checklist

Critical

  • Use STRICT security level for untrusted code
  • Enable AI Scoring Gate
  • Set memory limits
  • Configure timeouts
  • Validate all tool inputs
  • Run as non-root user
  • Enable end-to-end encryption
  • Implement rate limiting
  • Use network segmentation
  • Enable audit logging
  • Set up intrusion detection
  • Regular security updates

Security Levels

Always use the appropriate security level:

Defense in Depth

Layer 1: Input Validation

Validate code before it reaches Enclave:

Layer 2: Pre-Scanner

Block obvious attacks early:

Layer 3: AST Validation

Strict AST validation:

Layer 4: AI Scoring Gate

Detect suspicious semantic patterns:

Layer 5: Runtime Isolation

Maximum runtime isolation:

Layer 6: Output Sanitization

Sanitize all outputs:

Tool Security

Input Validation

Always validate tool inputs:

Permission Control

Implement tool permissions per user:

Data Filtering

Filter sensitive data from tool responses:

Network Security

Isolation

Run Enclave in isolated network:

TLS Configuration

End-to-End Encryption

Enable E2E encryption for sensitive data:

Rate Limiting

Per-User Limits

Per-Tool Limits

Audit Logging

Comprehensive Logging

Log Retention

Container Security

Dockerfile Best Practices

Security Context

Secrets Management

Environment Variables

Never hardcode secrets:

Kubernetes Secrets

Incident Response

Detection

Monitor for anomalies:

Response Plan

  1. Detect - Automated monitoring alerts
  2. Contain - Isolate affected components
  3. Investigate - Review audit logs
  4. Remediate - Fix vulnerability
  5. Recover - Restore normal operation
  6. Learn - Post-incident review