Security & Compliance
Chox is an AI governance proxy that sits between your AI agents and external APIs. Security is foundational to everything we build. Here's how we protect your data and API traffic.
Authentication & Token Security
HMAC-SHA256 hashed tokens, brute-force protection, replay prevention
- All API keys and caller tokens are stored as HMAC-SHA256 hashes — never in plaintext. Raw tokens cannot be recovered from stored hashes.
- Brute-force protection on both the proxy path (20 failures per 5 minutes) and the API path (15 per IP and 10 per key per 5 minutes), with automatic window expiry.
- Replay protection requires an X-Chox-Timestamp header on every request, and its value must fall within a 5-minute window. Requests that omit the header are rejected, so stripping the header does not bypass the check.
- Optional bootstrap token protects project creation with IP rate limiting (5 req/min).
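The token-hashing and replay rules above, written out as an added example in Go (this is illustration code, not Chox's own implementation). It assumes a server-side HMAC key held in memory (a constructed value here, where the real one comes from the environment) and assumes the X-Chox-Timestamp value is Unix seconds; the header name and the 5-minute window come from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// hmacKey stands in for the server-side key the page says is loaded from the
// environment once at startup. Constructed value for this example only.
var hmacKey = []byte("example-hmac-key-loaded-from-env")

// replayWindow is the +/- 5 minute tolerance described on the page.
const replayWindow = 5 * time.Minute

// hashToken returns the hex HMAC-SHA256 of a raw token. Only this value is
// stored; without hmacKey and the raw token it cannot be reversed or recomputed.
func hashToken(raw string) string {
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(raw))
	return hex.EncodeToString(mac.Sum(nil))
}

// verifyToken recomputes the HMAC for the presented token and compares it with
// the stored hash in constant time, so timing does not leak how many bytes matched.
func verifyToken(presented, storedHash string) bool {
	want, err := hex.DecodeString(storedHash)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write([]byte(presented))
	return hmac.Equal(mac.Sum(nil), want)
}

var (
	errMissingTimestamp = errors.New("missing X-Chox-Timestamp header")
	errBadTimestamp     = errors.New("malformed X-Chox-Timestamp header")
	errStaleTimestamp   = errors.New("X-Chox-Timestamp outside the 5-minute window")
)

// checkTimestamp enforces the replay rule. The header must be present and must
// fall within replayWindow of now; an absent header is an error rather than a
// skipped check, so stripping the header does not bypass it. The header name is
// from the page; encoding the value as Unix seconds is an assumption here.
func checkTimestamp(header string, now time.Time) error {
	if header == "" {
		return errMissingTimestamp
	}
	secs, err := strconv.ParseInt(header, 10, 64)
	if err != nil {
		return errBadTimestamp
	}
	skew := now.Sub(time.Unix(secs, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > replayWindow {
		return errStaleTimestamp
	}
	return nil
}

func main() {
	stored := hashToken("caller-token-123") // what the database would hold
	fmt.Println("stored hash:", stored)
	fmt.Println("correct token accepted:", verifyToken("caller-token-123", stored))
	fmt.Println("wrong token accepted:", verifyToken("caller-token-124", stored))
	now := time.Now()
	fmt.Println("fresh timestamp:", checkTimestamp(strconv.FormatInt(now.Unix(), 10), now))
	fmt.Println("missing header:", checkTimestamp("", now))
	fmt.Println("stale timestamp:", checkTimestamp(strconv.FormatInt(now.Add(-10*time.Minute).Unix(), 10), now))
}
```

Keying the hash with a secret (HMAC) rather than using a bare SHA-256 means a leaked database of hashes cannot be brute-forced offline without the key as well; hmac.Equal is what keeps the comparison constant-time.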
Data Protection & Redaction
Automatic credential redaction, error sanitization, TLS enforcement
- Sensitive headers (Authorization, API keys, cookies, CSRF tokens) are automatically stripped from all stored logs before persistence.
- Request and response bodies are scanned and redacted for secrets (Stripe keys, Anthropic keys, Bearer tokens, Chox tokens) before storage.
- Upstream error messages are classified and sanitized — internal hostnames, IPs, and stack traces are never exposed to callers.
- TLS is enforced in production — the server refuses to start if the database connection uses sslmode=disable in production or staging environments.
Content Security Pipeline
Secret detection, PII scanning, keyword deny, URL policy gates
- Secret Detection Gate scans all write/delete request bodies for API keys across providers (OpenAI, Stripe, AWS, Slack, GitHub, Anthropic), JWTs, and private keys.
- PII Detection Gate (opt-in) identifies emails, phone numbers, SSNs, and credit card numbers using pattern matching.
- Advanced text normalization defeats evasion: iterative URL decoding (up to 5 layers), zero-width character stripping, and Unicode NFKC normalization.
- Keyword Deny Gate uses word-boundary regex matching with a cached pattern pool. URL Policy Gate enforces domain-level allow/deny lists with subdomain support.
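An added Go example (illustration code, not Chox's own) of the normalization and keyword-deny steps described above: iterative URL decoding capped at 5 layers, zero-width stripping, and word-boundary matching through a FIFO-evicting pattern cache. NFKC normalization is left out because it needs golang.org/x/text, outside the standard library; the keyword list, the cache size passed in, and the sample bodies are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"sync"
)

// maxDecodeLayers mirrors the page's "up to 5 layers" of URL decoding.
const maxDecodeLayers = 5

// zeroWidth strips the zero-width code points commonly inserted inside a
// keyword so that a naive substring match misses it.
var zeroWidth = strings.NewReplacer(
	"\u200b", "", // ZERO WIDTH SPACE
	"\u200c", "", // ZERO WIDTH NON-JOINER
	"\u200d", "", // ZERO WIDTH JOINER
	"\u2060", "", // WORD JOINER
	"\ufeff", "", // ZERO WIDTH NO-BREAK SPACE
)

// normalize applies the first two steps from the page: repeated URL decoding
// (at most maxDecodeLayers passes, stopping early once a pass changes nothing
// or hits an invalid escape) followed by zero-width stripping. The third step,
// Unicode NFKC, is omitted because it needs golang.org/x/text/unicode/norm.
func normalize(s string) string {
	for i := 0; i < maxDecodeLayers; i++ {
		decoded, err := url.PathUnescape(s)
		if err != nil || decoded == s {
			break
		}
		s = decoded
	}
	return zeroWidth.Replace(s)
}

// patternPool caches compiled word-boundary patterns per keyword with FIFO
// eviction once it holds max entries, as the page describes for its cache.
type patternPool struct {
	mu    sync.Mutex
	max   int
	order []string // insertion order, oldest first
	cache map[string]*regexp.Regexp
}

func newPatternPool(max int) *patternPool {
	return &patternPool{max: max, cache: make(map[string]*regexp.Regexp)}
}

// get returns the cached pattern for keyword, compiling it on a miss.
// QuoteMeta keeps the keyword literal; \b anchors on word boundaries so
// "drop table" does not fire on "backdrop tables".
func (p *patternPool) get(keyword string) *regexp.Regexp {
	p.mu.Lock()
	defer p.mu.Unlock()
	if re, ok := p.cache[keyword]; ok {
		return re
	}
	if len(p.order) >= p.max {
		oldest := p.order[0]
		p.order = p.order[1:]
		delete(p.cache, oldest)
	}
	re := regexp.MustCompile(`(?i)\b` + regexp.QuoteMeta(keyword) + `\b`)
	p.order = append(p.order, keyword)
	p.cache[keyword] = re
	return re
}

func (p *patternPool) size() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return len(p.cache)
}

// denyGate normalizes the body and returns the first denied keyword found,
// or "" when the body passes.
func denyGate(pool *patternPool, denied []string, body string) string {
	text := normalize(body)
	for _, kw := range denied {
		if pool.get(kw).MatchString(text) {
			return kw
		}
	}
	return ""
}

func main() {
	pool := newPatternPool(1000)
	denied := []string{"drop table", "rm -rf"} // constructed deny list
	for _, body := range []string{
		"please DROP%20TABLE users",           // URL-encoded space
		"%2544ROP TABLE users",                // double-encoded 'D'
		"DR\u200bOP TAB\u200cLE users",        // zero-width characters inside the keyword
		"backdrop tables for the photoshoot",  // no word boundary: passes
	} {
		fmt.Printf("%q -> denied keyword %q\n", body, denyGate(pool, denied, body))
	}
}
```

Decoding stops as soon as a pass is a no-op or hits an invalid escape, so a legitimate body containing a lone "%" is left intact rather than rejected, and the 5-layer cap bounds the work an attacker can force per request.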
SSRF Protection (3 Layers)
Integration validation, runtime host checks, atomic DNS+IP pinning
- Layer 1 — Integration creation: HTTPS-only, blocks all RFC 1918 private ranges, loopback, link-local, and cloud metadata endpoints (AWS, Azure). DNS resolution verifies resolved IPs aren't private.
- Layer 2 — Request time: Every proxied request re-validates the destination host. Blocks localhost, *.internal, *.local, and known metadata hostnames.
- Layer 3 — Connection time: Custom dialer performs atomic DNS resolution + IP validation to prevent DNS rebinding (TOCTOU). Every resolved IP is checked before the TCP connection is established.
- Private IP detection covers: IPv4/IPv6 loopback, link-local, RFC 1918, RFC 4193, AWS metadata (169.254.169.254), and Azure metadata (169.254.169.253).
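The three layers above, written out as an added Go example (illustration code, not Chox's own dialer). The blocked ranges and hostname rules are the ones listed on the page; the timeouts, the error values and the http.Client wiring are assumptions for the example. The key point in Layer 3 is that the dialer connects to the IP it validated, so there is no second DNS lookup for a rebinding attack to exploit.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

var errBlockedDestination = errors.New("destination is a blocked address")

// metadataIPs are the cloud metadata addresses named on the page.
var metadataIPs = []net.IP{
	net.ParseIP("169.254.169.254"), // AWS
	net.ParseIP("169.254.169.253"), // Azure
}

// isBlockedIP is the page's private-IP detection: IPv4/IPv6 loopback,
// link-local, RFC 1918 and RFC 4193 (both covered by net.IP.IsPrivate), the
// unspecified address, and the metadata IPs. net.IP unwraps IPv4-mapped IPv6
// (::ffff:10.0.0.1) before these checks, so that spelling is caught as well.
func isBlockedIP(ip net.IP) bool {
	if ip == nil || ip.IsUnspecified() || ip.IsLoopback() ||
		ip.IsLinkLocalUnicast() || ip.IsPrivate() {
		return true
	}
	for _, m := range metadataIPs {
		if ip.Equal(m) {
			return true
		}
	}
	return false
}

// isBlockedHost is the Layer 2 hostname check run on every proxied request:
// localhost, *.internal and *.local are rejected outright, and a literal IP is
// checked with isBlockedIP, all before any DNS lookup happens.
func isBlockedHost(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	if h == "localhost" {
		return true
	}
	if ip := net.ParseIP(h); ip != nil {
		return isBlockedIP(ip)
	}
	return strings.HasSuffix(h, ".internal") || strings.HasSuffix(h, ".local")
}

// safeDialContext is the Layer 3 dialer. It resolves the host itself, checks
// every resolved IP, then dials a vetted IP literal rather than the hostname,
// so the address that was checked is the address connected to. A resolver that
// answers with a public IP for the check and a private one a moment later
// (DNS rebinding) gains nothing, because there is no second lookup.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	if isBlockedHost(host) {
		return nil, errBlockedDestination
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, errors.New("no addresses resolved for " + host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip.IP) {
			return nil, errBlockedDestination
		}
	}
	d := &net.Dialer{Timeout: 10 * time.Second}
	var lastErr error
	for _, ip := range ips {
		conn, err := d.DialContext(ctx, network, net.JoinHostPort(ip.IP.String(), port))
		if err == nil {
			return conn, nil
		}
		lastErr = err
	}
	return nil, lastErr
}

// newSafeClient wires the dialer into an http.Client. Every hop of a redirect
// chain is dialed through safeDialContext, and TLS still verifies the request's
// hostname because the Transport, not the dialer, performs the handshake.
func newSafeClient() *http.Client {
	return &http.Client{
		Transport: &http.Transport{DialContext: safeDialContext},
		Timeout:   15 * time.Second,
	}
}

func main() {
	for _, h := range []string{"api.example.com", "localhost", "169.254.169.254", "db.internal", "::ffff:10.0.0.1"} {
		fmt.Printf("%-18s blocked=%v\n", h, isBlockedHost(h))
	}
	_, err := safeDialContext(context.Background(), "tcp", "127.0.0.1:80")
	fmt.Println("dial 127.0.0.1:80 ->", err)
	_ = newSafeClient()
}
```

Because the custom dialer only changes how the TCP connection is opened, the Transport still sends the original hostname as SNI and checks the certificate against it, so pinning the IP does not weaken TLS verification.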
Transport & Header Security
HSTS, CSP, CORS lockdown, request/response header filtering
- Strict-Transport-Security with max-age of 2 years and includeSubDomains. HTTPS is forced at the infrastructure level.
- Content-Security-Policy restricts scripts, styles, and connections. X-Frame-Options: DENY prevents clickjacking. X-Content-Type-Options: nosniff prevents MIME sniffing.
- Permissions-Policy disables camera, microphone, and geolocation. Referrer-Policy set to strict-origin-when-cross-origin.
- Request headers use a strict whitelist — only known-safe headers are forwarded upstream. Response headers use a blocklist — upstream cannot override Set-Cookie, CORS, CSP, or HSTS headers.
- CORS is locked down by default (empty origin list). Requires explicit configuration to enable cross-origin access.
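The request whitelist, response blocklist and fixed security headers above, as an added Go example (illustration code, not Chox's own middleware). The page does not list which request headers are considered safe, so the whitelist here is an assumption, as is the exact CSP value; the HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy and Referrer-Policy values follow what the page states. The sample headers in main are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// forwardableRequestHeaders is the request whitelist. The page says only
// known-safe headers are forwarded but does not list them, so this set is an
// assumption. Authorization and Cookie are deliberately absent so that caller
// credentials never reach the upstream.
var forwardableRequestHeaders = map[string]bool{
	"Accept":          true,
	"Accept-Encoding": true,
	"Accept-Language": true,
	"Content-Type":    true,
	"Content-Length":  true,
	"User-Agent":      true,
}

// isBlockedResponseHeader is the response blocklist from the page: an upstream
// may not set cookies on the proxy's origin or override its CORS, CSP or HSTS.
func isBlockedResponseHeader(name string) bool {
	canon := http.CanonicalHeaderKey(name)
	if strings.HasPrefix(canon, "Access-Control-") {
		return true
	}
	switch canon {
	case "Set-Cookie", "Content-Security-Policy", "Strict-Transport-Security":
		return true
	}
	return false
}

// filterRequestHeaders builds the upstream header set from the whitelist only.
// Names are canonicalized so "content-type" and "Content-Type" are the same key.
func filterRequestHeaders(in http.Header) http.Header {
	out := http.Header{}
	for name, values := range in {
		if forwardableRequestHeaders[http.CanonicalHeaderKey(name)] {
			for _, v := range values {
				out.Add(name, v)
			}
		}
	}
	return out
}

// filterResponseHeaders passes everything from upstream except the blocklist.
func filterResponseHeaders(in http.Header) http.Header {
	out := http.Header{}
	for name, values := range in {
		if isBlockedResponseHeader(name) {
			continue
		}
		for _, v := range values {
			out.Add(name, v)
		}
	}
	return out
}

// setSecurityHeaders applies the fixed browser-facing headers from the page.
// The HSTS max-age is two years in seconds. The CSP value is an assumption;
// the page only says scripts, styles and connections are restricted.
func setSecurityHeaders(h http.Header) {
	h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
	h.Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self'; connect-src 'self'")
	h.Set("X-Frame-Options", "DENY")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
	h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
}

func main() {
	// Constructed caller request: only Content-Type survives the whitelist.
	req := http.Header{}
	req.Set("Authorization", "Bearer caller-token")
	req.Set("Cookie", "session=abc")
	req.Set("content-type", "application/json")
	fmt.Println("upstream request headers:", filterRequestHeaders(req))

	// Constructed upstream response: Set-Cookie and CORS are dropped, then the
	// proxy's own security headers are applied on top.
	resp := http.Header{}
	resp.Set("Set-Cookie", "upstream=1")
	resp.Set("Access-Control-Allow-Origin", "*")
	resp.Set("Content-Type", "application/json")
	out := filterResponseHeaders(resp)
	setSecurityHeaders(out)
	fmt.Println("response headers:", out)
}
```

Filtering the response before setting the proxy's own headers is what guarantees the upstream cannot win: even if an upstream header slipped past the blocklist, Set overwrites it.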
Database Security
Parameterized queries, CHECK constraints, connection pooling, query timeouts
- 100% parameterized queries across the entire codebase — zero string concatenation in SQL. All queries use positional placeholders.
- Database CHECK constraints enforce valid enum values for dispute status, content rule types, integration types, and policy modes — preventing invalid state even via direct DB access.
- SQL comment stripping protects against comment-based injection bypass while preserving string literals with proper quote escaping.
- Connection pooling with configurable limits and 5-minute max connection lifetime. 15-second query timeout prevents runaway queries.
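The comment-stripping rule above has a real edge case: a "--" or "/*" inside a string literal is data, not a comment, and a doubled quote ('') inside a literal is an escaped quote rather than its end. The following added Go example (illustration code, not Chox's own stripper) handles both, then shows why stripping matters for a destructive-statement check. The destructive pattern is a deliberately small stand-in; the project's actual rules are not on the page, and the sample statements are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// stripSQLComments removes "--" line comments and "/* */" block comments while
// leaving single-quoted string literals untouched. Inside a literal, a doubled
// quote ('') is an escaped quote, not the end of the literal, so a comment
// marker after it is still literal text. A block comment is replaced by one
// space so tokens it split ("DELETE/**/FROM") separate cleanly; a line comment
// ends at the newline, which is kept.
func stripSQLComments(sql string) string {
	var out strings.Builder
	inString := false
	for i := 0; i < len(sql); i++ {
		c := sql[i]
		switch {
		case inString:
			out.WriteByte(c)
			if c == '\'' {
				if i+1 < len(sql) && sql[i+1] == '\'' {
					out.WriteByte('\'') // escaped quote: stay inside the literal
					i++
				} else {
					inString = false
				}
			}
		case c == '\'':
			inString = true
			out.WriteByte(c)
		case c == '-' && i+1 < len(sql) && sql[i+1] == '-':
			for i < len(sql) && sql[i] != '\n' {
				i++
			}
			if i < len(sql) {
				out.WriteByte('\n')
			}
		case c == '/' && i+1 < len(sql) && sql[i+1] == '*':
			end := strings.Index(sql[i+2:], "*/")
			if end < 0 {
				i = len(sql) // unterminated comment swallows the rest
			} else {
				i += 2 + end + 1 // land on the '/' of "*/"; the loop's i++ steps past it
			}
			out.WriteByte(' ')
		default:
			out.WriteByte(c)
		}
	}
	return out.String()
}

// destructive is a small stand-in for the kinds of statements the page tags
// as destructive_sql; the project's own rules are not on the page.
var destructive = regexp.MustCompile(`(?i)\b(drop\s+table|delete\s+from|truncate\s+table)\b`)

// isDestructiveSQL classifies after comment stripping. Without stripping,
// "DELETE/**/FROM" never matches "delete\s+from", and a keyword that only
// appears in a trailing "--" comment would be a false positive.
func isDestructiveSQL(sql string) bool {
	return destructive.MatchString(stripSQLComments(sql))
}

func main() {
	for _, q := range []string{
		"DELETE/**/FROM/**/users",                     // comment-split keywords
		"SELECT name FROM users -- DELETE FROM users", // keyword only in a comment
		"SELECT 'it''s -- not a comment' FROM t",      // escaped quote inside a literal
	} {
		fmt.Printf("%-48q stripped=%q destructive=%v\n", q, stripSQLComments(q), isDestructiveSQL(q))
	}
}
```

Note that a keyword inside a preserved literal still matches, which is the intended trade-off: the stripper only removes what the database engine itself would ignore, and never alters data the statement would actually send.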
Rate Limiting & Resource Protection
Per-project token bucket, memory caps, body size limits
- Per-project token bucket rate limiting with configurable requests-per-second and burst capacity. Idle buckets are cleaned up after 10 minutes.
- Memory exhaustion defenses: auth failure tracker capped at 50K entries, keyword pattern cache at 1K (FIFO eviction), project cache at 10K (LRU eviction).
- Request body limits: 10MB for proxy path, 1MB for API endpoints. Response bodies truncated to 64KB for logging.
- Connection limits enforced at infrastructure level: 200 soft / 250 hard concurrent connections.
Audit Trail & Logging
Full request/response logging, correlation IDs, async back-pressure
- Every proxied request is logged with full request/response headers and bodies (redacted and truncated). Includes action type, risk score, shadow verdict, and fingerprint.
- Server-generated correlation IDs (UUID) on every request — never trusts client-provided IDs.
- Async logging with configurable back-pressure: entries buffered (up to 10K), batch-written (50 entries or 100ms interval). Graceful shutdown drains remaining logs.
- AI training signals (secret_detected, pii_detected, financial_above_10k, destructive_sql, etc.) stored as structured JSON for future ML-based policy enforcement.
Infrastructure & Deployment
Non-root Docker, multi-stage build, Alpine minimal image, static binary
- Multi-stage Docker build: separate frontend compilation (Node.js), Go binary build, and minimal Alpine 3.19 runtime image.
- Runs as non-root user (UID 1000) inside the container. Static Go binary with CGO_ENABLED=0 — no dynamic linking attack surface.
- HTTPS forced at infrastructure level. Health checks every 10 seconds with 2-second timeout.
- Secrets loaded exclusively from environment variables — nothing hardcoded. HMAC key initialized once at startup.