ContextQMD
Back to Genai Toolbox

Production Security Warning

.hugo/layouts/shortcodes/production-security-warning.html

1.2.01.1 KB
Original Source

⚠️ Production Security Warning

Secure your deployment: By default, Toolbox uses HTTP and runs on all hosts (--allowed-hosts) and all origins (--allowed-origins). While convenient, this is insecure and could expose you to unauthorized access of your toolbox instances. Please review the example under reference/cli to secure your instances.

Note: The server issues a warning in the logs if these are set to the wildcard *.

  • Prevent DNS Rebinding: Use the --allowed-hosts flag to specify a list of hosts for validation. Example: command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-hosts", "localhost:5000"]
  • Implement CORS: Use the --allowed-origins flag to specify a list of origins permitted to access the server. Example: command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--allowed-origins", "https://foo.bar"]
  • Enable HTTPS: Use the --tls-cert and --tls-key flags to secure your connection. Example: command: ["--config", "/config/tools.yaml", "--address", "0.0.0.0", "--tls-cert", "cert.pem", "--tls-key", "key.pem"]