Skip to content

Security: itsevin/ImageFlow-Auto

Security

docs/security.md

Security

Language: English | 简体中文

ImageFlow Auto is local-first by default. Authentication is disabled in the public template so local demos keep working immediately. If the console is exposed beyond 127.0.0.1, enable authentication first.

Local Security Files

The public repository contains safe defaults only:

  • config/security.yaml: public defaults, authentication off.
  • config/security.local.yaml: local override, git-ignored.
  • .env.local: local provider secrets, git-ignored.

Do not commit security.local.yaml, .env, .env.local, provider API keys, or runtime logs that contain provider responses.

Authentication

When authentication is enabled:

  • The first visit requires administrator password setup if no password hash is configured.
  • Passwords are stored as PBKDF2-HMAC-SHA256 hashes with per-password salts.
  • Sessions use HttpOnly cookies.
  • Mutating API requests require a CSRF token header.
  • Login attempts are rate-limited per client address.
  • Security headers disable framing, MIME sniffing, referrer leakage, and browser permissions that the console does not need.

The frontend never stores the password or session token in localStorage.

Provider Secrets

Provider connection settings are split from pricing:

  • Runtime connection settings are saved to config/providers.local.yaml.
  • API keys, model env values, and base URL env values are saved to .env.local.
  • Pricing profiles and model rates control estimates only. They do not make a provider runnable.

Deployment Notes

For local use, bind to 127.0.0.1. For a public or team-accessible deployment, put the app behind HTTPS, enable authentication, use a strong administrator password, and keep the runtime data directory private.

There aren't any published security advisories