security_config.yaml

# Security Configuration for Secure AI Agents Suite
# Production-ready security settings for HuggingFace Spaces deployment

# Input Validation and Sanitization
security:
  input_validation:
    enabled: true
    max_input_length: 10000
    allowed_content_types:
      - "text/plain"
      - "application/json"
      - "text/markdown"
    blocked_patterns:
      - "<script"
      - "javascript:"
      - "data:"
      - "vbscript:"
      - "file://"
      - "eval("
      - "exec("
      - "__import__"
      - "subprocess"
      - "os.system"
    sanitization_rules:
      - remove_html_tags: true
      - escape_special_chars: true
      - normalize_unicode: true
      - strip_whitespace: true

  # Rate Limiting
  rate_limiting:
    enabled: true
    default_limit: 100  # requests per minute
    burst_limit: 20     # burst requests
    per_ip_limit: 100   # per IP per minute
    per_agent_limit: 200  # per agent type per minute
    window_size: 60     # seconds
    
  # Authentication and Authorization
  authentication:
    enabled: false  # Spaces handles basic auth
    methods:
      - "api_key"
      - "bearer_token"
    session_timeout: 3600  # seconds
    max_sessions: 1000
    
  # Content Security Policy
  content_security_policy:
    enabled: true
    default_src: ["'self'"]
    script_src: ["'self'", "'unsafe-inline'"]
    style_src: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"]
    img_src: ["'self'", "data:", "https:"]
    font_src: ["'self'", "https://fonts.gstatic.com"]
    connect_src: ["'self'", "https:", "wss:"]
    object_src: ["'none'"]
    frame_src: ["'none'"]
    base_uri: ["'self'"]
    form_action: ["'self'"]
    
  # Headers Security
  security_headers:
    enabled: true
    headers:
      X-Content-Type-Options: "nosniff"
      X-Frame-Options: "DENY"
      X-XSS-Protection: "1; mode=block"
      Referrer-Policy: "strict-origin-when-cross-origin"
      Content-Security-Policy: "see_above"
      Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"
      Permissions-Policy: "camera=(), microphone=(), geolocation=()"
      
  # Data Privacy
  data_privacy:
    enabled: true
    gdpr_compliance: true
    data_retention_days: 30
    anonymize_logs: true
    encrypt_sensitive_data: true
    data_minimization: true
    
    # Data types and handling
    data_handling:
      user_input:
        retention: "session_only"
        encryption: false
        anonymization: true
      context_data:
        retention: "session_only"
        encryption: true
        anonymization: false
      performance_metrics:
        retention: "7_days"
        encryption: true
        anonymization: true
      error_logs:
        retention: "30_days"
        encryption: false
        anonymization: true
        
  # Audit and Logging
  audit:
    enabled: true
    log_level: "INFO"
    log_sensitive_data: false
    log_user_agents: true
    log_ip_addresses: false  # Privacy compliance
    
    # Audit events to track
    events:
      - "user_request"
      - "authentication_failure"
      - "rate_limit_exceeded"
      - "input_validation_failure"
      - "agent_execution"
      - "system_error"
      
  # Content Filtering
  content_filtering:
    enabled: true
    filter_categories:
      - "malware"
      - "phishing"
      - "adult_content"
      - "violence"
      - "illegal_content"
    custom_filters:
      - pattern: "bank.*account"
        action: "sanitize"
      - pattern: "credit.*card"
        action: "block"
        severity: "high"
        
  # Injection Prevention
  injection_prevention:
    enabled: true
    sql_injection: true
    xss_injection: true
    command_injection: true
    path_traversal: true
    ldap_injection: true
    
  # Secure File Handling
  file_handling:
    max_file_size: "10MB"
    allowed_extensions:
      - ".txt"
      - ".json"
      - ".csv"
      - ".md"
    scan_for_malware: true
    quarantine_suspicious: true
    
  # Network Security
  network:
    allowed_domains:
      - "huggingface.co"
      - "*.huggingface.co"
      - "localhost"
      - "127.0.0.1"
    blocked_domains:
      - "*.onion"
      - "127.0.0.0/8"
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
    timeout_settings:
      connection_timeout: 30
      read_timeout: 60
      total_timeout: 300
      
  # Threat Detection
  threat_detection:
    enabled: true
    behavioral_analysis: true
    anomaly_detection: true
    ml_based_detection: false  # For privacy, disabled by default
    
    # Suspicious patterns
    suspicious_patterns:
      - pattern: "大量请求"
        threshold: 50
        timeframe: 300  # seconds
        action: "throttle"
      - pattern: "rapid_fire_requests"
        threshold: 20
        timeframe: 60
        action: "block"
      - pattern: "unusual_user_agent"
        threshold: 1
        action: "flag"
        
  # Compliance
  compliance:
    gdpr: true
    ccpa: true
    hipaa: false  # Enable only if handling medical data
    sox: false   # Enable only if in financial sector
    
  # Incident Response
  incident_response:
    enabled: true
    auto_block_malicious: true
    notify_admins: true
    log_incidents: true
    
    # Incident severity levels
    severity_levels:
      low:
        threshold: 1
        action: "log"
      medium:
        threshold: 3
        action: "throttle"
      high:
        threshold: 5
        action: "block"
      critical:
        threshold: 10
        action: "emergency_block"
        
  # API Security
  api_security:
    enabled: true
    require_api_key: false  # Set to true for production
    api_key_rotation_days: 90
    allowed_api_methods: ["GET", "POST"]
    max_request_size: "1MB"
    
  # Session Management
  session_management:
    enabled: true
    secure_cookies: true
    http_only: true
    same_site: "strict"
    session_fixation_protection: true
    
  # Vulnerability Management
  vulnerability_management:
    enabled: true
    auto_update_dependencies: true
    security_scan_frequency: "daily"
    dependency_check: true
    
  # Backup Security
  backup_security:
    enabled: true
    encrypt_backups: true
    backup_retention: "30_days"
    secure_backup_location: true
    access_controls: "admin_only"
    
  # Monitoring and Alerting
  monitoring:
    security_monitoring: true
    real_time_alerts: true
    alert_channels:
      - "log"
      - "email"  # Configure email settings
    alert_thresholds:
      failed_logins: 5
      suspicious_requests: 100
      error_rate: 10  # percentage
      
# Environment-specific overrides
environments:
  development:
    security_level: "low"
    audit_enabled: false
    rate_limiting: false
    content_filtering: false
    
  staging:
    security_level: "medium"
    audit_enabled: true
    rate_limiting: true
    content_filtering: true
    
  production:
    security_level: "high"
    audit_enabled: true
    rate_limiting: true
    content_filtering: true
    threat_detection: true
    incident_response: true
    
# Integration with Spaces
spaces_integration:
  token_validation: true
  space_access_control: true
  hf_transfer_security: true
  model_hub_validation: true
  
# Emergency Procedures
emergency_procedures:
  emergency_stop:
    enabled: true
    trigger_conditions:
      - "critical_security_threat"
      - "data_breach_detection"
      - "system_compromise"
      
  disaster_recovery:
    enabled: true
    backup_frequency: "daily"
    recovery_time_objective: 4  # hours
    recovery_point_objective: 1  # hour