Security and Authentication

Authentication

We employ API Bearer authentication to ensure that only authorized requests are processed. This mechanism verifies the identity of users and grants access based on their permissions.

API Server Configuration

The API is encapsulated in a FastAPI application configured to run under Uvicorn with Socket.IO integration for real-time capabilities. It’s designed to be scalable and performant under high-load scenarios, leveraging asynchronous server capabilities.

Security and Access Controls

• API Security: Utilizes HTTPS and API key authentication for secure data transmission.

Example API configuration in FastAPI:

from fastapi import FastAPI, APIRouter,
from tenacity import retry, stop_after_attempt, wait_exponential
from fastapi_limiter.depends import RateLimiter

@retry(wait=wait_exponential(multiplier=1, min=8, max=64), stop=stop_after_attempt(3))
@router.get(
    "/",
    dependencies=[Depends(RateLimiter(times=15, seconds=60))],
    tags=["api_v1"],
    summary="Read Main Endpoint",
)
def read_main(
    api_key: str = Depends(get_api_key),
):
    return {"msg": "Hello from FANA API V1"}

• CORS Configuration: Set through FastAPI middleware to safely allow cross-origin requests.

Example CORS configuration in FastAPI:

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Cloudflare Protection

Our API is proxied by Cloudflare, ensuring that any DDoS attacks do not reach the server. Cloudflare's advanced threat mitigation capabilities protect our infrastructure from a variety of attacks, including DDoS.

Encryption

All data is protected using SSL encryption both in transit and at rest. This encryption safeguards sensitive information from interception and unauthorized access, ensuring the confidentiality and integrity of your data.

Image Storage

Our image upload endpoint leverages Azure Blob cloud storage. Azure provides an additional layer of security for image storage and processing, ensuring that your data is safe from unauthorized access and breaches.

Database Storage

We leverage Supabase to store our vector database as embeddings. Supabase is a powerful backend-as-a-service (BaaS) platform that provides a robust and secure environment for managing database storage, particularly for vector databases.

Database Security and Authentication

Supabase ensures the security of our data through multiple layers of protection. By using Postgres as the underlying database, Supabase inherits its advanced security features, including row-level security (RLS), encryption at rest, and encryption in transit.

For authentication, Supabase offers a comprehensive suite of tools to manage user access and permissions. It supports various authentication methods such as email/password, OAuth providers (e.g., Google, GitHub, GitLab, Bitbucket), and third-party authentication via JWT tokens. This flexibility allows for seamless integration with existing user management systems.

Row Level Security (RLS)

RLS is a PostgreSQL feature that allows you to define fine-grained access control policies for rows in a table. Row-Level Encryption provides a robust security framework that combines Row Level Security (RLS) with encryption to protect your data. You can specify which users or roles can access specific rows based on conditions, such as column values or user attributes. Encryption: Supabase uses PostgreSQL’s Transparent Column Encryption (TCE) to encrypt data at rest. TCE encrypts columns individually, using a combination of symmetric and asymmetric encryption algorithms. This ensures that even if an attacker gains access to the encrypted data, they won’t be able to decrypt it without the corresponding encryption keys. Key Benefits:

Data Confidentiality

RLS ensures that only authorized users can access specific rows, while encryption protects the data from unauthorized access, even if an attacker gains access to the encrypted data. Granular access control: RLS allows you to define complex access policies based on row-level conditions, while encryption provides an additional layer of protection.

Compliance

Supabase’s RLS and encryption features help us meet regulatory requirements for data protection, such as SOC2, GDPR, HIPAA, and PCI-DSS. Supabase-specific features:

Vault

Supabase’s Vault is a secure storage system that manages encryption keys and secrets. It integrates with RLS to ensure that encryption keys are only accessible to authorized users. pgsodium: Supabase uses pgsodium, a PostgreSQL extension, to provide Transparent Column Encryption (TCE). This ensures that encryption is transparent to the application and only requires configuration at the database level. Example Use Cases:

Containerized Application

Each client's application operates within its own Docker container. This isolated environment minimizes risk by restricting access to the container’s resources to authorized users only. Each container handles its API authentication independently, providing tailored backend modules for client-specific interactions.

Benefits of Containerized Applications

• Isolation: Containers provide an isolated environment for each application, limiting the scope of potential security breaches to a single container rather than the entire host system.

• Consistent Environments: Containers ensure that applications run in the same environment, from development through production, reducing the risks associated with environmental inconsistencies.

• Minimalist Base: Containers can be created with only the necessary components required for the application, minimizing the attack surface.

• Immutability: Containers can be configured to be immutable, meaning once they are deployed, they cannot be changed. This prevents unauthorized modifications.

• Scalability and Manageability: Containers allow for easy management and scaling of applications, which simplifies patch management and security updates.

• Containerized Client Data: Client data is containerized and isolated, ensuring it does not mix with outside data, providing a high level of data security.

• Microservices Security: The use of containers is conducive to a microservices architecture, which allows for the segregation of services, reducing the impact of a potential compromise.

Our commitment to cybersecurity ensures that our API provides a safe and reliable environment for users to interact with. By leveraging modern frameworks, robust authentication methods, advanced cloud storage solutions, and containerized deployments, we provide a secure, scalable, and efficient API service.