Fynx is designed with security as a core principle:
- Ed25519 Signatures - All packs are cryptographically signed
- Input Validation - Strict validation on all inputs
- No Code Execution - Rules are declarative, never executed
- Memory Safe - Written in Go with no unsafe operations
- Audit Trail - Full version tracking for compliance
```bash
./bin/fynx keygen --out keys/production
```

This generates:
- production.key - Private key (Ed25519, 64 bytes)
- production.pub - Public key (Ed25519, 32 bytes)
DO:
- Store private keys in secure secret management (Vault, AWS Secrets Manager, etc.)
- Use separate keys for development and production
- Rotate keys periodically
- Restrict access to private keys
DON'T:
- Commit private keys to version control
- Share private keys over insecure channels
- Use the same key across environments
- Leave private keys on build servers
Enable signature verification in production:
```bash
FYNX_PUBLIC_KEY=/keys/fynx.pub ./bin/fynx-server
```

Unsigned or tampered packs will be rejected.
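An added example (not Fynx's own code) of the fail-closed check this setting implies, written in Go: it verifies a detached Ed25519 signature over the pack bytes and rejects unsigned, tampered, and wrong-key packs. The detached-signature layout, the `VerifyPack` helper, and the sample pack are assumptions; Fynx's actual pack format is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var (
	ErrBadKey   = errors.New("public key is not 32 bytes")
	ErrUnsigned = errors.New("pack has no signature")
	ErrBadSig   = errors.New("signature does not match pack")
)

// VerifyPack checks a detached Ed25519 signature over the raw pack bytes.
// Hypothetical helper: the detached-signature layout is an assumption.
func VerifyPack(pub, pack, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize { // 32 bytes; Verify panics otherwise
		return ErrBadKey
	}
	if len(sig) == 0 {
		return ErrUnsigned
	}
	// Verify returns false for a wrong-length signature, so it fails closed.
	if !ed25519.Verify(ed25519.PublicKey(pub), pack, sig) {
		return ErrBadSig
	}
	return nil
}

// demo runs VerifyPack over constructed sample data, one case per return value.
func demo() (valid, tampered, unsigned, wrongKey error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	otherPub, _, _ := ed25519.GenerateKey(nil)
	pack := []byte("rules:\n  - id: constructed-sample\n") // constructed pack
	sig := ed25519.Sign(priv, pack)

	modified := append([]byte(nil), pack...)
	modified[0] ^= 0x01 // single-bit change after signing

	return VerifyPack(pub, pack, sig), VerifyPack(pub, modified, sig),
		VerifyPack(pub, pack, nil), VerifyPack(otherPub, pack, sig)
}

func main() {
	v, t, u, w := demo()
	fmt.Println("valid:", v, "| tampered:", t, "| unsigned:", u, "| wrong key:", w)
}
```

Distinct errors for the unsigned and tampered cases let a loader log which condition caused the rejection without ever accepting the pack.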
Configure API authentication:
```bash
FYNX_AUTH_REQUIRED=true
FYNX_AUTH_TOKENS="key1,key2,key3"
```

| Tier | Rate Limit | Use Case |
|---|---|---|
| free | 10/min | Testing |
| basic | 100/min | Small apps |
| pro | 1,000/min | Production |
| enterprise | 10,000/min | High volume |

```bash
# Header (recommended)
curl -H "X-API-Key: your-key" http://localhost:8080/v1/classify
# Bearer token
curl -H "Authorization: Bearer your-key" http://localhost:8080/v1/classify
# Query parameter (for testing only)
curl "http://localhost:8080/v1/classify?api_key=your-key"
```

| Limit | Default | Configurable |
|---|---|---|
| Max text length | 100KB | FYNX_MAX_TEXT_LENGTH |
| Max batch size | 100 | FYNX_MAX_BATCH_SIZE |
| Request timeout | 30s | FYNX_REQUEST_TIMEOUT |
- Empty text rejected
- Invalid JSON rejected
- Oversized payloads rejected (413)
- Invalid UTF-8 handled gracefully
- Null bytes stripped
```bash
FYNX_RATE_LIMIT=100 # requests per minute
FYNX_RATE_LIMIT_ENABLED=true
```

```
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1704067200
```

```json
{
  "code": "RATE_LIMITED",
  "error": "rate limit exceeded"
}
```

Always use TLS in production. Terminate TLS at:
- Load balancer (AWS ALB, nginx)
- Ingress controller (nginx-ingress, traefik)
- Service mesh (Istio, Linkerd)
Restrict access to:
- Port 8080 (HTTP API)
- Internal networks only for /metrics
Add security headers via reverse proxy:
```nginx
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'none'";
```

Fynx uses the RE2 regex engine, which:
- Guarantees linear time complexity
- Prevents ReDoS attacks
- No backtracking
- Limited features (no backreferences)
```yaml
# These will fail compilation
pattern: '(a+)+$' # Catastrophic backtracking
pattern: '(?P<n>a)\1' # Backreference
```

Fynx never logs:
- Full request text
- API keys
- Authentication tokens
- Response bodies
```json
{
  "level": "INFO",
  "msg": "request completed",
  "method": "POST",
  "path": "/v1/classify",
  "status": 200,
  "duration_ms": 5,
  "request_id": "abc123"
}
```

| Level | Description |
|---|---|
| error | Errors only |
| warn | Warnings and errors |
| info | Standard operations |
| debug | Detailed debugging |

- No PII stored
- No user tracking
- Stateless processing
- Data not persisted
- Audit logging available
- Access controls via API keys
- Encryption in transit (TLS)
- Version tracking
Every classification includes:
- Engine version
- Pack versions
- Trace ID (if provided)
- Timestamp
Report security vulnerabilities to: security@fynx.ai
Please include:
- Description of vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We follow responsible disclosure and will acknowledge within 48 hours.