This guide outlines practical hardening controls for CORTEXA daemon and container deployments.
flowchart TD
NET[Network boundary and TLS proxy] --> AUTH[Daemon token authentication]
AUTH --> RATE[Rate limiting]
RATE --> VALID[Input bounds and validation]
VALID --> RUNTIME[Container sandboxing]
RUNTIME --> RESP[Monitoring and incident response]
| Layer | Primary controls | Failure mode reduced |
|---|---|---|
| Edge/network | TLS proxy, ACLs, private exposure | unauthorized internet reachability |
| Identity | CORTEXA_DAEMON_TOKEN, metrics auth |
unauthenticated API access |
| Abuse control | request window and max limits | brute-force and burst overload |
| Input safety | bounded parsing and body limits | malformed/oversized payload impact |
| Runtime isolation | non-root containers, capability minimization | container breakout blast radius |
| Detection and response | logs, metrics, token rotation | slow detection and prolonged incidents |
- Set
CORTEXA_DAEMON_TOKENto a strong random secret in non-local environments. - Keep
CORTEXA_METRICS_REQUIRE_AUTH=trueso/metricsis not publicly exposed. - Avoid exposing daemon ports directly to the public internet.
Recommended minimum:
- bind daemon behind a reverse proxy with TLS
- enforce network ACLs
- rotate daemon tokens on schedule
Daemon includes built-in request rate limiting.
Controls:
CORTEXA_DAEMON_RATE_LIMIT_ENABLED(defaulttrue)CORTEXA_DAEMON_RATE_LIMIT_WINDOW_MS(default60000)CORTEXA_DAEMON_RATE_LIMIT_MAX(default240)
Tune these based on expected client concurrency and threat model.
Current protections include:
- bounded payload parsing (
toBoundedInt,toBoundedNumber,toTrimmedString) - JSON syntax handling with explicit
400responses - safe defaults for route options and limits
Recommended operator controls:
- keep
CORTEXA_DAEMON_BODY_LIMITconservative for your workload - reject unknown fields at gateway/API-proxy layers for strict schemas
- add WAF rules for abusive request patterns
Current container baseline:
- non-root runtime user in
Dockerfile - persistent data under scoped volume path
- explicit exposed ports and healthcheck
Recommended production hardening:
- run with read-only root filesystem when possible
- drop unnecessary Linux capabilities
- apply memory/CPU limits
- use seccomp/apparmor profiles
- avoid mounting host Docker socket
- Never commit real secrets into
.envor source control. - Prefer secret stores (e.g., Azure Key Vault, Vault, GH Environments, etc.).
- Ensure token values are injected at runtime, not baked into images.
- Keep
CORTEXA_MCP_ENABLE_MUTATIONS=falsefor read-only assistants. - If enabling mutation tools, isolate MCP clients per environment (dev/staging/prod).
- Audit tool-call activity through daemon structured logs and request IDs.
- Monitor:
cortexa_daemon_http_requests_totalcortexa_daemon_http_request_duration_secondscortexa_daemon_self_healing_runs_total
- Alert on sustained 401/429 spikes or abnormal self-healing
erroroutcomes. - Rotate credentials and review recent request IDs during incident triage.