Security Best Practices

Security is a critical consideration when building applications with Infactory, especially when handling sensitive data. This guide covers essential security practices to protect your data, user information, and application integrity.

Understanding the Infactory Security Model

Infactory is designed with security in mind, providing:

  1. Data Privacy: Your data remains in your database; Infactory executes queries without storing your actual data
  2. Secure Connections: All connections between Infactory and your data sources use encrypted protocols
  3. API Key Authentication: Access to Infactory APIs is controlled via secure API keys
  4. Permission Controls: Fine-grained permissions can be applied at different levels

API Key Management

Best Practices for API Keys

Use Environment Variables

Never hardcode API keys in your application code

Rotate Keys Regularly

Periodically rotate API keys to limit risk exposure

Principle of Least Privilege

Create keys with only the permissions needed for specific functions

Monitor Key Usage

Track and audit API key usage to detect unauthorized access

Implementing API Key Storage

Backend Applications

For server-side applications, store API keys securely:

// Node.js example using dotenv for environment variables
require('dotenv').config();

const infactoryApiKey = process.env.INFACTORY_API_KEY;
const infactoryProjectId = process.env.INFACTORY_PROJECT_ID;

// Use the keys for API requests
async function queryInfactory(question) {
  const response = await fetch('https://api.infactory.ai/v1/query', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${infactoryApiKey}`
    },
    body: JSON.stringify({
      query: question,
      project_id: infactoryProjectId
    })
  });
  
  return await response.json();
}

CI/CD Environments

For CI/CD pipelines, use secure environment variables:

# GitHub Actions workflow example
name: Deploy Application

on:
  push:
    branches: [ main ]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - name: Build and test
        env:
          INFACTORY_API_KEY: ${{ secrets.INFACTORY_API_KEY }}
          INFACTORY_PROJECT_ID: ${{ secrets.INFACTORY_PROJECT_ID }}
        run: |
          npm install
          npm test
          npm run build

Secure Data Access Patterns

Backend Proxy Pattern

Never expose your Infactory API keys to client-side code. Instead, implement a backend proxy:

// Express.js backend proxy example
const express = require('express');
const axios = require('axios');
const rateLimit = require('express-rate-limit');
const router = express.Router();

// Environment variables
const INFACTORY_API_KEY = process.env.INFACTORY_API_KEY;
const INFACTORY_PROJECT_ID = process.env.INFACTORY_PROJECT_ID;

// Rate limiting to prevent abuse
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again later'
});

// Apply rate limiting to all routes in this router
router.use(apiLimiter);

// Proxy endpoint
router.post('/api/query', async (req, res) => {
  try {
    // Extract question from request
    const { question } = req.body;
    
    if (!question) {
      return res.status(400).json({ error: 'Question is required' });
    }
    
    // Validate user permissions (example - implement your own logic)
    if (!hasQueryPermission(req.user)) {
      return res.status(403).json({ error: 'Insufficient permissions' });
    }
    
    // Call Infactory API
    const response = await axios.post(
      'https://api.infactory.ai/v1/query',
      {
        query: question,
        project_id: INFACTORY_PROJECT_ID
      },
      {
        headers: {
          'Content-Type': 'application/json',
          'Authorization': `Bearer ${INFACTORY_API_KEY}`
        }
      }
    );
    
    // Return the response to the client
    res.json(response.data);
  } catch (error) {
    console.error('Error proxying to Infactory:', error.response?.data || error.message);
    
    // Return an appropriate error without leaking sensitive details
    res.status(500).json({
      error: 'Failed to process query',
      message: error.response?.data?.error || 'Unknown error'
    });
  }
});

// Helper function to check permissions
function hasQueryPermission(user) {
  // Implement your permission logic here
  return user && user.permissions && user.permissions.includes('query:execute');
}

module.exports = router;

User Authentication

Implement robust user authentication to control access to your application:

1

Implement Authentication

Use a trusted authentication service or framework, such as Auth0, AWS Cognito, or Firebase Authentication.

// Auth0 Integration Example (Express.js)
const express = require('express');
const { auth } = require('express-oauth2-jwt-bearer');

const app = express();

// Configure authentication middleware
const checkJwt = auth({
  audience: 'https://your-api-identifier',
  issuerBaseURL: 'https://your-domain.auth0.com/',
});

// Protected route
app.post('/api/query', checkJwt, async (req, res) => {
  // User is authenticated, proceed with the Infactory query
  // req.auth contains the decoded JWT payload
  
  // Your query code goes here
});
2

Implement Authorization

Add role-based or attribute-based access control to limit what data users can access.

// Example middleware for checking permissions
function checkPermission(permission) {
  return (req, res, next) => {
    // Extract user permissions from the authenticated user
    const userPermissions = req.auth.permissions || [];
    
    if (userPermissions.includes(permission)) {
      return next();
    }
    
    return res.status(403).json({
      error: 'Insufficient permissions'
    });
  };
}

// Usage in route
app.post('/api/query', 
  checkJwt, 
  checkPermission('data:read'), 
  async (req, res) => {
    // User is authenticated and authorized
    // Proceed with the query
  }
);
3

Implement User Context

Pass user context to Infactory queries to enable data filtering based on user.

// Example of adding user context to queries
app.post('/api/query', checkJwt, async (req, res) => {
  try {
    const { question } = req.body;
    const userId = req.auth.sub;
    
    // Call Infactory API with user context
    const response = await axios.post(
      'https://api.infactory.ai/v1/query',
      {
        query: question,
        project_id: INFACTORY_PROJECT_ID,
        context: {
          user_id: userId,
          user_role: getUserRole(req.auth)
        }
      },
      {
        headers: {
          'Content-Type': 'application/json',
          'Authorization': `Bearer ${INFACTORY_API_KEY}`
        }
      }
    );
    
    res.json(response.data);
  } catch (error) {
    // Error handling
  }
});

function getUserRole(auth) {
  // Extract user role from auth object
  return auth.roles[0] || 'user';
}

Data Protection

Query Parameter Validation

Always validate query parameters to prevent injection attacks:

// JavaScript validation example
function validateQueryParams(params) {
  const errors = [];
  
  // Check for required parameters
  if (!params.question || typeof params.question !== 'string' || params.question.trim() === '') {
    errors.push('Question is required and must be a non-empty string');
  }
  
  // Validate string length to prevent overly long queries
  if (params.question && params.question.length > 500) {
    errors.push('Question exceeds maximum length of 500 characters');
  }
  
  // Sanitize inputs (example - implement appropriate sanitization for your use case)
  if (params.question) {
    params.question = sanitizeInput(params.question);
  }
  
  return {
    isValid: errors.length === 0,
    errors,
    sanitizedParams: params
  };
}

function sanitizeInput(input) {
  // Implement appropriate sanitization for your use case
  // Example: remove potential SQL injection patterns
  return input
    .replace(/(\b|'|"|`)DROP(\b|'|"|`)/gi, '')
    .replace(/(\b|'|"|`)DELETE(\b|'|"|`)/gi, '')
    .replace(/(\b|'|"|`)UPDATE(\b|'|"|`)/gi, '')
    .replace(/(\b|'|"|`)INSERT(\b|'|"|`)/gi, '')
    .replace(/(\b|'|"|`)CREATE(\b|'|"|`)/gi, '')
    .replace(/(\b|'|"|`)ALTER(\b|'|"|`)/gi, '');
}

// Usage example
app.post('/api/query', (req, res) => {
  const validation = validateQueryParams(req.body);
  
  if (!validation.isValid) {
    return res.status(400).json({
      error: 'Invalid parameters',
      details: validation.errors
    });
  }
  
  // Proceed with the valid, sanitized parameters
  const sanitizedParams = validation.sanitizedParams;
  
  // Your query code here...
});

Data Filtering Strategies

Implement data filtering at multiple levels:

  1. Database Level: Set up row-level security in your database
  2. Query Level: Include user context in your queries
  3. Application Level: Filter results before presenting to users

Example: Row-Level Security in PostgreSQL

-- PostgreSQL row-level security example
-- Create a users table
CREATE TABLE users (
  id SERIAL PRIMARY KEY,
  email TEXT UNIQUE NOT NULL,
  role TEXT NOT NULL
);

-- Create a table with row-level security
CREATE TABLE customer_data (
  id SERIAL PRIMARY KEY,
  customer_id INTEGER NOT NULL,
  data JSONB NOT NULL,
  created_by INTEGER REFERENCES users(id),
  created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

-- Enable row-level security
ALTER TABLE customer_data ENABLE ROW LEVEL SECURITY;

-- Create policies
CREATE POLICY admin_policy ON customer_data
  TO admin_role
  USING (true); -- Admins can see all rows

CREATE POLICY user_policy ON customer_data
  TO user_role
  USING (created_by = (SELECT id FROM users WHERE email = current_user));

Example: Filtering in Infactory Queries

// Query with user context filtering
{
  name: "user_filtered_data",
  description: "Return data filtered by the current user's permissions",
  parameters: [
    {
      name: "user_id",
      description: "ID of the requesting user",
      type: "string",
      required: true
    },
    {
      name: "user_role",
      description: "Role of the requesting user",
      type: "string",
      required: true
    }
  ],
  slots: {
    query: `
      SELECT 
        d.id,
        d.customer_id,
        d.data
      FROM customer_data d
      JOIN users u ON d.created_by = u.id
      WHERE 1=1
        {% if user_role == 'admin' %}
          -- Admins can see all data
        {% else %}
          -- Regular users can only see their own data
          AND u.id = '{{ user_id }}'
        {% endif %}
      ORDER BY d.created_at DESC
    `
  }
}

Transport Layer Security

HTTPS Configuration

Always use HTTPS for all communications:

  1. Force HTTPS Redirect: Configure your web server to redirect all HTTP traffic to HTTPS
  2. HSTS Header: Implement HTTP Strict Transport Security to ensure all connections use HTTPS
  3. Secure Cookies: Set the Secure and HttpOnly flags on cookies

Example: Express.js HTTPS Configuration

const express = require('express');
const helmet = require('helmet');
const app = express();

// Use Helmet to set security headers
app.use(helmet());

// Force HTTPS
app.use((req, res, next) => {
  if (req.header('x-forwarded-proto') !== 'https' && process.env.NODE_ENV === 'production') {
    res.redirect(`https://${req.header('host')}${req.url}`);
  } else {
    next();
  }
});

// Set secure cookie settings
app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    secure: process.env.NODE_ENV === 'production', // Only use secure in production
    httpOnly: true,
    sameSite: 'strict'
  }
}));

Content Security Policy

Implement a Content Security Policy to prevent XSS attacks:

// Express.js with Helmet for CSP
const helmet = require('helmet');
const app = express();

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'", "https://trusted-cdn.com"],
      styleSrc: ["'self'", "https://trusted-cdn.com", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https://trusted-cdn.com"],
      connectSrc: ["'self'", "https://api.infactory.ai"],
      fontSrc: ["'self'", "https://trusted-cdn.com"],
      objectSrc: ["'none'"],
      mediaSrc: ["'self'"],
      frameSrc: ["'none'"],
      upgradeInsecureRequests: []
    }
  })
);

Monitoring and Auditing

Query Logging

Implement comprehensive logging for all queries:

// Logging middleware example
function queryLoggingMiddleware(req, res, next) {
  // Capture the original question
  const originalQuestion = req.body.question;
  
  // Get user information
  const userId = req.auth?.sub || 'anonymous';
  const userIp = req.ip;
  const userAgent = req.headers['user-agent'];
  
  // Log the request
  console.log({
    timestamp: new Date().toISOString(),
    eventType: 'query_request',
    userId,
    userIp,
    userAgent,
    question: originalQuestion
  });
  
  // Capture the original send method
  const originalSend = res.send;
  
  // Override the send method to log the response
  res.send = function(body) {
    // Parse the response body if it's a string
    let parsedBody;
    try {
      parsedBody = typeof body === 'string' ? JSON.parse(body) : body;
    } catch (e) {
      parsedBody = { error: 'Could not parse response body' };
    }
    
    // Log the response
    console.log({
      timestamp: new Date().toISOString(),
      eventType: 'query_response',
      userId,
      responseStatus: res.statusCode,
      queryUsed: parsedBody.query_used,
      executionTimeMs: parsedBody.execution_time_ms,
      resultCount: Array.isArray(parsedBody.data) ? parsedBody.data.length : 0
    });
    
    // Call the original send method
    return originalSend.call(this, body);
  };
  
  next();
}

// Apply the middleware to the query endpoint
app.post('/api/query', checkJwt, queryLoggingMiddleware, async (req, res) => {
  // Query handling code...
});

Usage Analytics

Track and analyze API usage patterns:

Track Query Volume

Monitor the number of queries over time to identify patterns and spikes

Analyze Query Types

Track which queries are most frequently used to optimize performance

Monitor Error Rates

Track query errors to identify and fix issues

User Adoption

Analyze which users or user segments are using the system

Anomaly Detection

Implement systems to detect unusual activity:

// Simple anomaly detection example
const queryStats = new Map();

function detectAnomalies(userId, queryType) {
  const now = Date.now();
  const userKey = `${userId}:${queryType}`;
  
  // Get or initialize user stats
  if (!queryStats.has(userKey)) {
    queryStats.set(userKey, {
      count: 0,
      timestamps: []
    });
  }
  
  const stats = queryStats.get(userKey);
  
  // Add the current query
  stats.count += 1;
  stats.timestamps.push(now);
  
  // Remove timestamps older than 1 hour
  stats.timestamps = stats.timestamps.filter(ts => now - ts < 3600000);
  
  // Check for anomalies
  const hourlyRate = stats.timestamps.length;
  
  // Example threshold: 100 queries per hour is suspicious
  if (hourlyRate > 100) {
    console.warn({
      timestamp: new Date().toISOString(),
      eventType: 'anomaly_detected',
      userId,
      queryType,
      hourlyRate,
      message: 'Unusually high query rate detected'
    });
    
    // Optionally, take action like temporarily rate limiting
    return true; // Anomaly detected
  }
  
  return false; // No anomaly
}

// Usage in query handler
app.post('/api/query', checkJwt, (req, res, next) => {
  const userId = req.auth.sub;
  const queryType = 'standard'; // or classify based on question
  
  if (detectAnomalies(userId, queryType)) {
    // Optionally enforce additional rate limiting or security measures
    console.log(`Enhanced monitoring enabled for user ${userId}`);
  }
  
  next();
});

Compliance Considerations

GDPR Compliance

If serving European users, ensure GDPR compliance:

Industry-Specific Compliance

Consider requirements specific to your industry:

Healthcare (HIPAA)

Implement additional safeguards for protected health information

Finance (PCI DSS)

Ensure compliance with payment card industry standards

Education (FERPA)

Protect student education records

California (CCPA/CPRA)

Comply with California privacy regulations

Security Checklist

Use this checklist to ensure you’ve implemented key security measures:

  • Store API keys in environment variables
  • Use a backend proxy to prevent client-side exposure
  • Rotate API keys periodically
  • Implement key-based access controls
  • Implement strong user authentication
  • Apply role-based or attribute-based access control
  • Validate user permissions for each query
  • Set appropriate session timeouts
  • Validate and sanitize all input parameters
  • Implement data filtering based on user context
  • Apply row-level security in your database
  • Encrypt sensitive data at rest
  • Force HTTPS for all connections
  • Implement HTTP Strict Transport Security (HSTS)
  • Configure secure cookies
  • Apply a Content Security Policy
  • Log all queries with user context
  • Implement anomaly detection
  • Set up alerts for suspicious activities
  • Regularly audit access logs
  • Document your data processing activities
  • Implement data subject access and deletion capabilities
  • Ensure compliance with regional regulations
  • Regularly review and update compliance measures

Next Steps

After implementing these security best practices, consider:

Was this page helpful?