Security Features

NOMOS provides comprehensive security features to protect your AI agents in production environments. These features can be configured individually based on your security requirements.

Quick Start

Enable basic security features in your configuration:

server:
  security:
    enable_auth: true
    auth_type: jwt
    jwt_secret_key: "$JWT_SECRET_KEY"
    enable_rate_limiting: true
    redis_url: "$REDIS_URL"
    rate_limit_times: 100
    rate_limit_seconds: 60
    enable_csrf_protection: true
    csrf_secret_key: "$CSRF_SECRET_KEY"

Security Endpoints

  • Health Check: GET /health - No authentication required
  • Configuration: GET /config - Optional authentication
  • Token Generation: POST /auth/token - Generate test JWT tokens
  • Protected Endpoints: All session and chat endpoints require authentication when enabled

Environment Variables

Essential security environment variables:
Variable                Description
JWT_SECRET_KEY          Secret key for JWT token signing
CSRF_SECRET_KEY         Secret key for CSRF protection
API_KEY_VALIDATION_URL  Endpoint URL for API key validation
REDIS_URL               Redis connection URL for rate limiting

Best Practices

  1. Use environment variables for all secret keys
  2. Enable HTTPS in production
  3. Limit CORS origins to trusted domains
  4. Monitor rate limiting patterns
  5. Regularly rotate secret keys
  6. Use strong, unique secret keys (32+ characters)
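As an added example (not part of NOMOS or this page), the following pre-deployment check applies the best practices above to the Quick Start configuration: it parses the server.security block, confirms that every secret is an environment-variable reference rather than an inline value, that the referenced variables are set and at least 32 characters long, and that rate limiting is backed by a Redis URL. The parser handles only the simple nested mappings shown here; the environment passed to lint_security is assumed to be the deployment environment.

```python
SAMPLE_CONFIG = """\
server:
  security:
    enable_auth: true
    auth_type: jwt
    jwt_secret_key: "$JWT_SECRET_KEY"
    enable_rate_limiting: true
    redis_url: "$REDIS_URL"
    rate_limit_times: 100
    rate_limit_seconds: 60
    enable_csrf_protection: true
    csrf_secret_key: "$CSRF_SECRET_KEY"
"""  # constructed sample: this page's Quick Start block, verbatim

def parse_simple_yaml(text):
    """Tiny parser for nested 'key: value' mappings like the one above; scalars stay strings."""
    stack = [(-1, {})]  # (indent, mapping) pairs; index 0 is the root mapping
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:
            stack.pop()
        parent, value = stack[-1][1], value.strip().strip('"')
        parent[key] = value or {}  # a bare "key:" opens a nested mapping
        if not value:
            stack.append((indent, parent[key]))
    return stack[0][1]

def resolve(value, env):
    return env.get(value[1:], "") if value.startswith("$") else value  # expand "$NAME"

def lint_security(config, env):
    """Findings for server.security: secrets are env refs of 32+ chars; rate limiting has Redis."""
    sec = config.get("server", {}).get("security", {})
    findings = []
    def check_secret(key):
        ref = sec.get(key, "")
        if not ref.startswith("$"):
            findings.append(f"{key}: secret is inlined in config; reference an env var")
        elif len(resolve(ref, env)) < 32:
            findings.append(f"{key}: {ref} is unset or shorter than 32 characters")
    if sec.get("enable_auth") == "true" and sec.get("auth_type") == "jwt":
        check_secret("jwt_secret_key")
    if sec.get("enable_rate_limiting") == "true" and not resolve(sec.get("redis_url", ""), env):
        findings.append("redis_url: rate limiting is enabled but no Redis URL is configured")
    if sec.get("enable_csrf_protection") == "true":
        check_secret("csrf_secret_key")
    return findings
```

Run lint_security(parse_simple_yaml(open("config.yaml").read()), os.environ) in your deploy pipeline and fail the deployment when the returned list is non-empty.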