OpenFang Security Best Practices: A Deep Dive into 16-Layer Defense
Slug: openfang-security-best-practices
Category: usage-guides
Target Keywords: OpenFang security, OpenFang security configuration, Agent security best practices
Search Intent: Informational (Users want to deploy OpenFang securely)
Target Word Count: ~2000 words
Language: en
Why is Agent Security Critical?
Autonomous AI Agents possess the power to execute commands, access the network, and read/write files—capabilities that, if left unrestricted, are a recipe for a security disaster. An unprotected Agent can be manipulated via Prompt Injection to execute dangerous commands, leak sensitive data, or be abused as a pivot point for further attacks.
OpenFang was designed with security as a core architectural pillar, offering a 16-layer security defense mechanism. This article provides a deep dive into the configuration and best practices for each layer.
Security Architecture Overview
OpenFang's 16-layer security defense is divided into four major categories:
| Category | Layers | Defense Objective |
|---|---|---|
| Sandbox Isolation | 1–4 | Restrict the Agent's execution environment |
| Network Security | 5–8 | Control the Agent's network access |
| Data Security | 9–12 | Protect sensitive data from leakage |
| Audit & Compliance | 13–16 | Record and audit Agent behavior |
Category 1: Sandbox Isolation
Layer 1: Filesystem Sandbox
Restrict the filesystem paths accessible to the Agent:
[security.sandbox.filesystem]mode = "strict" # off / basic / strictallowed_paths = [ "./workspace/", "/tmp/openfang/",]denied_paths = [ "/etc/", "~/.ssh/", "~/.aws/",]read_only_paths = [ "./config/", "/usr/share/openfang/",]In strict mode, the Agent cannot access any path not explicitly listed in allowed_paths. We recommend always creating a dedicated workspace directory for your Agents.
Layer 2: Process Sandbox
Restrict the system commands the Agent can execute:
[security.sandbox.process]allow_shell = false # Disable direct Shell accessallowed_commands = [ "git", "curl", "python3", "node",]denied_commands = [ "rm", "sudo", "chmod", "wget",]command_timeout = 30 # Max execution time (seconds)allow_shell = false is a mandatory configuration for production environments. The Agent can only interact with the system via commands in the allowed_commands list.
Layer 3: Memory Limits
Prevent the Agent from exhausting system resources due to memory leaks or malicious code:
[security.sandbox.memory]max_memory_mb = 512 # Agent memory limitmax_per_hand_mb = 128 # Memory limit per Handoom_policy = "kill_hand" # kill_hand / restart / notifyLayer 4: CPU Limits
[security.sandbox.cpu]max_cores = 2 # Max 2 CPU corespriority = "low" # low / normal / highcfs_period_us = 100000cfs_quota_us = 50000 # 50% CPU quotaCategory 2: Network Security
Layer 5: Network Isolation
Control the Agent's outbound network access:
[security.network]mode = "allowlist" # allowlist / blocklist / unrestrictedallowed_domains = [ "api.anthropic.com", "api.openai.com", "github.com",]allowed_ports = [443, 80]block_ip_ranges = [ "10.0.0.0/8", # Block internal network access "172.16.0.0/12", "192.168.0.0/16",]dns_over_https = true # Use encrypted DNSLayer 6: Traffic Encryption
[security.network.tls]min_version = "1.2"verify_certificates = truecertificate_pinning = [ { domain = "api.anthropic.com", pin = "sha256/..." },]Layer 7: Rate Limiting
Prevent the Agent from being abused to send massive amounts of requests:
[security.network.rate_limit]requests_per_minute = 60tokens_per_minute = 100000burst_multiplier = 2cooldown_after_exceeded = "5m"Layer 8: Proxy and Egress Control
Route all Agent traffic through an enterprise proxy:
[security.network.proxy]http_proxy = "${HTTP_PROXY}"https_proxy = "${HTTPS_PROXY}"no_proxy = ["localhost", "127.0.0.1"]enforce_proxy = true # Force all traffic through proxyCategory 3: Data Security
Layer 9: Input Sanitization
Defend against Prompt Injection attacks:
[security.data.input_guard]enabled = truemode = "strict"[security.data.input_guard.rules]detect_jailbreak = truedetect_prompt_leak = truedetect_code_injection = truemax_input_length = 8000sanitize_markdown = trueThe input guard scans user input for potential injection attacks—including jailbreak prompts, prompt leakage attempts, and code injection—before the Agent processes them.
Layer 10: Output Filtering
Prevent sensitive data from leaking through Agent responses:
[security.data.output_guard]enabled = true[security.data.output_guard.patterns]credit_cards = trueapi_keys = true # Detect and mask API key formatsemails = "mask" # mask / block / allowphone_numbers = "mask"custom_patterns = [ "\\b(?:sk|pk)_[a-zA-Z0-9]{32,}\\b", "\\bAKIA[A-Z0-9]{16}\\b", # AWS Access Key]Layer 11: Sensitive Data Encryption
[security.data.encryption]encrypt_workspace = trueencrypt_logs = truekey_derivation = "argon2id"rotation_days = 30Layer 12: Data Minimization
[security.data.minimization]log_user_inputs = false # Do not log user inputslog_agent_outputs = false # Do not log Agent outputsretention_days = 7 # Keep logs for 7 daysstrip_pii = true # Automatically remove PIICategory 4: Audit & Compliance
Layer 13: Operational Audit
[security.audit]enabled = truelog_level = "info"[security.audit.events]command_execution = truefile_access = truenetwork_request = trueconfig_change = truehand_start_stop = trueAudit logs are in JSON format, containing timestamps, event types, actors, details, and results:
{ "timestamp": "2026-07-10T08:30:15.123Z", "event": "command_execution", "hand": "researcher", "command": "git clone https://github.com/...", "sandbox": "strict", "result": "allowed", "duration_ms": 1240}Layer 14: Anomaly Detection
[security.audit.anomaly_detection]enabled = truebaseline_days = 7sensitivity = "medium" # low / medium / highalert_on = ["unusual_command", "off_hours_activity", "unusual_destination"]Layer 15: Compliance Reporting
[security.compliance]generate_reports = trueschedule = "0 0 1 * *" # Monthly generationframeworks = ["SOC2", "ISO27001"]export_format = "pdf"Layer 16: Incident Response
[security.incident_response]auto_contain = true # Automatically isolate Agent on anomalycontainment_action = "pause_all_hands"notify_channels = ["slack:#security", "email:[email protected]"]forensic_snapshot = true # Save snapshot upon triggerQuick Security Configuration Templates
Choose the preset that matches your deployment scenario:
Development Environment (Low Security)
openfang security preset developmentProduction Environment (Standard Security)
openfang security preset productionHardened Environment (Finance/Healthcare/Government)
openfang security preset hardenedKey differences between the three presets:
| Feature | Development | Production | Hardened |
|---|---|---|---|
| Filesystem | basic | strict | strict |
| Shell Access | Allowed | Disabled | Disabled |
| Network Mode | blocklist | allowlist | allowlist |
| Output Filtering | Off | On | On |
| Audit Logs | Off | On | On |
| Data Encryption | Off | On | On |
| Anomaly Detection | Off | medium | high |
| Auto-containment | Off | Off | On |
Security Checklist
Before deploying to production, use the openfang security audit command to verify each item:
openfang security audit# Output example:# ✅ [1/16] Filesystem sandbox: strict# ✅ [2/16] Process sandbox: no shell access# ✅ [3/16] Memory limit: 512 MB# ✅ [4/16] CPU limit: 2 cores# ✅ [5/16] Network: allowlist mode# ⚠️ [6/16] TLS cert pinning: not configured# ✅ [7/16] Rate limiting: enabled# ...# Score: 14/16 — 2 recommendations pendingFAQ
What if security settings are too strict and prevent the Agent from working?
hardened preset and observe the Agent's behavior. For blocked operations that are necessary, use the audit logs to identify the specific item being blocked, then add it to the allowlist.Can Prompt Injection really be defended against?
How do I layer security in containerized environments (Docker/K8s)?
What should I do if a security incident occurs?
2. If
auto_contain = true is configured, the Agent has already been isolated.3. Download the forensic snapshot:
openfang security forensics download --run-id xxx4. Analyze the root cause and patch the vulnerability.
5. Restore from a snapshot or re-initialize the Agent.
Next Steps
- OpenFang Installation & Setup Guide: Secure deployment from scratch
- OpenFang Automation Workflow Guide: Building secure automated processes