OpenFang Security Best Practices

21 min read

The security of autonomous AI Agents cannot be overlooked. OpenFang is built with a 16-layer security defense system: 4 layers of sandbox isolation, 4 layers of network security, 4 layers of data security, and 4 layers of audit compliance. This article provides three preset configuration templates and a complete security checklist.

OpenFang Security Best Practices: A Deep Dive into 16-Layer Defense

Slug: openfang-security-best-practices Category: usage-guides Target Keywords: OpenFang security, OpenFang security configuration, Agent security best practices Search Intent: Informational (Users want to deploy OpenFang securely) Target Word Count: ~2000 words Language: en


Why is Agent Security Critical?

Autonomous AI Agents possess the power to execute commands, access the network, and read/write files—capabilities that, if left unrestricted, are a recipe for a security disaster. An unprotected Agent can be manipulated via Prompt Injection to execute dangerous commands, leak sensitive data, or be abused as a pivot point for further attacks.

OpenFang was designed with security as a core architectural pillar, offering a 16-layer security defense mechanism. This article provides a deep dive into the configuration and best practices for each layer.

Security Architecture Overview

OpenFang's 16-layer security defense is divided into four major categories:

CategoryLayersDefense Objective
Sandbox Isolation1–4Restrict the Agent's execution environment
Network Security5–8Control the Agent's network access
Data Security9–12Protect sensitive data from leakage
Audit & Compliance13–16Record and audit Agent behavior

Category 1: Sandbox Isolation

Layer 1: Filesystem Sandbox

Restrict the filesystem paths accessible to the Agent:

toml
[security.sandbox.filesystem]mode = "strict"                  # off / basic / strictallowed_paths = [    "./workspace/",    "/tmp/openfang/",]denied_paths = [    "/etc/",    "~/.ssh/",    "~/.aws/",]read_only_paths = [    "./config/",    "/usr/share/openfang/",]

In strict mode, the Agent cannot access any path not explicitly listed in allowed_paths. We recommend always creating a dedicated workspace directory for your Agents.

Layer 2: Process Sandbox

Restrict the system commands the Agent can execute:

toml
[security.sandbox.process]allow_shell = false              # Disable direct Shell accessallowed_commands = [    "git",    "curl",    "python3",    "node",]denied_commands = [    "rm",    "sudo",    "chmod",    "wget",]command_timeout = 30             # Max execution time (seconds)

allow_shell = false is a mandatory configuration for production environments. The Agent can only interact with the system via commands in the allowed_commands list.

Layer 3: Memory Limits

Prevent the Agent from exhausting system resources due to memory leaks or malicious code:

toml
[security.sandbox.memory]max_memory_mb = 512              # Agent memory limitmax_per_hand_mb = 128            # Memory limit per Handoom_policy = "kill_hand"         # kill_hand / restart / notify

Layer 4: CPU Limits

toml
[security.sandbox.cpu]max_cores = 2                    # Max 2 CPU corespriority = "low"                 # low / normal / highcfs_period_us = 100000cfs_quota_us = 50000             # 50% CPU quota

Category 2: Network Security

Layer 5: Network Isolation

Control the Agent's outbound network access:

toml
[security.network]mode = "allowlist"               # allowlist / blocklist / unrestrictedallowed_domains = [    "api.anthropic.com",    "api.openai.com",    "github.com",]allowed_ports = [443, 80]block_ip_ranges = [    "10.0.0.0/8",                # Block internal network access    "172.16.0.0/12",    "192.168.0.0/16",]dns_over_https = true            # Use encrypted DNS

Layer 6: Traffic Encryption

toml
[security.network.tls]min_version = "1.2"verify_certificates = truecertificate_pinning = [    { domain = "api.anthropic.com", pin = "sha256/..." },]

Layer 7: Rate Limiting

Prevent the Agent from being abused to send massive amounts of requests:

toml
[security.network.rate_limit]requests_per_minute = 60tokens_per_minute = 100000burst_multiplier = 2cooldown_after_exceeded = "5m"

Layer 8: Proxy and Egress Control

Route all Agent traffic through an enterprise proxy:

toml
[security.network.proxy]http_proxy = "${HTTP_PROXY}"https_proxy = "${HTTPS_PROXY}"no_proxy = ["localhost", "127.0.0.1"]enforce_proxy = true             # Force all traffic through proxy

Category 3: Data Security

Layer 9: Input Sanitization

Defend against Prompt Injection attacks:

toml
[security.data.input_guard]enabled = truemode = "strict"[security.data.input_guard.rules]detect_jailbreak = truedetect_prompt_leak = truedetect_code_injection = truemax_input_length = 8000sanitize_markdown = true

The input guard scans user input for potential injection attacks—including jailbreak prompts, prompt leakage attempts, and code injection—before the Agent processes them.

Layer 10: Output Filtering

Prevent sensitive data from leaking through Agent responses:

toml
[security.data.output_guard]enabled = true[security.data.output_guard.patterns]credit_cards = trueapi_keys = true                  # Detect and mask API key formatsemails = "mask"                  # mask / block / allowphone_numbers = "mask"custom_patterns = [    "\\b(?:sk|pk)_[a-zA-Z0-9]{32,}\\b",    "\\bAKIA[A-Z0-9]{16}\\b",   # AWS Access Key]

Layer 11: Sensitive Data Encryption

toml
[security.data.encryption]encrypt_workspace = trueencrypt_logs = truekey_derivation = "argon2id"rotation_days = 30

Layer 12: Data Minimization

toml
[security.data.minimization]log_user_inputs = false          # Do not log user inputslog_agent_outputs = false        # Do not log Agent outputsretention_days = 7               # Keep logs for 7 daysstrip_pii = true                 # Automatically remove PII

Category 4: Audit & Compliance

Layer 13: Operational Audit

toml
[security.audit]enabled = truelog_level = "info"[security.audit.events]command_execution = truefile_access = truenetwork_request = trueconfig_change = truehand_start_stop = true

Audit logs are in JSON format, containing timestamps, event types, actors, details, and results:

json
{  "timestamp": "2026-07-10T08:30:15.123Z",  "event": "command_execution",  "hand": "researcher",  "command": "git clone https://github.com/...",  "sandbox": "strict",  "result": "allowed",  "duration_ms": 1240}

Layer 14: Anomaly Detection

toml
[security.audit.anomaly_detection]enabled = truebaseline_days = 7sensitivity = "medium"           # low / medium / highalert_on = ["unusual_command", "off_hours_activity", "unusual_destination"]

Layer 15: Compliance Reporting

toml
[security.compliance]generate_reports = trueschedule = "0 0 1 * *"           # Monthly generationframeworks = ["SOC2", "ISO27001"]export_format = "pdf"

Layer 16: Incident Response

toml
[security.incident_response]auto_contain = true              # Automatically isolate Agent on anomalycontainment_action = "pause_all_hands"notify_channels = ["slack:#security", "email:[email protected]"]forensic_snapshot = true         # Save snapshot upon trigger

Quick Security Configuration Templates

Choose the preset that matches your deployment scenario:

Development Environment (Low Security)

bash
openfang security preset development

Production Environment (Standard Security)

bash
openfang security preset production

Hardened Environment (Finance/Healthcare/Government)

bash
openfang security preset hardened

Key differences between the three presets:

FeatureDevelopmentProductionHardened
Filesystembasicstrictstrict
Shell AccessAllowedDisabledDisabled
Network Modeblocklistallowlistallowlist
Output FilteringOffOnOn
Audit LogsOffOnOn
Data EncryptionOffOnOn
Anomaly DetectionOffmediumhigh
Auto-containmentOffOffOn

Security Checklist

Before deploying to production, use the openfang security audit command to verify each item:

bash
openfang security audit# Output example:# ✅ [1/16] Filesystem sandbox: strict# ✅ [2/16] Process sandbox: no shell access# ✅ [3/16] Memory limit: 512 MB# ✅ [4/16] CPU limit: 2 cores# ✅ [5/16] Network: allowlist mode# ⚠️ [6/16] TLS cert pinning: not configured# ✅ [7/16] Rate limiting: enabled# ...# Score: 14/16 — 2 recommendations pending

FAQ

What if security settings are too strict and prevent the Agent from working?
Use a gradual relaxation strategy. Start with the hardened preset and observe the Agent's behavior. For blocked operations that are necessary, use the audit logs to identify the specific item being blocked, then add it to the allowlist.
Can Prompt Injection really be defended against?
OpenFang's input guard provides multi-layered defense, but no defense is perfect. The best practice is to combine multiple layers: input sanitization + sandbox restrictions + network isolation. Even if an injection bypasses the input guard, the sandbox and network limits minimize the potential impact.
How do I layer security in containerized environments (Docker/K8s)?
OpenFang's security layers are complementary to application-level security, not a replacement. Docker's seccomp/AppArmor profiles can serve as an additional Layer 0 defense, but they should not replace OpenFang's built-in security mechanisms.
What should I do if a security incident occurs?
1. Check audit logs to determine the scope of the incident.
2. If auto_contain = true is configured, the Agent has already been isolated.
3. Download the forensic snapshot: openfang security forensics download --run-id xxx
4. Analyze the root cause and patch the vulnerability.
5. Restore from a snapshot or re-initialize the Agent.

Next Steps