Enterprise Security
Rate Limiting & Cost Protection
- Redis-backed sliding window per IP
- Per-tenant daily token budget (atomic Lua script)
- Per-session message limits
Attack Prevention
- Prompt injection detection with Unicode normalization
- SSRF protection (IPv4 + IPv6 blocklist)
- XSS sanitization on all user-controlled content
- CORS lockdown + CSP headers
Authentication
- Bcrypt cost-14 password hashing
- 2-hour JWT expiry
- Cross-tenant access control on all endpoints