Security Best Practices

Essential security practices for using ModelRed SDK safely in production

Production Security

Essential security practices to protect your ModelRed deployment and prevent common vulnerabilities in production environments.

API Key Protection

Critical Security Rules

API keys provide full access to your ModelRed account. Following these practices is essential for preventing unauthorized access and data breaches.

Essential Practices

Use Environment Variables
export MODELRED_API_KEY="mr_your_key_here"

Never hardcode keys in source code

Rotate Keys Regularly
Development: Monthly
Production: Quarterly

Never Do This

Hardcode API keys in source code
Commit keys to version control (Git)
Share keys via email or chat
Use production keys in development

Secret Management

Production Secret Storage

Use dedicated secret management services for production deployments.

AWS Secrets Manager

Secure secret storage with automatic rotation

Azure Key Vault

Microsoft Azure's secret management service

HashiCorp Vault

Self-hosted enterprise secret management

Implementation Example

PYTHON
import boto3
from modelred import ModelRed

def get_secret(secret_name: str) -> str:
    """Fetch a secret string from AWS Secrets Manager at startup; never cache it on disk."""
    client = boto3.client('secretsmanager')
    response = client.get_secret_value(SecretId=secret_name)
    return response['SecretString']

def secure_client() -> ModelRed:
    """Build a client from the stored key and enter it where it is used:
    async with secure_client() as client: ...
    (returning the client from inside an `async with` would hand back an already-closed client)."""
    return ModelRed(api_key=get_secret('modelred/prod/api-key'))

Input Validation

Validate All Inputs

Always validate user inputs before passing them to the ModelRed SDK.

Validation Example

PYTHON
import re
from modelred import ModelRed, ValidationError

def validate_model_id(model_id: str) -> bool:
    """Validate model ID format: 1-50 characters drawn from [A-Za-z0-9_-] only."""
    if not model_id or len(model_id) > 50:
        return False
    # fullmatch rather than match(...$): '$' would still accept a trailing newline
    return re.fullmatch(r'[a-zA-Z0-9_-]+', model_id) is not None

async def secure_assessment(model_id: str, test_suites: list):
    if not validate_model_id(model_id):
        raise ValidationError(f"Invalid model ID: {model_id}")

    async with ModelRed() as client:
        return await client.run_assessment(
            model_id=model_id,
            test_suites=test_suites
        )

Error Handling

🚫 Secure Error Handling

Don't Expose Sensitive Information
❌ BAD: "API key sk-abc123... is invalid"
✅ GOOD: "Authentication failed"

Secure Error Example

PYTHON
import logging
from modelred import ModelRed, ModelRedError

logger = logging.getLogger(__name__)

async def secure_operation():
    try:
        async with ModelRed() as client:
            return await client.run_assessment(
                model_id="test-model",
                test_suites=["basic_security"]
            )
    except ModelRedError as e:
        # Log only the error class; the message may echo request details or credentials
        logger.error(f"ModelRed operation failed: {type(e).__name__}")

        # Return a generic error to the user; `from None` drops the chained original
        raise Exception("Assessment failed. Please try again.") from None
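The two rules above (keys come from the environment, and error text shown to users or written to logs must not carry them) can be enforced in one place. The following is an added example, not ModelRed SDK code; it assumes keys look like the `mr_...` value shown earlier and uses no SDK types, so it runs stand-alone.

```python
import logging
import os
import re
from typing import Mapping

logger = logging.getLogger(__name__)

# Assumed key format: the docs show keys like "mr_your_key_here", so this pattern treats
# "mr_" followed by eight or more URL-safe characters as a secret (adjust to the real format).
KEY_PATTERN = re.compile(r"\bmr_[A-Za-z0-9_-]{8,}")


def mask_key(key: str) -> str:
    """Keep the prefix and last four characters so operators can tell which key was used."""
    return f"{key[:3]}****{key[-4:]}"


def redact(text: str) -> str:
    """Replace every API key inside free text (exception messages, request dumps) with a masked form."""
    return KEY_PATTERN.sub(lambda m: mask_key(m.group(0)), text)


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment and reject malformed values without echoing them."""
    key = env.get("MODELRED_API_KEY", "")
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError("MODELRED_API_KEY is missing or malformed")  # value deliberately omitted
    return key


class RedactingFormatter(logging.Formatter):
    """Log formatter that redacts keys after %-interpolation, so log args are covered too."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def format_record(msg: str, *args: object) -> str:
    """Render one log line through RedactingFormatter (helper so the behaviour is testable)."""
    record = logging.LogRecord("modelred", logging.ERROR, __file__, 0, msg, args, None)
    return RedactingFormatter("%(levelname)s %(message)s").format(record)


def safe_failure(exc: Exception) -> RuntimeError:
    """Log redacted detail for operators and return a generic error for the caller.
    Use as: raise safe_failure(e) from None   (so the original is not chained either)."""
    logger.error("ModelRed operation failed: %s: %s", type(exc).__name__, redact(str(exc)))
    return RuntimeError("Assessment failed. Please try again.")
```

Install `RedactingFormatter` on your root handler once at startup so every logger in the process is covered, not only the one in this module.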

Production Checklist

📋 Security Checklist

Before Deployment

Ongoing Maintenance

Incident Response

If Your API Key is Compromised

1. Immediately rotate the compromised API key
2. Review access logs for unauthorized usage
3. Update all systems with the new key
4. Document the incident and implement preventive measures