# Security Recommendations for Amplihack Proxy

## Critical Security Issues

### 1. API Key Exposure (HIGH PRIORITY)

Issue: Hard-coded API keys in configuration files

Files Affected:

- amplihack_litellm_proxy.env.azure.env

Solution:

```bash
# Remove hard-coded keys and use environment variables only
export AZURE_OPENAI_KEY="your_key_here" # pragma: allowlist secret
export OPENAI_API_KEY="your_key_here" # pragma: allowlist secret
```

Update the config files to reference the environment variables instead of literal values:

```dotenv
AZURE_OPENAI_KEY=${AZURE_OPENAI_KEY}
OPENAI_API_KEY=${OPENAI_API_KEY}
```
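As an added check for the fix above (example code, not part of the Amplihack proxy), the script below scans an env file for literal values assigned to the secret keys named on this page, accepting only `${VAR}`-style references, and reads those keys from the process environment at startup so a missing variable fails loudly rather than silently falling back. The sample env contents, the function names and the `SECRET_KEYS` tuple are assumptions made for the example.

```python
import os
import re

# Keys whose values must never appear as literals in a checked-in env file (assumed list).
SECRET_KEYS = ("AZURE_OPENAI_KEY", "OPENAI_API_KEY")

# A value is acceptable only if it is a shell-style reference (${VAR} or $VAR) or empty;
# anything else is treated as a hard-coded secret.
_ENV_REF = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")


def find_hardcoded_keys(env_text: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for every secret key assigned a literal value."""
    findings = []
    for lineno, raw in enumerate(env_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        if key in SECRET_KEYS and value and not _ENV_REF.match(value):
            findings.append((lineno, key))
    return findings


def resolve_required_keys(environ=os.environ) -> dict[str, str]:
    """Read the secrets from the environment, raising if any are absent or empty."""
    missing = [k for k in SECRET_KEYS if not environ.get(k)]
    if missing:
        raise RuntimeError(f"missing required environment variables: {', '.join(missing)}")
    return {k: environ[k] for k in SECRET_KEYS}


# Constructed sample env file: one hard-coded key, one proper reference, one unrelated setting.
SAMPLE_ENV = """\
# constructed example, not a real config
AZURE_OPENAI_KEY=sk-example-hardcoded-value-0000
OPENAI_API_KEY=${OPENAI_API_KEY}
LITELLM_LOG=INFO
"""

if __name__ == "__main__":
    for lineno, key in find_hardcoded_keys(SAMPLE_ENV):
        print(f"line {lineno}: {key} has a literal value; replace it with ${{{key}}}")
```

Run it against the affected env files in CI so a literal key fails the build before it is committed.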
### 2. Tool Calling Configuration

Current Secure Settings:

- ENFORCE_ONE_TOOL_CALL_PER_RESPONSE=true ✅
- AMPLIHACK_TOOL_RETRY_ATTEMPTS=3 ✅
- Tool validation enabled ✅

Recommended Adjustments for Functionality:

```bash
# Allow multiple tool calls for complex workflows
export ENFORCE_ONE_TOOL_CALL_PER_RESPONSE=false
# Increase retry attempts for reliability
export AMPLIHACK_TOOL_RETRY_ATTEMPTS=5
# Enable tool fallback for robustness
export ENABLE_TOOL_FALLBACK=true
```
### 3. Log Filtering Configuration

Issue: Overly aggressive log filtering may hide tool execution issues

Solution:

```python
# Modify blocked_phrases to be less restrictive for debugging
blocked_phrases = [
    "selected model name for cost calculation",
    # Remove these during debugging:
    # "LiteLLM completion()",
    # "HTTP Request:",
]
```
### 4. Enhanced File Logging Security

Current Security (Already Excellent):

- Localhost-only binding ✅
- Credential sanitization ✅
- Connection limits ✅
- Proper file permissions ✅

Additional Recommendations:

- Add audit logging for tool executions
- Implement rate limiting per IP
- Add request signature validation

## Implementation Priority

- IMMEDIATE: Fix API key exposure
- HIGH: Adjust tool calling limits for functionality
- MEDIUM: Modify log filtering for debugging
- LOW: Enhanced audit logging

## Security Compliance Status

- ✅ COMPLIANT: Log streaming security
- ✅ COMPLIANT: Tool calling error handling
- ✅ COMPLIANT: Localhost binding
- ⚠️ NEEDS FIX: API key management
- ⚠️ NEEDS TUNING: Tool execution limits