pages/security/security-faq.mdx
24 additions & 0 deletions
@@ -45,6 +45,10 @@ OIDC SSO, email/password, and SCIM provisioning; MFA or passkeys can be enforced
45
45
46
46
The REST API uses Basic Auth with a pair of API keys: the public key (username) and secret key (password). These keys are created in the project settings, are hashed before storage and can be rotated. JWTs are not used.
47
47
48
+
> **How long is a session token valid before it expires?**
49
+
50
+
Session tokens are valid for 86,400 seconds (24 hours). We use JWT tokens which validate the expiry server-side, ensuring tokens expire on both the server and client.
51
+
48
52
> **How is least‑privilege enforced?**
49
53
50
54
RBAC lets you scope roles to organisation or project. See [RBAC documentation](/docs/rbac) for more details.
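Review bot: the new session-token answer ("We use JWT tokens which validate the expiry server-side") sits two lines below the unchanged statement that "JWTs are not used", which a reader will take as a contradiction; make the scope explicit in the new paragraph, e.g. "Browser session tokens are JWTs with a 24-hour expiry; the REST API does not use JWTs." Separately, server-side expiry validation only guarantees that a token stops working after 86,400 seconds; it does not say whether a session can be invalidated earlier (logout, password change, admin revocation). If that is supported, a sentence on it would answer the question a security reviewer asks next.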
@@ -55,10 +59,26 @@ RBAC lets you scope roles to organisation or project. See [RBAC documentation](/
55
59
56
60
Langfuse runs on AWS in isolated VPCs with WAF and AWS Shield for DDoS mitigation.
57
61
62
+
> **What security headers are implemented on Langfuse endpoints?**
63
+
64
+
We enforce CSP (Content Security Policy), HSTS (HTTP Strict Transport Security), and X-Frame-Options on all endpoints including [langfuse.com](https://domsignal.com/test/ea3amc5z08sh6fnovjek392ihxrb66q6) and [cloud.langfuse.com](https://domsignal.com/test/spdnv4cx0949ah3nvz5b5eapab8o2390).
65
+
58
66
> **How does Langfuse Cloud monitor its environment?**
59
67
60
68
Langfuse uses DataDog and Sentry to monitor its application and environments. All cloud audit logs are automatically written into a seperate, locked-down account. In addition, we have automated systems in place to alert us about anomalous usage.
61
69
70
+
> **What anomaly detection and security alerting capabilities are in place?**
71
+
72
+
Automatic anomaly detection is enabled using AWS GuardDuty with alerts for impossible travel and unusual API usage of service accounts and users.
73
+
74
+
> **How does Langfuse log activities in the cloud platform?**
75
+
76
+
We log failed authentication attempts in application logs and track activities in our infrastructure (AWS, ClickHouse, etc.). Application and system logs are retained in a hot store for 15 days and permanently within cold storage.
77
+
78
+
> **Does Langfuse use time synchronization for audits?**
79
+
80
+
Yes. All services run in AWS cloud, which provides both NTP (Network Time Protocol) and PTP (Precision Time Protocol) clock devices. NTP is used by default.
81
+
62
82
> **How often does Langfuse rotate its API keys?**
63
83
64
84
Langfuse uses short-lived api keys where possible. For long-lived API keys we rotate them every 90 days.
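Review bot: in the security-headers answer, the link text reads langfuse.com and cloud.langfuse.com but both hrefs point to domsignal.com test-result pages; those third-party result URLs can expire and the mismatch between text and target is misleading in a security FAQ. Either link the domains themselves or label the links as "scan result" and keep them separate from the domain names. For the logging answer, "retained in a hot store for 15 days and permanently within cold storage" leaves the cold-storage retention period undefined; if logs really are kept indefinitely, say so explicitly (auditors will ask), otherwise state the retention window and the deletion process.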
@@ -69,6 +89,10 @@ Langfuse uses short-lived api keys where possible. For long-lived API keys we ro
69
89
70
90
Every commit passes our CI pipeline of end-to-end, unit, and security tests.
71
91
92
+
> **Does Langfuse perform SAST or DAST?**
93
+
94
+
We perform SAST (Static Application Security Testing) by scanning our container images with Snyk on commits to main ([example](https://github.com/langfuse/langfuse/actions/runs/19838910104/job/56842732608)). We also run static code scans using CodeQL ([example](https://github.com/langfuse/langfuse/actions/runs/19838910102/job/56842732711)).
95
+
72
96
> **How does the Software Development Lifecycle Policy look like?**
73
97
74
98
Our Software Development Life Cycle (SDLC) policy establishes a consistent process to ensure information security is integrated at every stage of development. The process follows defined phases, including planning and design, building the software, evaluating system readiness, and executing a secure deployment. Throughout this lifecycle, we enforce secure engineering principles, provide developers with ongoing training on practices like the OWASP Top 10, and perform vulnerability scanning to protect against threats. To protect data integrity, development and testing environments are strictly segregated from our production environment, and the use of production data for testing is prohibited without explicit authorization under strict controls. We ensure secure data interoperability and portability for our customers by default, using encrypted transport and providing a secure API for data access.
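Review bot: the SAST/DAST answer describes Snyk container-image scanning as SAST, but image scanning finds known-vulnerable packages in the built image, which is dependency or image scanning rather than static analysis of the application code; the CodeQL scan is the SAST control. Reword along the lines of "We scan container images with Snyk and run static code analysis with CodeQL", and, since the question asks about DAST as well, state explicitly whether dynamic testing is performed (even "no" is a clearer answer than silence). The two "example" links point to individual GitHub Actions run pages, which disappear once log retention lapses; linking the workflow definition files in the repository would stay valid.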