
Security is not a feature.
It’s the architecture.


Every layer of AI.RESEARCH.MY is designed with defense in depth — from network isolation to query validation to credential encryption. Your data never leaves your infrastructure.


01

READ-ONLY DATABASE ACCESS

The AI agent can only execute SELECT, SHOW, DESCRIBE, and EXPLAIN queries. All destructive operations — INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE — are blocked at the system level before reaching your database.

KEYWORD BLOCKING

Regex validation blocks dangerous SQL keywords before query execution.

ROW LIMITS

Query results are capped at 1,000 rows to prevent data exfiltration.

PROJECT ISOLATION

Each project has its own database credentials. Users only access assigned projects.
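The read-only gate described above, as an added example (not AI.RESEARCH.MY's own code, and written in Python rather than the product's stack): the statement type is checked against the allowlist named on the page, destructive keywords are rejected by a whole-word regex, comments are stripped so they cannot hide a second statement, and results are cut at the 1,000-row cap. The keyword list beyond the page's six verbs, the `DESC` shorthand and the SQLite demo table are assumptions. Keyword filtering is coarse by nature (a string literal containing `DROP` is rejected too), so in practice it sits in front of, not instead of, a database account that only has read rights.

```python
import re
import sqlite3

# Statement types the agent may issue: the four named on the page plus the
# DESC shorthand for DESCRIBE (assumed).
ALLOWED_FIRST_TOKENS = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}

# Destructive or out-of-band keywords rejected anywhere in the statement.
# Matched as whole words, so a column named last_update is not a false hit.
BLOCKED_KEYWORDS = re.compile(
    r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|CREATE|RENAME|GRANT|REVOKE"
    r"|REPLACE|MERGE|CALL|EXEC|EXECUTE|LOAD|OUTFILE|DUMPFILE)\b",
    re.IGNORECASE,
)

ROW_CAP = 1000  # the page's row limit


def strip_comments(sql: str) -> str:
    """Remove /* */, -- and # comments so they cannot hide a second statement."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)
    sql = re.sub(r"(--|#)[^\n]*", " ", sql)
    return sql


def validate_read_only(sql: str):
    """Return (True, cleaned_sql) if the statement is read-only, else (False, reason)."""
    cleaned = strip_comments(sql).strip().rstrip(";").strip()
    if not cleaned:
        return False, "empty statement"
    if ";" in cleaned:
        # Stacked statements ("SELECT 1; DROP TABLE t") are rejected outright.
        return False, "multiple statements are not allowed"
    first = cleaned.split(None, 1)[0].upper()
    if first not in ALLOWED_FIRST_TOKENS:
        return False, f"statement type {first} is not read-only"
    hit = BLOCKED_KEYWORDS.search(cleaned)
    if hit:
        # Also catches EXPLAIN DELETE ...: EXPLAIN ANALYZE on some engines
        # actually executes the statement it explains.
        return False, f"blocked keyword {hit.group(1).upper()}"
    return True, cleaned


def run_capped(conn, sql: str, cap: int = ROW_CAP):
    """Validate, execute, and return at most `cap` rows plus a truncation flag."""
    ok, detail = validate_read_only(sql)
    if not ok:
        raise PermissionError(detail)
    cur = conn.execute(detail)
    # Fetch one row beyond the cap so truncation is detected without pulling
    # the whole result set into memory.
    rows = cur.fetchmany(cap + 1)
    return rows[:cap], len(rows) > cap


def demo_db(n_rows: int = 1500):
    """Constructed in-memory SQLite table with more rows than the cap. This is
    setup code: it writes directly to the connection and never passes the gate."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [(f"user{i}@example.test",) for i in range(n_rows)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    rows, truncated = run_capped(db, "SELECT id FROM users")
    print(len(rows), truncated)  # prints: 1000 True
    for bad in ("DELETE FROM users", "SELECT 1; DROP TABLE users"):
        print(bad, "->", validate_read_only(bad)[1])
```

The truncation flag matters for the agent: without it, a capped result looks like a complete one and the model reasons from partial data.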


02

FILE SYSTEM PROTECTION

Directory traversal attacks are prevented at the system level. Per-project blacklists block access to sensitive configuration files and directories. The agent cannot escape its sandbox.

SAFE PATH VALIDATION

All file operations pass through safePath() to prevent ../ traversal.

CONFIG BLACKLISTS

Per-project file and directory blacklists block .env, config, and credentials.

PHP EXECUTION BLOCKED

Workspace directories block PHP execution via .htaccess — static files only.
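A `safePath()`-style check and the per-project blacklist, as an added Python example (not the product's own `safePath()`): every path is joined to the workspace root and resolved, and the result must still lie under the root. Because resolution follows symlinks, a link inside the workspace that points outside it is rejected as well, which a purely textual `../` filter misses. The blacklist logic (block `.env`, `.env.*`, and anything whose stem is `config` or `credentials`) and the demo workspace are assumptions modelled on the page's wording.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

# Assumed blacklist, modelled on the page's ".env, config, and credentials";
# a real deployment loads this per project.
BLOCKED_STEMS = {"config", "credentials"}


def is_blacklisted(name: str) -> bool:
    """True for .env, .env.*, and any file or directory named config/credentials
    (with or without an extension, e.g. config.php, credentials.json)."""
    lower = name.lower()
    if lower == ".env" or lower.startswith(".env."):
        return True
    return PurePosixPath(lower).stem in BLOCKED_STEMS


def safe_path(root, user_path: str) -> Path:
    """Resolve user_path under root; raise PermissionError on escape or blacklist hit."""
    root = Path(root).resolve()
    if "\x00" in user_path:
        raise PermissionError("NUL byte in path")
    # Normalise separators, then refuse anything that is not relative.
    rel = PurePosixPath(user_path.replace("\\", "/"))
    if rel.is_absolute():
        raise PermissionError("absolute paths are not allowed")
    # resolve() collapses ../ and follows symlinks, so the containment test
    # below is made on the real target, not on the text the caller supplied.
    candidate = (root / rel).resolve()
    try:
        inside = candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{user_path!r} escapes the workspace root") from None
    for part in inside.parts:
        if is_blacklisted(part):
            raise PermissionError(f"{part!r} is on the project blacklist")
    return candidate


def is_safe(root, user_path: str) -> bool:
    """Boolean wrapper for callers that only need an allow/deny decision."""
    try:
        safe_path(root, user_path)
        return True
    except PermissionError:
        return False


def make_demo_workspace():
    """Constructed workspace: one ordinary file, one subdirectory, and a symlink
    that points outside the root. Returns (root, outside)."""
    root = Path(tempfile.mkdtemp(prefix="ws-"))
    outside = Path(tempfile.mkdtemp(prefix="outside-"))
    (root / "notes.txt").write_text("hello")
    (root / "sub").mkdir()
    (outside / "secret.txt").write_text("not for the agent")
    os.symlink(outside, root / "escape")
    return root, outside


if __name__ == "__main__":
    ws_root, _ = make_demo_workspace()
    for p in ("notes.txt", "sub/../notes.txt", "../../etc/passwd",
              "escape/secret.txt", ".env", "app/config.php"):
        print(f"{p:22} -> {'allow' if is_safe(ws_root, p) else 'deny'}")
```

The check must run on every file operation the agent performs, not only on reads; a write through a symlink is the same escape.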


03

WORKSPACE SANDBOXING

User workspaces are fully isolated. Authentication gates protect every file request. Users can only access their own workspace content, verified by session-based authentication.

SESSION AUTH

Email/password login with bcrypt hashing and session regeneration.

FILE GATING

Every workspace file request is intercepted and verified for ownership.

BRUTE-FORCE LOCKOUT

Login attempts are rate-limited with automatic lockout after 5 failures.
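Both throttles on this page, the five-failure login lockout here and the 30 requests per minute per IP rate limit under NETWORK & API SECURITY, are the same mechanism: count events per key inside a trailing window and refuse once a threshold is reached. The example below is added here and is not the product's code; the in-memory, single-process design matches the page's description, while the 15-minute lockout duration, the injectable clock and the `FakeClock` used for offline demonstration are assumptions. The bcrypt and session-regeneration parts of the login flow are not shown.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed clock for offline demonstration; production uses time.monotonic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowCounter:
    """Per-key event timestamps inside a trailing window. In-memory only, so
    counts are per process; a multi-node deployment needs shared storage."""
    def __init__(self, window_seconds, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record(self, key):
        now = self.clock()
        self._prune(key, now).append(now)

    def count(self, key):
        return len(self._prune(key, self.clock()))


class ApiRateLimiter:
    """At most `limit` requests per `window_seconds` per client IP (30/min on the page)."""
    def __init__(self, limit=30, window_seconds=60, clock=time.monotonic):
        self.limit = limit
        self.counter = SlidingWindowCounter(window_seconds, clock)

    def allow(self, client_ip):
        if self.counter.count(client_ip) >= self.limit:
            return False  # caller answers HTTP 429
        self.counter.record(client_ip)
        return True


class LoginGuard:
    """Locks an account after `max_failures` consecutive failures (5 on the page)
    for `lockout_seconds` (assumed; the page states no duration)."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lockout expired: start clean
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Call after a wrong password. Returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout
            return True
        return False

    def record_success(self, account):
        """Call after a correct password on an unlocked account: resets the counter."""
        self._failures.pop(account, None)
```

Check `is_locked()` before verifying the password and return the same generic error either way, so the response does not reveal whether the account exists or is locked.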


04

NETWORK & API SECURITY

External web fetch requests are validated against SSRF attacks. Internal IPs are blocked. API endpoints are rate-limited and authenticated. All credentials are stored encrypted and isolated from the web layer.

SSRF PROTECTION

Internal IPs (localhost, 10.x, 172.x, 192.168.x) are blocked on all web fetches.

API RATE LIMITING

30 requests per minute per IP with in-memory rate limiting on all endpoints.

CREDENTIAL ISOLATION

Config files blocked from web access via .htaccess. Secrets never exposed to the agent.
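The SSRF check from the item above, as an added Python example (not the product's implementation): the URL scheme is restricted to http/https, embedded credentials are refused, and the host is resolved to every address it maps to before any of them is accepted. The blocked set uses Python's standard address classification, which covers the page's listed ranges (loopback, 10/8, 172.16/12, 192.168/16) and also link-local, multicast, reserved and IPv4-mapped IPv6 forms; that broader set, the stub resolver and the constructed host table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_ip(ip) -> bool:
    """True for any address a web fetch must never reach: RFC 1918 ranges,
    loopback, link-local, multicast, reserved/unspecified, and IPv4-mapped
    IPv6 forms of the same."""
    ip = ipaddress.ip_address(str(ip).split("%", 1)[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return is_blocked_ip(ip.ipv4_mapped)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str):
    """Default resolver: every A/AAAA answer for host, via the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def make_stub_resolver(table):
    """Offline resolver backed by a constructed host -> [addresses] table."""
    def resolve(host):
        if host not in table:
            raise LookupError(host)
        return table[host]
    return resolve


def validate_fetch_target(url: str, resolver=system_resolver):
    """Return (True, [addresses]) if the URL may be fetched, else (False, reason).

    Every resolved address must pass, not just the first: a name that maps to
    one public and one internal address is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        try:
            addresses = resolver(host)
        except (LookupError, OSError):
            return False, f"could not resolve {host!r}"  # fail closed
    if not addresses:
        return False, "no addresses"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, addresses


# Constructed host table for the offline demonstration.
DEMO_TABLE = {
    "example.test": ["93.184.216.34"],
    "intranet.test": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "192.168.1.10"],
    "localhost": ["127.0.0.1", "::1"],
}

if __name__ == "__main__":
    resolve = make_stub_resolver(DEMO_TABLE)
    for u in ("https://example.test/report", "http://intranet.test/",
              "http://rebind.test/", "http://[::ffff:127.0.0.1]/"):
        print(u, "->", validate_fetch_target(u, resolve))
```

The returned address list exists so the fetch can be pinned to the address that was checked; resolving the name a second time at connect time, and following redirects without re-running the check, would reopen the gap the check is meant to close.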


Security is a conversation,
not a checkbox.

We’re happy to walk through our security architecture in detail. Reach out to discuss your specific requirements.