# Security Setup Guide - VedaMD Enhanced

## CRITICAL: API Key Security

### Current Security Issue

Your Groq API key was found in the `.env` file. This is a security risk if the file was ever committed to version control.

### Immediate Actions Required

#### 1. Regenerate Your API Key

**DO THIS FIRST**: Your current key may be compromised.

1. Go to [Groq Console](https://console.groq.com/keys)
2. Delete the existing key: `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`
3. Generate a new API key
4. Save it securely (use a password manager)
#### 2. Secure Your Local Development

**For Local Development:**

1. Copy `.env.example` to `.env`:

   ```bash
   cp .env.example .env
   ```

2. Edit `.env` and add your NEW API key:

   ```bash
   GROQ_API_KEY=your_new_api_key_here
   ```

3. Verify `.env` is in `.gitignore` (already done)
4. Check if `.env` was ever committed to git:

   ```bash
   git log --all --full-history -- .env
   ```

5. If `.env` appears in git history, clean it:

   ```bash
   # Option 1: Using BFG Repo-Cleaner (recommended)
   # Download from: https://rtyley.github.io/bfg-repo-cleaner/
   java -jar bfg.jar --delete-files .env
   git reflog expire --expire=now --all
   git gc --prune=now --aggressive

   # Option 2: Using git-filter-repo
   git filter-repo --path .env --invert-paths
   ```

   Rewriting history removes the file from this repository, but it does not revoke the key: existing clones and forks still contain it, which is why regenerating the key (step 1) comes first.
#### 3. Configure Hugging Face Spaces

**For Production Deployment on HF Spaces:**

1. Go to your Hugging Face Space
2. Click the **Settings** tab
3. Navigate to **Repository secrets**
4. Click **Add a secret**
5. Add:
   - **Name**: `GROQ_API_KEY`
   - **Value**: Your new API key
6. Save

The app will automatically read from environment variables - no code changes needed!
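
The snippet below is an added example, not code from the VedaMD project, showing how the app can read `GROQ_API_KEY` from the environment (local `.env` or a Space secret) and fail fast when the key is missing or still holds the `.env.example` placeholder, while only ever logging a masked form of the secret. The `gsk_` prefix check is an assumption based on the format of the key shown above; the optional `python-dotenv` call is only used when that package is installed.

```python
import os
from typing import Mapping, Optional

# Assumption: Groq keys start with this prefix (matches the key format shown above).
KEY_PREFIX = "gsk_"
PLACEHOLDER = "your_new_api_key_here"  # value shipped in .env.example


def mask_secret(secret: str, visible: int = 4) -> str:
    """Return a log-safe form such as 'gsk_...QRZG' that reveals only the tail."""
    if len(secret) <= visible:
        return "*" * len(secret)
    head = KEY_PREFIX if secret.startswith(KEY_PREFIX) else ""
    return f"{head}...{secret[-visible:]}"


def load_groq_key(environ: Optional[Mapping[str, str]] = None) -> str:
    """Read and sanity-check GROQ_API_KEY; raise instead of starting with a bad key."""
    env = os.environ if environ is None else environ
    key = env.get("GROQ_API_KEY", "").strip()  # tolerate trailing newline from .env
    if not key:
        raise RuntimeError(
            "GROQ_API_KEY is not set; add it to .env locally or as a Space repository secret"
        )
    if key == PLACEHOLDER:
        raise RuntimeError("GROQ_API_KEY still holds the .env.example placeholder")
    if not key.startswith(KEY_PREFIX):
        raise RuntimeError(f"GROQ_API_KEY does not look like a Groq key: {mask_secret(key)}")
    return key


if __name__ == "__main__":
    # For local runs, load .env if python-dotenv is available; on HF Spaces the
    # secret is already in the process environment, so this is a no-op there.
    try:
        from dotenv import load_dotenv  # optional dependency
        load_dotenv()
    except ImportError:
        pass
    api_key = load_groq_key()
    print("Loaded Groq key", mask_secret(api_key))  # never print the full key
```

Call `load_groq_key()` once at startup so a misconfigured deployment fails immediately rather than on the first user query, and use `mask_secret()` anywhere the key would otherwise reach a log line.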
---

## Security Checklist

### Before Production Deployment

- [ ] Regenerate Groq API key
- [ ] Update `.env` locally with new key
- [ ] Add `GROQ_API_KEY` to HF Spaces secrets
- [ ] Verify `.env` is in `.gitignore`
- [ ] Clean `.env` from git history if needed
- [ ] Test app loads without errors
- [ ] Verify API key is NOT in any code files
- [ ] Remove old API key from password managers
- [ ] Document API key location securely

### Additional Security Measures

- [ ] Enable rate limiting (see below)
- [ ] Configure CORS properly
- [ ] Add input validation
- [ ] Set up monitoring and alerts
- [ ] Review error messages (don't expose internals)
- [ ] Implement request logging
- [ ] Add usage tracking
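
Two of the checklist items above ("Verify `.env` is in `.gitignore`" and "Verify API key is NOT in any code files") can be automated. The script below is an added example, not part of the project, that checks the `.gitignore` entry and scans the working tree for Groq-style keys; the `gsk_` key pattern is an assumption based on the key format shown earlier, and the sample repository it builds contains a constructed fake key, not a real credential.

```python
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, Tuple

# Assumption: Groq keys look like "gsk_" followed by a long alphanumeric string.
GROQ_KEY_RE = re.compile(r"\bgsk_[A-Za-z0-9]{20,}\b")
SKIP_DIRS = {".git", ".venv", "venv", "node_modules", "__pycache__"}
SKIP_FILES = {".env"}   # the one file where the real key is expected to live
MAX_BYTES = 1_000_000   # skip model weights and other large binaries


def env_is_ignored(repo: Path) -> bool:
    """True if .gitignore has an entry that covers the .env file."""
    gitignore = repo / ".gitignore"
    if not gitignore.is_file():
        return False
    entries = {line.strip() for line in gitignore.read_text(encoding="utf-8").splitlines()}
    return bool(entries & {".env", "/.env", ".env*", "*.env"})


def iter_candidate_files(repo: Path) -> Iterator[Path]:
    """Yield regular files worth scanning, skipping vendored dirs, .env and big files."""
    for path in sorted(repo.rglob("*")):
        rel = path.relative_to(repo)
        if any(part in SKIP_DIRS for part in rel.parts) or path.name in SKIP_FILES:
            continue
        if path.is_file() and path.stat().st_size <= MAX_BYTES:
            yield path


def find_leaked_keys(repo: Path) -> List[Tuple[str, int, str]]:
    """Return (relative path, line number, masked key) for every Groq-style key found."""
    hits: List[Tuple[str, int, str]] = []
    for path in iter_candidate_files(repo):
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file, not source
        rel = path.relative_to(repo).as_posix()
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in GROQ_KEY_RE.finditer(line):
                key = match.group(0)
                hits.append((rel, lineno, f"{key[:4]}...{key[-4:]}"))  # never report the full key
    return hits


def build_demo_repo() -> Path:
    """Write a constructed sample repo to a temp dir. The key inside is fake."""
    repo = Path(tempfile.mkdtemp(prefix="vedamd-scan-"))
    fake_key = "gsk_" + "A" * 22 + "TEST"  # constructed, not a real credential
    (repo / ".gitignore").write_text(".env\n__pycache__/\n", encoding="utf-8")
    (repo / ".env").write_text(f"GROQ_API_KEY={fake_key}\n", encoding="utf-8")  # expected, skipped
    (repo / "app.py").write_text(
        f"import os\nAPI_KEY = '{fake_key}'  # hard-coded key: should be flagged\n",
        encoding="utf-8",
    )
    (repo / "README.md").write_text("Set GROQ_API_KEY in your environment.\n", encoding="utf-8")
    return repo


if __name__ == "__main__":
    repo = build_demo_repo()  # replace with Path(".") to scan the real checkout
    print(".env ignored by git:", env_is_ignored(repo))
    for rel, lineno, masked in find_leaked_keys(repo):
        print(f"LEAK {rel}:{lineno} {masked}")
```

Run it from the repository root before every deployment (or as a pre-commit hook); a non-empty result from `find_leaked_keys` means a key is in a file that git would commit.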
---
## Additional Security Improvements

### Rate Limiting

The app currently has no rate limiting. This will be addressed in the next phase.

**Recommended**: Use Gradio's built-in queue and concurrency limits:

```python
# enable_queue was removed from launch() in Gradio 4; the queue is configured
# on the Blocks object before launching.
demo.queue(max_size=100)  # Queue excess requests instead of rejecting them
demo.launch(
    max_threads=40,       # Limit concurrent worker threads
)
```
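
Gradio's queue bounds total concurrency but does not stop a single client from draining the Groq quota. The code below is an added example, not Gradio's or the project's own code: a per-client sliding-window limiter with an injectable clock, plus a wrapper that refuses a call before it reaches the API. The `gr.Request` wiring in the trailing comment is an assumption about how the handler would obtain a client identifier.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window_seconds` span."""

    def __init__(self, max_requests: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._clock = clock  # injectable so tests can advance time deterministically
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, client_id: str, now: float) -> Deque[float]:
        """Drop timestamps that have fallen out of the window."""
        hits = self._hits[client_id]
        cutoff = now - self.window_seconds
        while hits and hits[0] <= cutoff:
            hits.popleft()
        return hits

    def allow(self, client_id: str) -> bool:
        now = self._clock()
        hits = self._prune(client_id, now)
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def retry_after(self, client_id: str) -> float:
        """Seconds until the oldest counted request leaves the window (0 if not limited)."""
        now = self._clock()
        hits = self._prune(client_id, now)
        if len(hits) < self.max_requests:
            return 0.0
        return max(0.0, hits[0] + self.window_seconds - now)


# Assumed policy: 20 queries per minute per client.
LIMITER = SlidingWindowLimiter(max_requests=20, window_seconds=60.0)


def guarded_answer(query: str, client_id: str, answer_fn: Callable[[str], str]) -> str:
    """Run the real handler only if the client is under its limit."""
    if not LIMITER.allow(client_id):
        wait = LIMITER.retry_after(client_id)
        return f"Too many requests; please retry in {wait:.0f} seconds."
    return answer_fn(query)


# Gradio wiring (assumption: the handler accepts a gr.Request and uses its
# client address as the key; behind the HF proxy that may be the proxy's own
# address, so a per-session token is a better key in production):
#
#   def answer(query: str, request: gr.Request) -> str:
#       return guarded_answer(query, request.client.host, run_rag_query)
```

Because the deque is pruned on every call, memory stays proportional to the number of active clients times `max_requests`, and the limiter never sleeps or blocks the Gradio worker.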
### CORS Configuration

If using the FastAPI backend, update CORS settings in `src/enhanced_backend_api.py`:

```python
# BEFORE (INSECURE):
allow_origins=["*"]

# AFTER (SECURE):
allow_origins=[
    "https://your-space-name.hf.space",
    "https://yourdomain.com"
]
```
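
A hard-coded list works, but the origins differ between local development and the Space, and a stray `*` or a path in the list silently weakens the policy. The following is an added example, not the project's code, that reads the allowlist from an environment variable (`ALLOWED_ORIGINS`, an assumed name), validates each entry as a bare https origin (http only for localhost), and installs the real `CORSMiddleware` with a narrow method and header set.

```python
import os
from typing import Dict, List, Optional
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1"}  # the only hosts allowed over plain http


def parse_allowed_origins(raw: str) -> List[str]:
    """Turn a comma-separated ALLOWED_ORIGINS value into a validated, de-duplicated list."""
    origins: List[str] = []
    for item in raw.split(","):
        origin = item.strip().rstrip("/")
        if not origin:
            continue
        if "*" in origin:
            raise ValueError("wildcard origins are not allowed; list each origin explicitly")
        parts = urlsplit(origin)
        if not parts.netloc or parts.path or parts.query or parts.fragment:
            raise ValueError(f"not a bare origin (scheme://host[:port]): {origin!r}")
        is_local_http = parts.scheme == "http" and parts.hostname in LOCAL_HOSTS
        if parts.scheme != "https" and not is_local_http:
            raise ValueError(f"only https origins are accepted outside localhost: {origin!r}")
        origins.append(f"{parts.scheme}://{parts.netloc.lower()}")
    if not origins:
        raise ValueError("ALLOWED_ORIGINS is empty; set at least one origin")
    return list(dict.fromkeys(origins))  # de-duplicate while preserving order


def cors_kwargs(origins: List[str]) -> Dict[str, object]:
    """Keyword arguments for CORSMiddleware: explicit origins, minimal methods/headers."""
    return {
        "allow_origins": origins,
        "allow_credentials": False,     # the API uses no browser cookies
        "allow_methods": ["GET", "POST"],
        "allow_headers": ["Content-Type", "Authorization"],
    }


def install_cors(app, raw: Optional[str] = None) -> List[str]:
    """Attach CORSMiddleware to a FastAPI app; returns the origins that were applied."""
    from fastapi.middleware.cors import CORSMiddleware  # imported lazily so the parser is testable alone

    value = raw if raw is not None else os.environ.get("ALLOWED_ORIGINS", "")
    origins = parse_allowed_origins(value)
    app.add_middleware(CORSMiddleware, **cors_kwargs(origins))
    return origins


# Usage in src/enhanced_backend_api.py (assumed placement):
#   app = FastAPI()
#   install_cors(app)   # ALLOWED_ORIGINS="https://your-space-name.hf.space,https://yourdomain.com"
```

Failing at startup on a bad `ALLOWED_ORIGINS` value is deliberate: a deployment that would otherwise run with an empty or wildcard policy is better caught before it serves traffic.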
### Input Validation

Add query validation in `app.py`:

```python
def validate_query(query: str) -> bool:
    """Validate user query before processing"""
    if len(query) > 1000:  # Max length
        return False
    if not query.strip():  # Empty query
        return False
    # Add more validation as needed
    return True
```
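
The boolean validator above tells the caller only that a query was rejected. The version below is an added example (not the project's code) that returns a user-safe reason and a normalized query: it folds Unicode look-alike forms with NFKC, rejects control characters other than whitespace, collapses whitespace, and applies the same 1000-character limit as the original, with the length measured after normalization so the check matches what is actually sent on.

```python
import unicodedata
from typing import NamedTuple

MAX_CHARS = 1000                         # same limit as the validator above
ALLOWED_CONTROL = {"\n", "\r", "\t"}     # whitespace controls; everything else in Cc is rejected


class ValidationResult(NamedTuple):
    ok: bool
    reason: str    # short, user-safe message; empty when ok
    cleaned: str   # normalized query to pass downstream; empty when rejected


def validate_query(query: object) -> ValidationResult:
    """Validate and normalize a user query before it reaches the RAG pipeline."""
    if not isinstance(query, str):
        return ValidationResult(False, "query must be a string", "")
    text = unicodedata.normalize("NFKC", query)  # fold compatibility forms before checks
    if any(unicodedata.category(ch) == "Cc" and ch not in ALLOWED_CONTROL for ch in text):
        return ValidationResult(False, "control characters are not allowed", "")
    text = " ".join(text.split())  # trims and collapses runs of whitespace and newlines
    if not text:
        return ValidationResult(False, "query is empty", "")
    if len(text) > MAX_CHARS:
        return ValidationResult(False, f"query exceeds {MAX_CHARS} characters", "")
    return ValidationResult(True, "", text)


# Usage in app.py (assumed handler name):
#   def answer(user_input: str) -> str:
#       ok, reason, cleaned = validate_query(user_input)
#       if not ok:
#           return reason          # user-facing text only, no internals
#       return run_rag_query(cleaned)
```

Returning `reason` to the user and logging nothing more than that keeps the "don't expose internals" checklist item intact while still telling the user what to fix.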
---

## Monitoring & Auditing

### Recommended Tools

- **Sentry**: Error tracking and monitoring
- **Prometheus**: Metrics collection
- **Grafana**: Visualization dashboards
- **HF Spaces Analytics**: Built-in usage analytics

### What to Monitor

- API request counts
- Error rates
- Response times
- API key usage/costs
- Unusual patterns (potential abuse)

---
## Support

If you have questions about security setup:

1. Check the [Hugging Face Spaces documentation](https://huggingface.co/docs/hub/spaces)
2. Review [Groq API security best practices](https://console.groq.com/docs)
3. Consult your security team if deploying in a medical environment

---

## Compliance Notes

For medical applications:

- Ensure HIPAA compliance if handling patient data
- Implement audit logging for all queries
- Add user authentication if required
- Review data retention policies
- Consult your legal team for liability considerations

**Last Updated**: 2025-10-22