# 🔒 Security Setup Guide - VedaMD Enhanced

## ⚠️ CRITICAL: API Key Security

### Current Security Issue

Your Groq API key was found in the `.env` file. This is a security risk if the file was ever committed to version control.

### Immediate Actions Required

#### 1. Regenerate Your API Key

🚨 **DO THIS FIRST**: Your current key may be compromised.

1. Go to [Groq Console](https://console.groq.com/keys)
2. Delete the existing key: `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`
3. Generate a new API key
4. Save it securely (use a password manager)

#### 2. Secure Your Local Development

**For Local Development:**

1. Copy `.env.example` to `.env`:
   ```bash
   cp .env.example .env
   ```
2. Edit `.env` and add your NEW API key:
   ```bash
   GROQ_API_KEY=your_new_api_key_here
   ```
3. Verify `.env` is in `.gitignore` (already done ✅)
4. Check if `.env` was ever committed to git:
   ```bash
   git log --all --full-history -- .env
   ```
5. If `.env` appears in git history, clean it. BFG leaves the commit at `HEAD` untouched by default, so untrack the file and commit that removal before rewriting history:
   ```bash
   # Untrack .env in the current commit first (it stays on disk)
   git rm --cached .env
   git commit -m "Stop tracking .env"

   # Option 1: Using BFG Repo-Cleaner (recommended)
   # Download from: https://rtyley.github.io/bfg-repo-cleaner/
   java -jar bfg.jar --delete-files .env
   git reflog expire --expire=now --all
   git gc --prune=now --aggressive

   # Option 2: Using git-filter-repo
   git filter-repo --path .env --invert-paths
   ```
   Either option rewrites history, so push with `git push --force --all` afterwards and have collaborators re-clone. Anyone who already fetched the old history still has the key, which is why step 1 (regenerate) comes first.

#### 3. Configure Hugging Face Spaces

**For Production Deployment on HF Spaces:**

1. Go to your Hugging Face Space
2. Click **Settings** tab
3. Navigate to **Repository secrets**
4. Click **Add a secret**
5. Add:
   - **Name**: `GROQ_API_KEY`
   - **Value**: Your new API key
6. Save

The app will automatically read from environment variables - no code changes needed!
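The three steps above boil down to one rule: the key lives only in the environment (`.env` locally, a Repository secret on HF Spaces), never in code or history. The following is an added example, not part of the VedaMD project, showing how to enforce that in the app itself: fail fast when `GROQ_API_KEY` is absent, mask any key that ends up in an error message, and scan the working tree for the checklist item "Verify API key is NOT in any code files". The key pattern (`gsk_` followed by 52 alphanumerics) is an assumption inferred from the example key shown above; the file names and the `FAKE_KEY` value are constructed for the demo.

```python
"""Added example (not VedaMD project code): Groq key hygiene helpers.

Assumption: a Groq key looks like "gsk_" + 52 alphanumerics (inferred from
the key shown in this guide). All file names below are constructed.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed key shape; tighten or loosen if Groq changes its format.
GROQ_KEY_RE = re.compile(r"gsk_[A-Za-z0-9]{52}")

# Directories that never hold source we need to scan.
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv", "venv"}

# Constructed placeholder; NOT a real key.
FAKE_KEY = "gsk_" + "A" * 52


def check_env(env: Dict[str, str]) -> Optional[str]:
    """Return None if env holds a plausible GROQ_API_KEY, else a reason string."""
    key = env.get("GROQ_API_KEY", "").strip()
    if not key:
        return "GROQ_API_KEY is not set; add it to .env or to HF Spaces repository secrets"
    if not GROQ_KEY_RE.fullmatch(key):
        return "GROQ_API_KEY does not look like a Groq key (expected gsk_...)"
    return None


def load_groq_key(env: Optional[Dict[str, str]] = None) -> str:
    """Read the key from the environment (HF Spaces secrets appear there too) and fail fast.

    `env` is injectable so the function can be tested without touching os.environ.
    """
    source: Dict[str, str] = dict(os.environ) if env is None else env
    problem = check_env(source)
    if problem:
        raise RuntimeError(problem)
    return source["GROQ_API_KEY"].strip()


def redact(text: str) -> str:
    """Mask any Groq-style key inside text (e.g. an exception message) before logging or display."""
    return GROQ_KEY_RE.sub(lambda m: m.group(0)[:8] + "[REDACTED]", text)


def scan_for_keys(root: Path) -> List[Tuple[str, int]]:
    """Return (relative path, line number) for every line in `root` that contains a key.

    `.env` is skipped because it is *expected* to hold the key (and is gitignored);
    anything else that matches is a hard-coded secret. Binary files are ignored.
    """
    hits: List[Tuple[str, int]] = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or SKIP_DIRS & set(rel.parts) or path.name == ".env":
            continue
        try:
            lines = path.read_text(encoding="utf-8").splitlines()
        except UnicodeDecodeError:
            continue
        for lineno, line in enumerate(lines, start=1):
            if GROQ_KEY_RE.search(line):
                hits.append((rel.as_posix(), lineno))
    return hits


def run_demo() -> List[Tuple[str, int]]:
    """Build a constructed mini repo in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.py").write_text("api_key = '" + FAKE_KEY + "'  # hard-coded: bad\n", encoding="utf-8")
        (root / "good.py").write_text("import os\napi_key = os.environ['GROQ_API_KEY']\n", encoding="utf-8")
        (root / ".env").write_text("GROQ_API_KEY=" + FAKE_KEY + "\n", encoding="utf-8")
        (root / ".git").mkdir()
        (root / ".git" / "ORIG_HEAD").write_text(FAKE_KEY, encoding="utf-8")
        return scan_for_keys(root)


if __name__ == "__main__":
    for rel_path, line_no in run_demo():
        print(f"hard-coded key: {rel_path}:{line_no}")
    print(redact("Groq rejected key " + FAKE_KEY))
```

`scan_for_keys` is meant to run as a pre-commit hook or CI step over the checked-out tree; it does not replace cleaning git history (step 5 above), since a key already in an old commit is not in the working tree.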
---

## 📋 Security Checklist

### Before Production Deployment

- [ ] Regenerate Groq API key
- [ ] Update `.env` locally with new key
- [ ] Add `GROQ_API_KEY` to HF Spaces secrets
- [ ] Verify `.env` is in `.gitignore`
- [ ] Clean `.env` from git history if needed
- [ ] Test app loads without errors
- [ ] Verify API key is NOT in any code files
- [ ] Remove old API key from password managers
- [ ] Document API key location securely

### Additional Security Measures

- [ ] Enable rate limiting (see below)
- [ ] Configure CORS properly
- [ ] Add input validation
- [ ] Set up monitoring and alerts
- [ ] Review error messages (don't expose internals)
- [ ] Implement request logging
- [ ] Add usage tracking

---

## 🛡️ Additional Security Improvements

### Rate Limiting

The app currently has no rate limiting. This will be addressed in the next phase.

**Recommended**: Use Gradio's built-in queue and concurrency limits (Gradio 4 removed the `enable_queue` argument from `launch()`; the queue is configured with `demo.queue()` instead):

```python
demo.queue(default_concurrency_limit=40)  # Queue excess requests; at most 40 handlers run at once
demo.launch(max_threads=40)               # Limit worker threads
```

Note that these settings bound the total load on the Space; they do not stop a single client from consuming the whole budget. Per-client limiting (by IP or session) still needs to be added.

### CORS Configuration

If using the FastAPI backend, update CORS settings in `src/enhanced_backend_api.py`:

```python
from fastapi.middleware.cors import CORSMiddleware

# BEFORE (INSECURE): any website can call the API from a browser
# app.add_middleware(CORSMiddleware, allow_origins=["*"])

# AFTER (SECURE): only the deployed front-ends
app.add_middleware(
    CORSMiddleware,
    allow_origins=[
        "https://your-space-name.hf.space",
        "https://yourdomain.com",
    ],
)
```

CORS is enforced by browsers only; it does not stop scripted clients, so it complements rate limiting and authentication rather than replacing them.

### Input Validation

Add query validation in `app.py` and call it before the Groq request is made:

```python
MAX_QUERY_CHARS = 1000


def validate_query(query: str) -> bool:
    """Validate user query before processing; returns True if the query is acceptable."""
    if len(query) > MAX_QUERY_CHARS:  # Max length
        return False
    if not query.strip():  # Empty or whitespace-only query
        return False
    # Add more validation as needed
    return True
```

---

## 🔍 Monitoring & Auditing

### Recommended Tools

- **Sentry**: Error tracking and monitoring
- **Prometheus**: Metrics collection
- **Grafana**: Visualization dashboards
- **HF Spaces Analytics**: Built-in usage analytics

### What to Monitor

- API request counts
- Error rates
- Response times
- API key usage/costs
- Unusual patterns (potential abuse)

---

## 📞 Support

If you have questions about security setup:

1. Check [Hugging Face Spaces documentation](https://huggingface.co/docs/hub/spaces)
2. Review [Groq API security best practices](https://console.groq.com/docs)
3. Consult your security team if deploying in a medical environment

---

## ⚖️ Compliance Notes

For medical applications:

- Ensure HIPAA compliance if handling patient data
- Implement audit logging for all queries
- Add user authentication if required
- Review data retention policies
- Consult legal team for liability considerations

**Last Updated**: 2025-10-22
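The Rate Limiting, Input Validation and "don't expose internals" items above fit together as one gate in front of the model call. The block below is an added example, not VedaMD project code, showing a per-client token bucket combined with the guide's query validation and generic user-facing error messages. It assumes the client identity is a string such as the IP that Gradio exposes via `gr.Request.client.host`; `call_model` is a stand-in for the Groq request, and `FakeClock`, `echo_model` and `failing_model` are constructed for the demo.

```python
"""Added example (not VedaMD project code): per-client rate limit + validation gate.

Assumptions: client_id is a string (e.g. gr.Request.client.host); call_model
stands in for the Groq call. FakeClock/echo_model/failing_model are test doubles.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_QUERY_CHARS = 1000  # same bound as validate_query in this guide


def validate_query(query: str) -> Optional[str]:
    """Return None if the query is acceptable, otherwise a user-safe reason."""
    if not query or not query.strip():
        return "Query is empty."
    if len(query) > MAX_QUERY_CHARS:
        return f"Query is too long (max {MAX_QUERY_CHARS} characters)."
    if "\x00" in query:
        return "Query contains invalid characters."
    return None


@dataclass
class TokenBucket:
    """Classic token bucket: up to `capacity` requests in a burst, refilled at `refill_per_sec`."""
    capacity: float
    refill_per_sec: float
    tokens: float
    updated: float

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client id. Buckets idle longer than `idle_ttl` seconds are
    evicted so a client rotating source addresses cannot grow memory without bound."""

    def __init__(self, capacity: float = 10, refill_per_sec: float = 0.2,
                 idle_ttl: float = 600.0, clock: Callable[[], float] = time.monotonic):
        self.capacity, self.refill, self.idle_ttl, self.clock = capacity, refill_per_sec, idle_ttl, clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        for stale in [c for c, b in self.buckets.items() if now - b.updated > self.idle_ttl]:
            del self.buckets[stale]
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill, self.capacity, now)
            self.buckets[client_id] = bucket
        return bucket.allow(now)


def handle_query(limiter: RateLimiter, client_id: str, query: str,
                 call_model: Callable[[str], str]) -> Dict[str, str]:
    """Rate-limit first (cheap, and floods of invalid input still count), then validate,
    then call the model. Only generic messages reach the user; exception text never does."""
    if not limiter.allow(client_id):
        return {"status": "rate_limited", "message": "Too many requests; please slow down."}
    reason = validate_query(query)
    if reason:
        return {"status": "rejected", "message": reason}
    try:
        return {"status": "ok", "message": call_model(query.strip())}
    except Exception:
        # Log the full exception server-side (Sentry etc.); do not echo it to the client.
        return {"status": "error", "message": "The service is temporarily unavailable."}


# --- constructed test doubles ---------------------------------------------
class FakeClock:
    """Controllable clock so the limiter can be exercised without sleeping."""
    def __init__(self, start: float = 0.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def echo_model(query: str) -> str:
    return "echo:" + query


def failing_model(query: str) -> str:
    raise ValueError("internal detail with secret key material")


if __name__ == "__main__":
    clk = FakeClock()
    lim = RateLimiter(capacity=3, refill_per_sec=1.0, clock=clk)
    for _ in range(4):
        print(handle_query(lim, "10.0.0.1", "hello", echo_model))
```

On HF Spaces the app sits behind a proxy, so the address seen by Gradio may be the proxy's; only trust a forwarded-for header if the proxy is known to set it. The limiter is in-process state, which is adequate for a single Space but would need shared storage if the backend were scaled to several replicas.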