Security: KyaniteLabs/liminal-sites

docs/SECURITY.md

Liminal Security Guide

Table of Contents

  1. Overview
  2. Deployment Security
  3. Environment Variables
  4. SSRF Protection
  5. Rate Limiting
  6. Sandbox Security
  7. Security Headers
  8. Incident Response

Overview

Liminal implements multiple security layers to protect against common web application vulnerabilities.

Deployment Security

Production Checklist

Before deploying to production, ensure:

  • NODE_ENV=production is set
  • LIMINAL_DISABLE_SANDBOX is false (or unset)
  • Rate limiting is configured appropriately
  • HTTPS is enabled
  • Security headers are active (verify with curl -I)
  • CSRF tokens are required for state-changing operations

Docker Security

docker run \
  --security-opt seccomp=docker/seccomp-chrome.json \
  --cap-drop=ALL \
  --cap-add=SYS_ADMIN \
  --read-only \
  --tmpfs /tmp \
  liminal

Environment Variables

Secret-Safe Runtime Boundary

Liminal Sites is public-facing, so credentials must stay out of the static site, Git history, logs, screenshots, pull requests, and generated artifacts.

  • Browser and GitHub Pages builds may contain public identifiers only, such as a PostHog project key or public asset URL.
  • Model/provider credentials (OPENAI_API_KEY, MINIMAX_API_KEY, GLM_API_KEY, OPENROUTER_API_KEY, and LIMINAL_*_API_KEY) must live only in a local shell, a local .env.* file ignored by Git, ~/.liminal/config.json, or a server-side deployment secret store.
  • Live generation must run through the local/operator process or a server-side endpoint. Do not call cloud model providers directly from browser code.
  • Logs may say whether a provider is configured, but must never print secret values, prefixes, suffixes, hashes, request bodies, provider payloads, or authorization headers.
  • Copy .env.dogfood.example to .env.dogfood for local dogfood runs. The real .env.dogfood file is ignored and must never be committed.
  • Run pnpm security:secrets before pushing any branch that touches provider/runtime, CI, docs, or examples.

PostHog note: a PostHog browser project key is not a model-provider secret, but personal PostHog API keys, webhook secrets, and ingestion proxy credentials are server-side secrets and follow the same rules above.

Security-Related Variables

| Variable | Description | Default | Security Impact |
|---|---|---|---|
| LIMINAL_DISABLE_SANDBOX | Disable Chrome sandbox | false | 🔴 High - Only in containers |
| LIMINAL_LLM_BASE_URL | LLM API endpoint | (provider) | 🟡 Medium - Validated against whitelist |
| LIMINAL_ALLOWED_HOSTS | Additional allowed hosts | (none) | 🟢 Low - Extends whitelist |
| LIMINAL_ALLOW_LOCALHOST_LLM | Allow localhost LLM | true | 🟡 Medium |
| LIMINAL_ALLOW_PRIVATE_IP_LLM | Allow private IPs | false | 🔴 High |
| LIMINAL_RATE_LIMIT_GENERAL | API rate limit | 100 | 🟢 Low |
| LIMINAL_RATE_LIMIT_EXPORT | Export rate limit | 10 | 🟢 Low |
| LIMINAL_RATE_LIMIT_SANDBOX | Sandbox rate limit | 30 | 🟢 Low |

SSRF Protection

Liminal validates all LLM URLs to prevent Server-Side Request Forgery:

Blocked by Default

  • Cloud metadata endpoints (169.254.169.254)
  • Private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
  • Link-local addresses

Whitelist

Allowed hosts include:

  • api.openai.com
  • api.minimax.io
  • api.z.ai
  • openrouter.ai
  • api.kimi.com
  • api.moonshot.ai
  • localhost (configurable)
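
The blocklist and whitelist rules above, sketched as an added example (not Liminal's own code). `validateLlmUrl` and `classifyIPv4` are hypothetical names; the env-value parsing, the HTTPS requirement for public hosts, and the blanket rejection of non-loopback IPv6 literals are assumptions.

```javascript
// Added example: hypothetical helper names; env parsing conventions are assumptions.
const DEFAULT_ALLOWED_HOSTS = ['api.openai.com', 'api.minimax.io', 'api.z.ai',
  'openrouter.ai', 'api.kimi.com', 'api.moonshot.ai'];

// Classify a canonical dotted-quad IPv4 literal; returns null for other hosts.
function classifyIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const a = Number(m[1]), b = Number(m[2]);
  if (a === 127) return 'loopback';
  if (a === 169 && b === 254) return 'link-local'; // covers 169.254.169.254
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  return 'public';
}

function validateLlmUrl(rawUrl, env = {}) {
  const deny = (reason) => ({ ok: false, reason });
  let url;
  try { url = new URL(rawUrl); } catch { return deny('unparseable URL'); }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return deny('scheme not allowed');
  // The WHATWG parser canonicalises IPv4 spellings (0x7f.1, 2130706433) to dotted quad,
  // so range checks run on url.hostname rather than on the raw string.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  const allowLocalhost = env.LIMINAL_ALLOW_LOCALHOST_LLM !== 'false'; // table default: true
  const allowPrivate = env.LIMINAL_ALLOW_PRIVATE_IP_LLM === 'true';   // table default: false
  const extra = (env.LIMINAL_ALLOWED_HOSTS || '').split(',')
    .map((h) => h.trim().toLowerCase()).filter(Boolean); // assumed comma-separated

  let kind = classifyIPv4(host);
  if (host === 'localhost' || host === '[::1]') kind = 'loopback';
  else if (host.startsWith('[')) return deny('IPv6 literal not allowed'); // conservative simplification
  if (kind === 'link-local') return deny('link-local / metadata address');
  if (kind === 'loopback') return allowLocalhost ? { ok: true, host } : deny('localhost disabled');
  if (kind === 'private') return allowPrivate ? { ok: true, host } : deny('private IP range');
  // Everything else must be an allowlisted name over HTTPS (HTTPS-only is an assumption).
  if (url.protocol !== 'https:') return deny('public hosts require https');
  if (![...DEFAULT_ALLOWED_HOSTS, ...extra].includes(host)) return deny('host not in allowlist');
  return { ok: true, host };
}
```

This checks only the host written in the URL; it does not resolve DNS, so an allowlisted name is trusted to resolve where its operator intends.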

Rate Limiting

Default limits per IP:

  • General API: 100 requests per 15 minutes
  • Export operations: 10 requests per hour
  • Sandbox operations: 30 requests per 15 minutes

Sandbox Security

Chrome sandbox is enabled by default. Only disable when:

  • Running in a Docker container
  • With proper seccomp/AppArmor profile
  • After understanding the risks

Security Headers

Liminal applies route-specific security headers rather than one universal header set:

  • PreviewServer responses include Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security, and Referrer-Policy.
  • Studio GUI/API/SSE responses include X-Content-Type-Options: nosniff, Strict-Transport-Security, Referrer-Policy, and X-Frame-Options: SAMEORIGIN.
  • Studio /preview responses include the Studio common headers plus a sandbox preview Content-Security-Policy with frame-ancestors 'self'. The route must remain same-origin iframe compatible for the live preview surface.

Incident Response

If you discover a security vulnerability:

  1. Do NOT open a public issue
  2. Email security@liminal-ai.dev with details
  3. Include reproduction steps
  4. Allow 90 days for disclosure

Security Updates

Subscribe to security advisories:

  • Watch the GitHub repository
  • Join the security mailing list

There aren't any published security advisories