Security & Secrets Management

This document outlines the security model and secret management procedures for the Cloudflare worker.


1. Endpoint Protection

Protected by Default

All sensitive endpoints, including /llm/* and the development-only /rag/dev/*, are protected and require an API key.

  • Mechanism: The worker expects an x-api-key header on incoming requests to protected endpoints.
  • Shared Secret: The value of this header must match the API_KEY secret configured in the worker's environment.
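As an added example (not the project's worker code), this is how a module worker could implement the check just described: it assumes only the API_KEY binding named on this page, and the PROTECTED_PREFIXES, checkApiKey, keysMatch and worker names are my own.

```javascript
// Added example, not the project's code: an x-api-key gate for the protected
// prefixes named above. The env binding API_KEY comes from the page; the
// PROTECTED_PREFIXES, checkApiKey, keysMatch and worker names are assumptions.
const PROTECTED_PREFIXES = ["/llm/", "/rag/dev/"];

// /llm/* and /rag/dev/* are protected; everything else is left to the app.
function isProtectedPath(pathname) {
  return PROTECTED_PREFIXES.some(
    (prefix) => pathname === prefix.slice(0, -1) || pathname.startsWith(prefix),
  );
}

// Constant-time comparison over the UTF-8 bytes: the loop always runs over the
// longer input, so a wrong first byte costs the same as a wrong last byte.
function keysMatch(provided, expected) {
  const a = new TextEncoder().encode(provided);
  const b = new TextEncoder().encode(expected);
  const n = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < n; i++) diff |= (a[i] ?? 0) ^ (b[i] ?? 0);
  return diff === 0;
}

// Returns { ok: true } for public paths or a correct key, otherwise a verdict
// with the status the worker should send. Fails closed when API_KEY is unset.
function checkApiKey(pathname, providedKey, expectedKey) {
  if (!isProtectedPath(pathname)) return { ok: true };
  if (typeof expectedKey !== "string" || expectedKey.length === 0) {
    return { ok: false, status: 500, reason: "API_KEY secret not configured" };
  }
  if (typeof providedKey !== "string" || !keysMatch(providedKey, expectedKey)) {
    return { ok: false, status: 401, reason: "Unauthorized" };
  }
  return { ok: true };
}

// Module-worker entry point (export default { fetch } in the real script).
const worker = {
  async fetch(request, env) {
    const { pathname } = new URL(request.url);
    const verdict = checkApiKey(pathname, request.headers.get("x-api-key"), env.API_KEY);
    if (!verdict.ok) {
      // Log the outcome, never the presented key (see the Logging section).
      console.log(`denied ${pathname} status=${verdict.status}`);
      return new Response(verdict.reason, { status: verdict.status });
    }
    return new Response("ok"); // hand the request to the real /llm or /rag handler here
  },
};
```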

2. Secret Rotation

To maintain security, the API_KEY secret should be rotated periodically or if a compromise is suspected.

Rotation Procedure

  1. Generate a new secret:

    openssl rand -hex 32

  2. Update the secret in Cloudflare: Run this command for each environment (stage, prod).

    # Paste the new secret when prompted
    wrangler secret put API_KEY --env stage

  3. Update the secret in the Labeeb API: Update the CF_WORKER_API_KEY value in the API's .env file (or other secret management system).

  4. Reload the API Configuration: To apply the change without downtime, clear and recache the API's configuration.

    docker compose exec api php artisan config:cache

Logging

Never log API keys, tokens, or raw user content in production logs. The worker and API should be configured to redact sensitive information.