Security issues in AI agent deployments usually come from defaults left open too long. Use this checklist before onboarding real users.
Access and identity
- Enforce token auth for gateway access.
- Rotate gateway tokens on a fixed schedule.
- Disable unused channels and credentials.
- Pair only approved devices and review pairing logs weekly.
Network policy
- Restrict SSH ingress to trusted CIDR ranges.
- Avoid public SSH unless explicitly required.
- Expose app ports only through the intended proxy path; never bind them directly to a public interface.
- Use TLS at the edge whenever possible.
Control UI policy
- Keep an explicit allowedOrigins list.
- Remove stale origins after domain or port changes.
- Review origin mismatch events in logs and confirm each one is expected.
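An added example (not the project's own code) of what an explicit allowedOrigins list should mean at request time: every origin is normalized to scheme://host:port and must match exactly, so a scheme downgrade, a stale port left over from a port change, a look-alike suffix or the opaque `null` origin is rejected and reported as a mismatch. The configuration entries, the function names and the reason strings are assumptions for the demo.

```python
"""Strict Origin allowlist check for a browser-facing control UI.

Added example, not the project's own code. Assumes allowedOrigins is a list
of origin strings (scheme://host[:port]) and that the gateway has the
browser's Origin header available when it accepts the UI connection.
"""
from urllib.parse import urlsplit

# Port implied when an origin omits one, so "https://app.example.com" and
# "https://app.example.com:443" normalize to the same value.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin):
    """Return origin as scheme://host:port, or raise ValueError if malformed.

    An Origin header carries only scheme, host and optional port. Values with a
    path (a bare trailing "/" from a pasted URL is tolerated), query, fragment
    or userinfo, and the literal "null" origin, are rejected outright rather
    than loosely matched.
    """
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit lower-cases the host for us
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"malformed origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError(f"origin must be scheme://host[:port] only: {origin!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    if ":" in host:  # IPv6 literal: keep the brackets in the canonical form
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}"


def build_allowlist(allowed_origins):
    """Normalize the configured allowedOrigins once at startup.

    A bad entry raises here, so a config typo fails the deploy instead of
    silently never matching at request time.
    """
    return frozenset(normalize_origin(o) for o in allowed_origins)


def check_origin(origin, allowlist):
    """Return (allowed, reason); reason is None when the origin is allowed.

    Matching is exact on the normalized value: no prefix or suffix matching,
    so https://app.example.com.evil.net never matches https://app.example.com,
    and a stale entry with an old port never matches the current one.
    """
    if origin is None:
        return False, "origin_missing"
    try:
        normalized = normalize_origin(origin)
    except ValueError as exc:
        return False, f"origin_malformed {exc}"
    if normalized not in allowlist:
        return False, f"origin_mismatch origin={normalized}"
    return True, None


if __name__ == "__main__":
    # Hypothetical configuration for the demo.
    allowlist = build_allowlist(["https://app.example.com", "https://ops.example.com:8443"])
    for candidate in [
        "https://APP.example.com:443",        # allowed: case and default port normalize
        "https://ops.example.com:8443",       # allowed: explicit non-default port
        "http://app.example.com",             # rejected: scheme downgrade
        "https://app.example.com:8443",       # rejected: stale/changed port
        "https://app.example.com.evil.net",   # rejected: look-alike suffix
        "null",                               # rejected: opaque origin
        None,                                 # rejected: header absent
    ]:
        print(f"{str(candidate):36} -> {check_origin(candidate, allowlist)}")
```

Log the reason string from every rejection; a burst of `origin_mismatch` with the same normalized origin after a domain or port change is the signature of a stale allowlist entry, while scattered mismatches from unfamiliar origins point at probing.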
Secrets handling
- Never store provider keys in client-side storage.
- Keep secrets in environment variables or a secret manager only.
- Redact keys and tokens from operational logs.
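An added example (not the project's own code) of redaction done as a logging filter rather than by hand at each call site: the record is formatted with its arguments first and then scrubbed, so a key passed as a `%s` argument is caught as well as one embedded in the message template. The patterns are generic credential shapes chosen for the demo (bearer tokens, `key=value` pairs with secret-like names, `sk-`/`ghp_`-style prefixed keys), not the exact formats of any particular provider the page uses.

```python
"""Redact provider keys and tokens before log records reach any handler.

Added example, not the project's own code. The patterns below are generic
credential shapes chosen for the demo; extend them with the exact key
formats of the providers you actually use.
"""
import io
import logging
import re

REDACTED = "[REDACTED]"

# Applied in order: Authorization headers first, then key=value and
# "key": "value" pairs with secret-like names, then bare prefixed keys.
REDACTION_RULES = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\g<1>" + REDACTED),
    (re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}"), "Bearer " + REDACTED),
    (re.compile(r'(?i)\b(api[_-]?key|access[_-]?token|token|secret|password|passwd)'
                r'("?\s*[:=]\s*"?)[^\s"&,;]+'),
     r"\g<1>\g<2>" + REDACTED),
    (re.compile(r"\b(sk|ghp)[-_][A-Za-z0-9_-]{16,}"), REDACTED),
]


def redact(text):
    """Return text with every match of REDACTION_RULES replaced."""
    for pattern, replacement in REDACTION_RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message of a log record.

    Formatting happens before redaction and the args are cleared afterwards,
    so secrets supplied as %-style arguments cannot bypass the filter.
    """

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def install(logger=None):
    """Attach RedactingFilter to every handler of logger (root by default)."""
    logger = logger or logging.getLogger()
    for handler in logger.handlers:
        handler.addFilter(RedactingFilter())


def emit_redacted(messages):
    """Log (template, args) pairs through a filtered handler; return the lines.

    Used by the demo and tests to show the filter working on %-style args,
    not only on pre-formatted strings.
    """
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("gateway.redaction_demo")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    for template, args in messages:
        logger.info(template, *args)
    handler.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed sample messages; the key material is made up.
    for line in emit_redacted([
        ("Authorization: Bearer %s", ("eyJhbGciOiJIUzI1NiJ9.abc.def",)),
        ("provider call failed api_key=%s status=%d", ("sk-abcdefghijklmnopqrstuvwxyz0123", 401)),
        ("config dump: %s", ('{"token": "abc123def456ghi789", "user": "ops"}',)),
        ("gateway started on :%d", (8080,)),
    ]):
        print(line)
```

Attach the filter to handlers, not to the logger: logger-level filters are skipped for records that arrive through child loggers, while handler-level filters see everything the handler is about to write.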
Monitoring and recovery
- Enable a restart policy backed by a health monitor.
- Alert on repeated auth failures and restart loops.
- Keep a standard incident runbook for WebSocket close codes 1006 (abnormal closure) and 1008 (policy violation).
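An added example (not the project's own code) of the two alerting rules run over a constructed log sample: five authentication failures from one source within 60 seconds, or three gateway restarts within ten minutes, raise an alert, and a malformed line is counted and skipped rather than stopping the scan. The event names, field names and thresholds are assumptions for the demo; adapt the parse step to the fields the deployment actually emits.

```python
"""Detect repeated auth failures and restart loops in gateway logs.

Added example, not the project's own code. Log lines are constructed for the
demo as JSON objects with "ts", "event" and (for auth events) "src" fields;
the event names and thresholds are assumptions, not the gateway's schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

AUTH_FAIL_THRESHOLD = 5    # this many failures from one source ...
AUTH_FAIL_WINDOW_S = 60    # ... within this many seconds -> alert
RESTART_THRESHOLD = 3      # this many restarts ...
RESTART_WINDOW_S = 600     # ... within this many seconds -> restart loop

# Constructed sample log (RFC 5737 documentation addresses). One line is
# deliberately malformed to show it is counted and skipped, not fatal.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","event":"auth_failed","src":"203.0.113.7","reason":"bad_token"}
{"ts":"2024-05-01T10:00:05Z","event":"auth_failed","src":"203.0.113.7","reason":"bad_token"}
{"ts":"2024-05-01T10:00:09Z","event":"auth_ok","src":"198.51.100.20"}
{"ts":"2024-05-01T10:00:12Z","event":"auth_failed","src":"203.0.113.7","reason":"bad_token"}
{"ts":"2024-05-01T10:00:20Z","event":"auth_failed","src":"203.0.113.7","reason":"expired_token"}
{"ts":"2024-05-01T10:00:31Z","event":"auth_failed","src":"203.0.113.7","reason":"bad_token"}
{"ts":"2024-05-01T10:00:40Z","event":"auth_failed","src":"198.51.100.20","reason":"bad_token"}
this line is not json and must not crash the detector
{"ts":"2024-05-01T10:02:00Z","event":"gateway_restart","reason":"health_check_failed"}
{"ts":"2024-05-01T10:03:10Z","event":"gateway_restart","reason":"health_check_failed"}
{"ts":"2024-05-01T10:04:25Z","event":"gateway_restart","reason":"health_check_failed"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into epoch seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _slide(window, ts, width_s):
    """Append ts, drop entries older than width_s, return the window size."""
    window.append(ts)
    while window and ts - window[0] > width_s:
        window.popleft()
    return len(window)


def detect(lines):
    """Scan log lines in order; return (alerts, skipped_line_count).

    Each alert fires once, when its window first reaches the threshold. If the
    window drains and fills again it fires again, which is what you want for a
    recurring attack or a flapping process.
    """
    alerts = []
    skipped = 0
    failures = defaultdict(deque)   # src -> recent auth_failed timestamps
    restarts = deque()              # recent gateway_restart timestamps
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
            ts = parse_ts(event["ts"])
            kind = event["event"]
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        if kind == "auth_failed":
            src = event.get("src", "unknown")
            if _slide(failures[src], ts, AUTH_FAIL_WINDOW_S) == AUTH_FAIL_THRESHOLD:
                alerts.append({"alert": "repeated_auth_failures", "src": src,
                               "count": AUTH_FAIL_THRESHOLD, "ts": event["ts"]})
        elif kind == "gateway_restart":
            if _slide(restarts, ts, RESTART_WINDOW_S) == RESTART_THRESHOLD:
                alerts.append({"alert": "restart_loop", "count": RESTART_THRESHOLD,
                               "ts": event["ts"]})
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print(f"skipped {bad} unparseable line(s)")
```

Keyed on the source address, the single failure from 198.51.100.20 stays below threshold while 203.0.113.7 trips the rule on its fifth attempt; the restart rule is keyed on the process, since a health-monitor restart loop has no client behind it. Feed the skipped count to a separate alert, because a sudden rise in unparseable lines usually means a log-format change that has silently blinded the detector.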
Hardening is not a one-time task. Re-run this checklist after every major deployment change.