Enterprise Security
67 security controls protecting your AI agent and your visitors
BPract Agents has been through seven rounds of security audits, resulting in 67 implemented security controls. The platform protects against prompt injection, SSRF attacks, XSS via sanitized rendering, rate limiting at multiple levels, token budget enforcement, and secure API key handling. Every admin endpoint requires authentication, every resource access is verified, and every user input is sanitized.
A layered security diagram showing input validation, rate limiting, authentication, SSRF protection, prompt injection detection, and token budget enforcement across the BPract platform.
Key Benefits
Why Enterprise Security matters for your business.
Prompt injection detection analyzes visitor messages and blocks attempts to manipulate the AI system prompt
SSRF protection validates all URLs before the server makes any outbound requests
XSS prevention through Shadow DOM isolation and the esc() sanitization helper in widget rendering
Multi-level rate limiting protects against abuse at the IP, session, and tenant levels
Token budget enforcement caps daily AI usage per tenant to prevent runaway costs
Secure API key storage with encryption and no client-side exposure
Defense in Depth
BPract Agents uses a defense-in-depth strategy where security controls are layered at every level of the stack. Input from visitors is validated and sanitized before reaching the AI. API endpoints are protected by authentication, authorization, and rate limiting. Outbound requests from actions are checked against SSRF rules. The widget uses Shadow DOM to prevent DOM-based attacks. Admin routes require authenticated sessions with role-based permissions. This multi-layered approach means that even if one control is bypassed, others catch the threat.
Key Security Controls
- Prompt injection detection scans every visitor message for known attack patterns and jailbreak attempts before sending to the LLM
- Rate limiting at IP, session, and tenant levels prevents automated abuse and denial-of-service attacks
- SSRF validation ensures webhook URLs and action endpoints cannot target internal network resources
- The esc() helper function sanitizes all dynamic content before rendering in the widget, preventing stored and reflected XSS
- Token budget enforcement tracks daily token usage per tenant and gracefully limits when the budget is exhausted
- All admin endpoints require Depends(get_current_admin) authentication with RBAC role verification
- CORS is dynamically configured per tenant domain, preventing unauthorized cross-origin access
- Security headers including Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security are set on all responses
Audit History
The 67 security controls are the result of seven comprehensive audit rounds conducted throughout the platform development. Each audit round identified potential vulnerabilities and resulted in concrete fixes. The controls are documented, tested, and continuously enforced through code review policies. New features go through a security checklist before deployment to ensure no existing controls are weakened or bypassed.
Frequently Asked Questions
Common questions about Enterprise Security.
How does BPract Agents protect against prompt injection?
Is visitor data encrypted?
Can I configure rate limits for my AI agent?
Related Features
Explore more capabilities of BPract Agents.
Experience Enterprise Security
See how Enterprise Security can transform your website. Start your free trial today.