This guide covers security best practices for hardening your Dify deployment.
# Generate secure API keys
# 32 cryptographically random bytes, printed as 64 hex characters.
# Run it once per secret and per environment; never reuse one value across keys or deployments.
openssl rand -hex 32
# Rotate keys regularly
# Store keys in secure vault (not in code)
Configure user roles:
Always use HTTPS in production:
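# Nginx reverse proxy example
# Redirect plain HTTP to HTTPS so no session ever starts unencrypted
server {
    listen 80;
    server_name dify.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name dify.example.com;
    ssl_certificate /etc/ssl/certs/dify.crt;
    ssl_certificate_key /etc/ssl/private/dify.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # "HIGH:!aNULL:!MD5" still admits legacy CBC and RSA-key-exchange suites;
    # restrict TLS 1.2 to AEAD suites with forward secrecy (TLS 1.3 suites are fixed by OpenSSL)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # Tell browsers to keep using HTTPS for this host (HSTS)
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Let the backend see the full proxy chain and that the client used HTTPS,
        # so generated links and secure cookies are not downgraded to http://
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}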
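# Allow only necessary ports
# Start from default-deny inbound so anything not listed below is closed
ufw default deny incoming
ufw default allow outgoing
ufw allow 443/tcp # HTTPS
# SSH: limit to the admin network instead of the whole internet
# (ADMIN_CIDR is a placeholder; 203.0.113.0/24 is a documentation range)
ufw allow from "${ADMIN_CIDR:?set to your admin network, e.g. 203.0.113.0/24}" to any port 22 proto tcp # SSH
# Block direct database access
ufw deny 5432/tcp
ufw deny 6379/tcp
# NOTE: Docker inserts its own iptables rules ahead of ufw, so a container port
# published with "ports:" in docker-compose.yml stays reachable despite these
# deny rules. Keep Postgres/Redis unpublished, or bind them to 127.0.0.1.
# Rules only take effect once the firewall is enabled (ufw enable).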
# docker-compose.yml
# A user-defined bridge network keeps Dify's containers off Docker's default
# bridge; only services attached to it can reach each other by service name.
networks:
  dify-network:
    driver: bridge
    ipam:
      config:
        # Fixed subnet keeps container addresses predictable for host firewall
        # rules — change it if it collides with an existing network on the host.
        - subnet: 172.20.0.0/16
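-- Create dedicated user with limited privileges
-- <DB_PASSWORD> is a placeholder: generate the value (e.g. openssl rand) and
-- supply it from a secret store rather than keeping this file with a real value.
CREATE USER dify WITH PASSWORD '<DB_PASSWORD>';
GRANT CONNECT ON DATABASE dify TO dify;
GRANT USAGE ON SCHEMA public TO dify;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO dify;
-- serial/identity columns also need sequence privileges, or INSERTs fail
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO dify;
-- "ON ALL TABLES" only covers objects that exist now; make future ones match.
-- Without FOR ROLE this applies to objects created by the role running this
-- script; add "FOR ROLE <owner>" if another role creates the tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO dify;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO dify;
-- Revoke unnecessary privileges
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
-- NOTE: if the application's own schema migrations run as this role they also
-- need CREATE ON SCHEMA public; prefer a separate migration role so the
-- runtime role stays DML-only.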
Enable database encryption:
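# PostgreSQL TDE (Enterprise)
# Or use filesystem encryption
# Encrypt backups: compress BEFORE encrypting — ciphertext does not compress,
# and the pipeline order then matches the extension order (.sql.gz.gpg).
# pipefail: without it a failed pg_dump still leaves a "successful" empty file.
set -o pipefail
pg_dump dify | gzip | gpg --encrypt --recipient backup-key > backup.sql.gz.gpg
# Store backups securely
# Use separate backup location
# Test restore procedures regularly (including decryption with the backup key)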
Configure rate limiting to prevent abuse:
RATE_LIMIT_ENABLED=true
# 100 requests per 60-second window (per client, presumably — confirm in the docs)
RATE_LIMIT_REQUESTS=100
RATE_LIMIT_WINDOW=60 # seconds
# Restrict to trusted domains only
# Never use "*" here while credentials are allowed: browsers reject that
# combination, and reflecting arbitrary Origins instead would let other sites
# make authenticated requests to the API.
CORS_ORIGINS=https://your-domain.com
CORS_ALLOW_CREDENTIALS=true
# NOTE(review): confirm these variable names against the .env.example shipped
# with the deployed Dify release before relying on them.
Never commit secrets to version control:
# Add to .gitignore
.env
.env.local
.env.production
# Ignoring only prevents future commits: a secret that was ever committed is
# still in history and must be rotated (and the history scrubbed).
# Use secrets management
# HashiCorp Vault
# AWS Secrets Manager
# Azure Key Vault
# docker-compose.yml
# File-based secrets are mounted into the container at /run/secrets/<name>
# instead of being passed as environment variables, which show up in
# `docker inspect` and process listings. Keep ./secrets/ out of version control
# and readable only by the deploying user.
secrets:
  db_password:
    file: ./secrets/db_password.txt
  redis_password:
    file: ./secrets/redis_password.txt
services:
  db:
    secrets:
      - db_password
    # NOTE(review): the service must also be told to read the file — for the
    # official postgres image that is POSTGRES_PASSWORD_FILE=/run/secrets/db_password;
    # confirm against the image in use. redis_password is declared above but is
    # not attached to any service here.
LOG_LEVEL=INFO
# Structured logs are easier to ship to a SIEM and to alert on
LOG_FORMAT=json
AUDIT_LOG_ENABLED=true
# The audit log is evidence: keep it on a path the service can append to but
# ordinary users cannot read or truncate, and forward it off-host.
AUDIT_LOG_PATH=/var/log/dify/audit.log
# NOTE(review): confirm these variable names against the release's .env.example.
Watch for:
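# Regularly update Dify
# Deploy a reviewed release tag rather than the moving head of the tracked
# branch, and take a backup first so a failed upgrade can be rolled back.
set -e
git fetch --tags
git checkout "${DIFY_RELEASE:?set to the release tag you have reviewed}"
# Check that the compose file pins image tags (not :latest) before pulling
docker compose pull
docker compose up -d
# Monitor security advisories
# Subscribe to GitHub security notifications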
If using code execution features:
# Enable sandbox
SANDBOX_ENABLED=true
# Presumably keeps executed code off the internal network (db/redis) — confirm
SANDBOX_NETWORK=isolated
# Limit resources so runaway or malicious code cannot starve the host
SANDBOX_CPU_LIMIT=1
SANDBOX_MEMORY_LIMIT=512M
# NOTE(review): confirm these names against the sandbox service's configuration
# in the release's compose file and .env.example.
Configure data retention policies:
# Conversation retention
# Retained data is exposure: keep only what the use case and regulation require
CONVERSATION_RETENTION_DAYS=90
# Log retention
# 30 days is short for incident investigation; if audit logs fall under this
# setting, keep them longer or forward them off-host before they expire.
LOG_RETENTION_DAYS=30