Security hardening guide for Flowise deployments.
Flowise is an open-source visual low-code platform (Apache-2.0) for building AI agents. It ships with authentication and API-key controls, but a default installation is not production-ready: those controls, the network exposure and the container runtime all need to be configured deliberately before the deployment faces real users.
Default Behavior:
Secure Configuration:
Bind the container port to loopback so that only the reverse proxy on the same host can reach it:

```yaml
ports:
  - "127.0.0.1:3000:3000"
```

```bash
# Allow only specific IPs (ufw evaluates rules in order, so the allow must come before the deny)
sudo ufw allow from 192.168.1.0/24 to any port 3000
sudo ufw deny 3000/tcp
```

Ports published by Docker are inserted into Docker's own iptables chain ahead of ufw's INPUT rules, so a port published as "3000:3000" stays reachable from the network even with the deny rule above. The loopback binding is what actually keeps Flowise off the network; treat the ufw rules as defence in depth for a host-installed (non-Docker) Flowise.
With Nginx:

```nginx
server {
    listen 443 ssl http2;
    server_name flowise.example.com;

    ssl_certificate     /etc/ssl/certs/flowise.example.com.crt;
    ssl_certificate_key /etc/ssl/private/flowise.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Baseline only; a current Mozilla "intermediate" cipher list is the better starting point
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Without these Flowise sees every client as 127.0.0.1 over plain HTTP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Streaming responses: keep HTTP/1.1 and allow WebSocket upgrades
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Enable Basic Auth:

```bash
BASIC_AUTH_USERNAME=admin
# Use a long random value, e.g. the output of: openssl rand -base64 32
BASIC_AUTH_PASSWORD=secure-password-here
```
Best Practices:
Generate API Keys:
API Key Best Practices:
Flowise v3.0.13+ includes API key permissions:
Default configuration:
Secure SQLite:

```bash
# Restrict file permissions (the file must stay owned by the user Flowise runs as)
chmod 600 ~/.flowise/database.sqlite
```
Change default password:

```bash
DATABASE_PASSWORD=secure-database-password
```
Restrict network access:

```yaml
networks:
  flowise-network:
    internal: true   # No external access
```

An internal network has no route to the outside, so a service attached only to it cannot reach hosted LLM APIs. Put the database on the internal network, and attach the Flowise service both to it and to a regular network that the reverse proxy can reach; the database then stays unreachable from anything but Flowise.
Flow Storage:
API Keys:
v3.0.13+ Security Features:
Best Practices:
Configure rate limits:

```nginx
# Nginx rate limiting: the zone is declared in the http {} context,
# the limit_req directive inside the server or location that proxies to Flowise
limit_req_zone $binary_remote_addr zone=onepersecond:10m rate=1r/s;

location / {
    limit_req zone=onepersecond burst=5 nodelay;
    limit_req_status 429;   # default is 503, which clients cannot tell apart from an outage
    proxy_pass http://localhost:3000;
}
```

1r/s with a burst of 5 is a conservative starting point; a chat front end that fires several API calls per user action may need a higher rate or a separate, looser zone for the prediction endpoint.
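It is easy to misjudge what `rate=1r/s burst=5 nodelay` actually admits. The following simulation is an added example (not part of the original page or of Flowise or nginx) that replays request arrival times through the same leaky-bucket arithmetic nginx's limit_req module uses: excess is tracked in thousandths of a request, each request adds 1000, elapsed time drains `rate` per second, and a request is rejected when the excess would exceed `burst * 1000`. The arrival times are constructed; rejected requests do not update the bucket, as in nginx.

```python
from collections import Counter


def simulate_limit_req(arrivals_ms, rate_rps, burst, nodelay=True):
    """Replay request arrival times (milliseconds, non-decreasing) from one
    client key against nginx's limit_req leaky bucket.

    Returns a list of (arrival_ms, verdict, delay_ms).  With nodelay every
    accepted request is served immediately (delay 0); without it, requests
    inside the burst are queued for excess/rate seconds instead.
    """
    rate = rate_rps * 1000        # thousandths of a request per second
    burst_excess = burst * 1000   # the module stores burst in thousandths too
    excess, last = 0, None
    out = []
    for t in arrivals_ms:
        if last is None:          # first request for this key is always accepted
            last = t
            out.append((t, "pass", 0))
            continue
        elapsed = t - last
        new_excess = max(0, excess - rate * elapsed // 1000 + 1000)
        if new_excess > burst_excess:
            # Rejected: nginx leaves excess and last untouched for this key
            out.append((t, "reject", 0))
            continue
        excess, last = new_excess, t
        delay = 0 if nodelay else excess * 1000 // rate
        out.append((t, "pass", delay))
    return out


def verdict_counts(results):
    """Count passes and rejects in a simulation result."""
    return Counter(verdict for _, verdict, _ in results)


if __name__ == "__main__":
    # Ten requests in the same millisecond: 6 pass (1 + burst of 5), 4 are rejected
    burst_of_ten = simulate_limit_req([0] * 10, rate_rps=1, burst=5)
    print(verdict_counts(burst_of_ten))
    # The same burst without nodelay: everything passes but is spaced one second apart
    print(simulate_limit_req([0] * 6, rate_rps=1, burst=5, nodelay=False))
```

The takeaway for sizing: a burst of ten identical requests at the same instant gets six through, then the bucket admits one more per second; with `burst=0` the same burst gets exactly one through.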
Configure allowed origins:

```bash
CORS_ORIGINS=https://your-domain.com
```

Nginx CORS:

```nginx
add_header Access-Control-Allow-Origin https://your-domain.com;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
```

Set the origin in one place only. If Flowise already emits CORS headers from CORS_ORIGINS and nginx adds its own, the browser receives duplicate Access-Control-Allow-Origin headers and rejects the response. Note also that nginx's add_header is only applied to 2xx and 3xx responses unless the `always` flag is given, so error responses will lack the headers.
```yaml
services:
  flowise:
    read_only: true
    tmpfs:
      - /tmp
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    user: "1000:1000"
```

read_only makes the image filesystem immutable, so the Flowise data directory (the locations set by DATABASE_PATH, APIKEY_PATH, SECRETKEY_PATH and BLOB_STORAGE_PATH) must be mounted as a writable volume owned by the UID given in user:, otherwise the container fails on its first write.
```yaml
services:
  flowise:
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
        reservations:
          cpus: '2'
          memory: 2G
```

Docker Compose v2 applies deploy.resources.limits to plain (non-Swarm) deployments; the memory limit also bounds the damage from a flow that loads oversized documents.
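The container, network and credential settings above are easy to regress when a compose file is edited by hand. The following linter is an added example, not Flowise tooling: it scans a docker-compose.yml and its .env with plain regular expressions (no YAML parser, so it is a heuristic, not a schema check) and reports the weak settings this guide warns about. The two sample compose files and .env files are constructed inline; the placeholder list and the 16-character minimum for secrets are this example's own assumptions.

```python
import re

# Constructed samples for demonstration; not real deployment files.
WEAK_COMPOSE = """\
services:
  flowise:
    image: flowiseai/flowise
    ports:
      - "3000:3000"
    env_file: .env
"""
WEAK_ENV = """\
BASIC_AUTH_USERNAME=admin
BASIC_AUTH_PASSWORD=admin
DATABASE_PASSWORD=password
CORS_ORIGINS=*
"""
HARDENED_COMPOSE = """\
services:
  flowise:
    image: flowiseai/flowise
    ports:
      - "127.0.0.1:3000:3000"
    env_file: .env
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    user: "1000:1000"
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 4G
"""
HARDENED_ENV = """\
BASIC_AUTH_USERNAME=ops
BASIC_AUTH_PASSWORD=Xq7vR2pmL9wZ4tB8kQ1s
DATABASE_PASSWORD=Hn4yU8reW2qS6vC1mD3f
CORS_ORIGINS=https://app.example.com
"""

# Placeholder values (assumed list) that must never reach production.
PLACEHOLDER_SECRETS = {"admin", "password", "changeme", "flowise", "secret",
                       "secure-password-here", "secure-database-password"}
# "- 3000:3000" or "- 0.0.0.0:3000:3000": published on every interface.
ALL_IFACES_PORT = re.compile(r'^\s*-\s*["\']?(?:0\.0\.0\.0:)?\d+:\d+["\']?\s*$', re.M)


def parse_env(text):
    """Parse KEY=VALUE lines (comments and blanks ignored) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_weak_secret(value):
    return value is None or len(value) < 16 or value.lower() in PLACEHOLDER_SECRETS


def lint_compose(text):
    findings = []
    if ALL_IFACES_PORT.search(text):
        findings.append("PORT_ALL_INTERFACES")
    if not re.search(r"^\s*read_only:\s*true", text, re.M):
        findings.append("NO_READ_ONLY")
    if "no-new-privileges:true" not in text:
        findings.append("NO_NEW_PRIVS")
    if not re.search(r"cap_drop:\s*\n\s*-\s*ALL\b", text):
        findings.append("NO_CAP_DROP_ALL")
    user = re.search(r'^\s*user:\s*["\']?([^"\'\n]+)', text, re.M)
    if user is None or user.group(1).strip() in ("root", "0", "0:0"):
        findings.append("RUNS_AS_ROOT")
    if not re.search(r"^\s*limits:", text, re.M):
        findings.append("NO_RESOURCE_LIMITS")
    return findings


def lint_env(env):
    findings = []
    if "BASIC_AUTH_USERNAME" in env and is_weak_secret(env.get("BASIC_AUTH_PASSWORD")):
        findings.append("WEAK_BASIC_AUTH_PASSWORD")
    if "DATABASE_PASSWORD" in env and is_weak_secret(env["DATABASE_PASSWORD"]):
        findings.append("WEAK_DATABASE_PASSWORD")
    origins = env.get("CORS_ORIGINS")
    if origins is None:
        findings.append("CORS_UNSET")
    elif "*" in origins:
        findings.append("CORS_WILDCARD")
    return findings


def lint(compose_text, env_text):
    """All findings for a compose file plus its .env, sorted for stable output."""
    return sorted(lint_compose(compose_text) + lint_env(parse_env(env_text)))
```

Run `lint(open("docker-compose.yml").read(), open(".env").read())` from the deployment directory; an empty list means none of the checks fired. Because the compose checks are textual, a setting placed on a different service in the same file would also satisfy them, so keep Flowise in its own compose file or extend the regexes to scope to the service block.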
| Vulnerability | Status |
|---|---|
| Insecure data access | ✅ Fixed |
| DNS Rebinding/TOCTOU | ✅ Fixed |
| Mass assignments in Leads endpoint | ✅ Fixed |
| Route ordering in auth routes | ✅ Fixed |
Stay Updated:
Log configuration:

```bash
LOG_LEVEL=info
```

Monitor for:
Prometheus:

```bash
PROMETHEUS_ENABLED=true
# Expose the metrics port only on the monitoring network, never through the public proxy
PROMETHEUS_PORT=9090
```

OpenTelemetry:

```bash
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
OTEL_SERVICE_NAME=flowise
```
Update Flowise:

```bash
# NPM
npm update -g flowise

# Docker
docker compose pull flowise
docker compose up -d flowise
```
GDPR/CCPA:
Healthcare (HIPAA):
Finance (SOC 2):
```bash
# View logs
docker compose logs flowise

# Find errors
docker compose logs flowise | grep ERROR

# Find authentication failures
docker compose logs flowise | grep -i "auth.*fail"
```
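Grepping for single lines finds individual failures but not a pattern such as one client hammering the API with bad credentials. The following detector is an added example, not part of the original page or of Flowise: it parses nginx combined-format access log lines from the reverse proxy in front of Flowise, counts 401/403 responses per source IP in a sliding 60-second window, and flags any IP that reaches a threshold; it also tallies rate-limit rejections (429 or 503). The log lines, the threshold and the window size are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in nginx's combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.7 - - [10/Oct/2024:13:55:36 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "curl/8.4.0"
10.0.0.7 - - [10/Oct/2024:13:55:40 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "curl/8.4.0"
10.0.0.7 - - [10/Oct/2024:13:55:44 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "curl/8.4.0"
10.0.0.9 - - [10/Oct/2024:13:55:50 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2024:13:55:51 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "curl/8.4.0"
10.0.0.7 - - [10/Oct/2024:13:55:58 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "curl/8.4.0"
10.0.0.9 - - [10/Oct/2024:13:56:00 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:56:02 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 503 197 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:56:02 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 503 197 "-" "python-requests/2.31"
10.0.0.7 - - [10/Oct/2024:13:56:03 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 401 45 "-" "curl/8.4.0"
203.0.113.5 - - [10/Oct/2024:13:56:03 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 503 197 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:56:04 +0000] "POST /api/v1/prediction/abc123 HTTP/1.1" 503 197 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_failures_in_window(lines, window_s=60, fail_statuses=(401, 403)):
    """Per source IP, the largest number of auth failures inside any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in fail_statuses:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that aged out of the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def flag_bruteforce(lines, threshold=5, window_s=60):
    """IPs whose auth failures reached the threshold within the window (assumed limits)."""
    peaks = max_failures_in_window(lines, window_s)
    return sorted(ip for ip, n in peaks.items() if n >= threshold)


def count_rate_limited(lines, statuses=(429, 503)):
    """How many times each IP hit the proxy's rate limit."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in statuses:
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", flag_bruteforce(lines))
    print("rate limited:", count_rate_limited(lines))
```

Feed it the proxy's access log (`flag_bruteforce(open("/var/log/nginx/access.log"))`) rather than the container log, because nginx records the real client address while Flowise, behind the proxy, sees only the proxy unless X-Forwarded-For is honoured. An IP that shows up both as brute-forcing and as rate-limited is a good candidate for a firewall rule.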