Security hardening guide for Jan deployments.
Jan is an open-source application (Apache-2.0) that runs locally on your hardware. While it provides excellent privacy by keeping data local, proper security configuration is essential for networked deployments.
Default Behavior:
For Remote Access:
Bind to Specific Interface:
Use Reverse Proxy:
Firewall Rules:
```bash
# Allow only the trusted subnet to reach the Jan API port (adjust the range to your LAN)
sudo ufw allow from 192.168.1.0/24 to any port 1337
# Deny everyone else. ufw matches rules in order, so the allow rule must come first.
sudo ufw deny 1337/tcp
```
With Nginx Reverse Proxy:
```nginx
# Virtual host for Jan, included from the http { } context (e.g. /etc/nginx/sites-enabled/jan.conf)
server {
    listen 443 ssl http2;
    server_name jan.example.com;

    ssl_certificate     /etc/ssl/certs/jan.example.com.crt;
    ssl_certificate_key /etc/ssl/private/jan.example.com.key;

    # Strong SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: current browsers ignore it and rely on Content-Security-Policy instead
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        # Jan listens on localhost only; nginx terminates TLS and forwards plain HTTP
        proxy_pass http://localhost:1337;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rate limiting (zone defined in the http { } context below)
        limit_req zone=onepersecond burst=5 nodelay;
    }
}
```

The rate-limiting zone must be declared in the `http { }` context (e.g. in /etc/nginx/nginx.conf), not inside the server block:
```nginx
http {
    # One request per second per client address, 10 MB of state for tracking clients
    limit_req_zone $binary_remote_addr zone=onepersecond:10m rate=1r/s;
}
```
Enable authentication for remote API access:
Configuration:
Usage:
```bash
# Replace your-api-key with the key configured in Jan; over the network this must only be sent over TLS
curl http://localhost:1337/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-api-key" \
  -d '{"model": "jan-v1", "messages": [...]}'
```
Only download models from trusted sources:
Trusted Sources:
Verify Model Integrity:
Always verify model licenses before use:
| Model Family | Typical License | Commercial Use |
|---|---|---|
| Llama 3 | Llama Community License | ✅ Yes (with restrictions) |
| Mistral | Apache-2.0 | ✅ Yes |
| Gemma | Gemma License | ✅ Yes (with restrictions) |
| Qwen | Apache-2.0 / Qwen License | ✅ Yes (check specific model) |
| Custom GGUF | Varies | Check source |
Some quantizations may have security implications:
| Quantization | Security Note |
|---|---|
| Q4_K_M+ | Generally safe |
| Q2_K | May produce unexpected outputs |
| Unknown sources | Verify before use |
Jan keeps data local by default:
Privacy Features:
Verify Privacy:
Configuration Location:
- Windows: `C:\Users\<Username>\AppData\Roaming\Jan`
- macOS: `~/Library/Application Support/Jan`
- Linux: `~/.config/Jan`

Secure Configuration Files:
```bash
# Linux/macOS - restrict the config tree to the owner (on macOS use "~/Library/Application Support/Jan")
chmod 700 ~/.config/Jan
# Remove group/other access recursively. Unlike "chmod 600 data/*", this keeps the owner's
# execute bit on subdirectories, so they stay traversable.
chmod -R go-rwx ~/.config/Jan/data

# Windows - encrypt the directory with Encrypting File System (EFS);
# /s: recurses into subdirectories and /a also encrypts the files already present
cipher /e /a /s:"%APPDATA%\Jan"
```
Export Conversations:
Delete Conversations:
When using cloud providers (OpenAI, Anthropic, etc.):
Secure Storage:
Usage Limits:
| Provider | Security Feature |
|---|---|
| OpenAI | Organization-based access control |
| Anthropic | API key permissions |
| Mistral | API key rotation |
| Groq | Rate limiting |
Multi-User Systems:
Separate Configurations:
File Permissions:
```bash
# Restrict the config directory to its owner so other local users cannot read it
chmod 700 ~/.config/Jan
```
Apache-2.0 Benefits:
Enterprise Considerations:
Settings → Advanced → Debug Logging:
Log Location:
- Windows: `%APPDATA%\Jan\logs`
- macOS: `~/Library/Application Support/Jan/logs`
- Linux: `~/.config/Jan/logs`

Analyze Logs:
```bash
# Find errors
grep "ERROR" ~/.config/Jan/logs/*.log
# Find API requests
grep "API" ~/.config/Jan/logs/*.log
# Check authentication events (case-insensitive, so "Auth" and "AUTH" also match)
grep -i "auth" ~/.config/Jan/logs/*.log
```
Monitor For:
Settings → Advanced → Auto-Update:
When using MCP servers:
Security Considerations:
Settings → MCP:
GDPR/CCPA:
Healthcare (HIPAA):
Finance (SOC 2):
```bash
# Find failed authentications
grep "Authentication failed" ~/.config/Jan/logs/*.log
# Count chat completion requests to spot unusual volume
grep "POST /v1/chat" ~/.config/Jan/logs/*.log | wc -l
# Check for forbidden (403) responses, i.e. rejected access attempts
grep "403" ~/.config/Jan/logs/*.log
```
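The one-off greps above (both the "Analyze Logs" block and the failed-authentication checks here) can be turned into reusable triage functions. This is an added example, not code from the Jan project; the log line format it parses is constructed for the example, since the page does not document Jan's actual format, so adjust the field positions to what your logs contain.

```shell
# Added example, not part of Jan's documentation. The log line layout below is
# CONSTRUCTED for this example; Jan's real format may differ.

# Write a constructed sample log to a temp file and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[2024-01-01 10:00:01] [INFO] 192.168.1.20 POST /v1/chat/completions 200
[2024-01-01 10:00:02] [ERROR] Authentication failed 203.0.113.7
[2024-01-01 10:00:03] [ERROR] Authentication failed 203.0.113.7
[2024-01-01 10:00:04] [WARN] 203.0.113.7 POST /v1/chat/completions 403
[2024-01-01 10:00:05] [ERROR] Authentication failed 203.0.113.7
[2024-01-01 10:00:06] [INFO] 192.168.1.21 POST /v1/chat/completions 200
[2024-01-01 10:00:07] [WARN] 203.0.113.7 POST /v1/chat/completions 403
EOF
    printf '%s\n' "$f"
}

# "Authentication failed" events for one client. $1 = log file, $2 = client address
# (the last field of the constructed line).
failed_auth_count() {
    grep -F "Authentication failed" "$1" | awk -v ip="$2" '$NF == ip' | wc -l | tr -d ' '
}

# Exit 0 (alert) when any single client exceeds $2 failed authentications in $1.
failed_auth_alert() {
    max=$(grep -F "Authentication failed" "$1" | awk '{print $NF}' | sort | uniq -c | sort -rn | awk 'NR==1{print $1}')
    [ "${max:-0}" -gt "$2" ]
}

# Client with the most POST /v1/chat requests (field 4 in the constructed format),
# a quick way to spot an unusual API pattern from one source.
top_chat_client() {
    grep -F "POST /v1/chat" "$1" | awk '{print $4}' | sort | uniq -c | sort -rn | awk 'NR==1{print $2}'
}

# Number of 403 responses; grep -c exits 1 on zero matches, so keep the "0" it prints.
forbidden_count() {
    grep -c -F " 403" "$1" || true
}

# Verify the Jan config directory is owner-only (mode 700). $1 = directory.
# GNU stat (-c) is tried first, then BSD/macOS stat (-f).
config_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "700" ]
}
```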