The author details a security audit of AegisFlow, a self-hosted open-source AI gateway in Go, and introduces new WASM plugin support.
• Timing attack on API key validation was fixed by using SHA-256 hashing and subtle.ConstantTimeCompare to prevent early-exit leaks
• Admin panel endpoints were exposed by default when no token was configured, now blocked with a startup warning
• Rate limiter was failing open on errors; changed to return 503 instead
• Additional fixes: 10MB request body limit, SSE injection prevention, and tenant-ID-scoped response cache
• Jailbreak detection expanded from 3 to 25 patterns with NFKC Unicode normalization to block homoglyph and whitespace bypasses
• New WASM plugin system allows custom policy filters written in any WASM-compilable language, loaded at runtime via config with wazero (pure Go, zero CGO)
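
The API key fix from the first bullet, sketched as an added Go example (not AegisFlow's own code): the presented key is hashed with SHA-256 and compared against every stored digest with subtle.ConstantTimeCompare, with no early exit on a hit. The `KeyStore` type, its methods, and the sample keys and tenant names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// KeyStore keeps SHA-256 digests of API keys, never the keys themselves.
// Hypothetical type for this example; not AegisFlow's own structure.
type KeyStore struct {
	digests [][sha256.Size]byte
	tenants []string
}

// Add records the digest of key and the tenant it belongs to.
func (s *KeyStore) Add(key, tenant string) {
	s.digests = append(s.digests, sha256.Sum256([]byte(key)))
	s.tenants = append(s.tenants, tenant)
}

// Lookup hashes the presented key so both inputs are always 32 bytes
// (ConstantTimeCompare returns immediately on a length mismatch), then
// checks every stored digest. A plain == comparison in a loop that returns
// on the first hit gives no such guarantee and can stop at the first
// mismatching byte, which is the early-exit leak the fix removes.
func (s *KeyStore) Lookup(presented string) (string, bool) {
	sum := sha256.Sum256([]byte(presented))
	idx := -1
	for i := range s.digests {
		match := subtle.ConstantTimeCompare(sum[:], s.digests[i][:])
		// Keep the matching index without branching on the secret.
		idx = subtle.ConstantTimeSelect(match, i, idx)
	}
	if idx < 0 {
		return "", false
	}
	return s.tenants[idx], true
}

func main() {
	s := &KeyStore{}
	s.Add("sk-example-alpha", "tenant-a") // constructed sample keys
	s.Add("sk-example-beta", "tenant-b")
	fmt.Println(s.Lookup("sk-example-beta"))
	fmt.Println(s.Lookup("sk-example-bet"))
}
```
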
This summary was automatically generated by AI based on the original article and may not be fully accurate.