Security Best Practices

Secure your Activepieces deployment with these production-ready security practices covering network security, secrets management, and data encryption.

Network Security

Protect your Activepieces instance at the network level:

TLS/SSL Configuration

Enable HTTPS

Always use HTTPS in production:

# Environment configuration
AP_FRONTEND_URL=https://app.company.com
AP_WEBHOOK_URL=https://hooks.company.com

Use Valid Certificates

Deploy with trusted SSL certificates:

Let’s Encrypt (free)
Commercial CA certificates
Internal CA for private deployments

# Configure certificate paths
AP_SSL_CERT=/path/to/cert.pem
AP_SSL_KEY=/path/to/key.pem

Enforce TLS 1.2+

Disable older protocols:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;

Never run Activepieces in production without HTTPS. Credentials and tokens are transmitted in API requests.

Firewall Configuration

Restrict network access to essential ports:

Required Ports
Optional Ports

Port	Service	Access
443	HTTPS API/UI	Public
5432	PostgreSQL	Internal only
6379	Redis	Internal only

Port	Service	Access
80	HTTP Redirect	Public
3000	Queue Dashboard	Admin IP only

Reverse Proxy Setup

Use a reverse proxy for additional security:

server {
    listen 443 ssl http2;
    server_name app.company.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    # Security headers
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    
    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req zone=api burst=20 nodelay;
    
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

IP Allowlisting

Restrict admin access by IP:

# Admin endpoints
location /api/v1/admin {
    allow 10.0.0.0/8;        # Internal network
    allow 203.0.113.0/24;    # Office IP range
    deny all;
    
    proxy_pass http://localhost:3000;
}

Secrets Management

Properly handle sensitive configuration:

Environment Variables

Critical Secrets

Never hardcode these values:

# Database
AP_POSTGRES_PASSWORD=<use-secret-manager>

# Encryption
AP_ENCRYPTION_KEY=<use-secret-manager>

# JWT
AP_JWT_SECRET=<use-secret-manager>

# Redis
AP_REDIS_PASSWORD=<use-secret-manager>

Secure Generation

Generate strong random secrets:

# Generate encryption key (256-bit)
openssl rand -hex 32

# Generate JWT secret
openssl rand -base64 64

# Generate database password
openssl rand -base64 32 | tr -d "=+/" | cut -c1-25

Secret Rotation

Rotate secrets regularly:

Database passwords: Every 90 days
API keys: Every 180 days
Encryption keys: Use key versioning
JWT secrets: Every year

Secret Manager Integration

Use external secret managers for production:

# Store secrets in AWS
aws secretsmanager create-secret \
  --name activepieces/prod/db-password \
  --secret-string "your-secure-password"

# Reference in deployment
AP_POSTGRES_PASSWORD=$(aws secretsmanager get-secret-value \
  --secret-id activepieces/prod/db-password \
  --query SecretString --output text)

See Secret Managers for integration details.

Data Encryption

Activepieces encrypts sensitive data at multiple layers:

Encryption at Rest

Database Encryption

Enable PostgreSQL encryption:

-- Enable pgcrypto extension
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Use encrypted tablespaces
CREATE TABLESPACE encrypted_space
  LOCATION '/var/lib/postgresql/encrypted'
  WITH (encryption = on);

Application-Level Encryption

Activepieces encrypts:

Connection credentials
OAuth tokens
Webhook secrets
Secret manager configurations

Using AES-256-GCM encryption.

Backup Encryption

Encrypt database backups:

# Encrypted backup
pg_dump activepieces | \
  openssl enc -aes-256-cbc -pbkdf2 -out backup.sql.enc

# Restore
openssl enc -d -aes-256-cbc -pbkdf2 -in backup.sql.enc | \
  psql activepieces

Encryption in Transit

Database Connections

Enable SSL for PostgreSQL:

# Connection string with SSL
AP_POSTGRES_DATABASE=postgresql://user:pass@host:5432/db?sslmode=require

SSL modes:

require: Encrypt connection
verify-ca: Verify server certificate
verify-full: Verify server identity

Redis Connections

Use TLS for Redis:

AP_REDIS_URL=rediss://username:password@host:6380
AP_REDIS_TLS=true

External API Calls

All outbound connections use HTTPS by default. Pieces validate SSL certificates automatically.

Encryption Key Management

# Primary encryption key
AP_ENCRYPTION_KEY=<256-bit-hex-key>

# Key rotation (future versions will support multiple keys)
AP_ENCRYPTION_KEY_LEGACY=<old-key>

The encryption key must remain constant. Changing it will break existing encrypted data. Plan for key rotation using versioning.

Access Control

Authentication Security

Strong Passwords

Enforce password requirements:

Minimum 12 characters
Mixed case, numbers, symbols
No common passwords
Password history (prevent reuse)

Multi-Factor Auth

Enable 2FA/MFA:

TOTP (Google Authenticator)
SMS (for enterprise)
Hardware keys (FIDO2)

Session Management

Configure session security:

Session timeout: 8 hours
Idle timeout: 30 minutes
Concurrent sessions: Limited per user

SSO

Use enterprise SSO:

SAML 2.0
OAuth 2.0
Centralized identity management

API Security

API Key Management

# Generate API key
curl -X POST 'https://api.activepieces.com/v1/api-keys' \
  -H 'Authorization: Bearer {token}' \
  -d '{
    "displayName": "Production API",
    "expiresIn": "90d"
  }'

Rate Limiting

Configure rate limits:

AP_RATE_LIMIT_ENABLED=true
AP_RATE_LIMIT_MAX_REQUESTS=100
AP_RATE_LIMIT_WINDOW_MS=60000

IP Whitelisting

Restrict API access by IP for sensitive operations

Monitoring & Auditing

Audit Logging

Enable comprehensive audit logs:

AP_AUDIT_LOGS_ENABLED=true
AP_AUDIT_LOG_RETENTION_DAYS=90

Logged events:

User authentication
Permission changes
Flow modifications
Connection management
Data access

See Audit Logs for details.

Security Monitoring

Failed Login Attempts

Monitor for brute force attacks:

SELECT user_email, COUNT(*) as failed_attempts
FROM audit_event
WHERE action = 'user.signed.in'
  AND data->>'success' = 'false'
  AND created > NOW() - INTERVAL '1 hour'
GROUP BY user_email
HAVING COUNT(*) > 5;

Unusual Activity

Alert on suspicious patterns:

Login from new location
Multiple failed 2FA attempts
Bulk data export
Privilege escalation

System Health

Monitor security-relevant metrics:

Certificate expiration
Secret age
Failed API calls
Database connections

Compliance

Data Residency

Deploy in Required Region

Deploy Activepieces in compliant data centers

Configure Data Boundaries

Restrict piece usage to region-compliant services

Document Data Flow

Maintain data flow diagrams for compliance audits

Compliance Standards

GDPR

Data encryption at rest and in transit
Right to deletion (soft delete)
Audit logs for data access
Data export capabilities

SOC 2

Access controls and RBAC
Encryption of sensitive data
Audit logging
Incident response procedures

HIPAA

PHI encryption
Access logging
BAA agreements
Minimum necessary access

ISO 27001

Information security policies
Risk assessment
Access control
Cryptographic controls

Vulnerability Management

Keeping Updated

Regular Updates

Update Activepieces regularly:

# Check current version
curl https://api.activepieces.com/v1/health

# Update to latest
docker pull activepieces/activepieces:latest

Security Patches

Subscribe to security announcements:

GitHub security advisories
Release notes
Community forums

Dependency Scanning

Scan for vulnerable dependencies:

npm audit
docker scan activepieces/activepieces:latest

Incident Response

Detection

Monitor for security incidents:

Audit log anomalies
System alerts
User reports

Response

Incident response procedure:

Isolate affected systems
Preserve evidence (logs)
Assess impact
Contain breach
Eradicate threat
Recover systems
Post-incident review

Communication

Notify stakeholders:

Internal security team
Affected users
Compliance/legal teams
Regulators (if required)

Security Checklist

Network

✅ HTTPS enabled with valid certificate ✅ Firewall configured ✅ Reverse proxy deployed ✅ Rate limiting enabled

Secrets

✅ Secrets in secret manager ✅ Strong random secrets ✅ No secrets in code/logs ✅ Regular rotation schedule

Encryption

✅ Database encryption enabled ✅ TLS for all connections ✅ Backups encrypted ✅ Encryption key secured

Access Control

✅ SSO configured ✅ MFA enabled ✅ RBAC implemented ✅ Regular access reviews

Secret Managers

Integrate secret management

Audit Logs

Track security events

SSO Configuration

Set up SSO authentication

Platform Management

Security

​Network Security

​TLS/SSL Configuration

​Firewall Configuration

​Reverse Proxy Setup

​IP Allowlisting

​Secrets Management

​Environment Variables

​Secret Manager Integration

​Data Encryption

​Encryption at Rest

​Encryption in Transit

​Encryption Key Management

​Access Control

​Authentication Security

Strong Passwords

Multi-Factor Auth

Session Management

SSO

​API Security

​Monitoring & Auditing

​Audit Logging

​Security Monitoring

​Compliance

​Data Residency

​Compliance Standards

GDPR

SOC 2

HIPAA

ISO 27001

​Vulnerability Management

​Keeping Updated

​Incident Response

​Security Checklist

Network

Secrets

Encryption

Access Control

​Related Topics

Secret Managers

Audit Logs

SSO Configuration

Network Security

TLS/SSL Configuration

Firewall Configuration

Reverse Proxy Setup

IP Allowlisting

Secrets Management

Environment Variables

Secret Manager Integration

Data Encryption

Encryption at Rest

Encryption in Transit

Encryption Key Management

Access Control

Authentication Security

API Security

Monitoring & Auditing

Audit Logging

Security Monitoring

Compliance

Data Residency

Compliance Standards

Vulnerability Management

Keeping Updated

Incident Response

Security Checklist

Related Topics