This document describes the security configuration layer of the Sim platform, including Content Security Policy (CSP) setup, SSRF protection, input validation, and security best practices for authentication and code execution. For authentication mechanisms and session management, see Authentication & Authorization.
The security architecture enforces multiple layers of protection to ensure the integrity of the platform and the safety of user data:
The platform uses a layered security model where different routes and execution contexts receive specific security policies.
The following diagram maps high-level security concepts to the specific code entities that implement them.
Sources: apps/sim/proxy.ts:5-6, apps/sim/lib/core/security/input-validation.server.ts:56-60, apps/sim/app/api/function/execute/route.ts:6-7, apps/sim/lib/core/security/csp.ts:1-6
Sim implements strict validation for any input that might influence server-side network requests or database connections to prevent Server-Side Request Forgery (SSRF).
The system prevents DNS-rebinding-based SSRF by resolving hostnames to IP addresses before making requests (apps/sim/lib/core/security/input-validation.server.ts:56-60).
The isPrivateOrReservedIP function uses ipaddr.js to detect and block non-routable ranges (e.g., 127.0.0.1, 169.254.169.254, 10.0.0.0/8) (apps/sim/lib/core/security/input-validation.server.ts:28-41)
The validateUrlWithDNS function returns the resolved IP address, which is then used for the actual connection to ensure the destination hasn't changed between validation and execution (apps/sim/lib/core/security/input-validation.server.ts:105-109)
The validatePathSegment function ensures that user-provided input used in URL paths or file paths cannot be used for directory traversal attacks (apps/sim/lib/core/security/input-validation.ts:49-53)
.., ./, and URL-encoded variations such as %2e%2e or %252e%252e (apps/sim/lib/core/security/input-validation.ts:89-101)
\0 or %00 to prevent null byte injection attacks (apps/sim/lib/core/security/input-validation.ts:81-88)
Sources: apps/sim/lib/core/security/input-validation.server.ts:28-109, apps/sim/lib/core/security/input-validation.server.ts:136-185, apps/sim/lib/core/security/input-validation.ts:49-159
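The resolve-then-pin flow described above, as an added example that is not Sim's code: a dependency-free range check stands in for ipaddr.js, the blocked-range list is an assumption, and `pinToValidatedIP` and the injected `resolve` lookup are hypothetical names.

```javascript
// Added illustration, not Sim's source. IPv4 blocks to refuse: [base address, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

// Dotted-quad text -> unsigned 32-bit number, or null when malformed.
function v4ToInt(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isPrivateOrReservedIP(ip) {
  const addr = ip.toLowerCase();
  if (addr.includes(':')) {
    // IPv4-mapped IPv6 is judged by its embedded IPv4 address; other ::ffff: forms fail closed.
    const mapped = addr.startsWith('::ffff:') ? addr.slice(7) : null;
    if (mapped !== null) return v4ToInt(mapped) === null || isPrivateOrReservedIP(mapped);
    if (addr === '::' || addr === '::1') return true; // unspecified, loopback
    const h = parseInt(addr.split(':')[0] || '0', 16); // first 16-bit group
    // NaN (non-hex first group) fails closed; then fc00::/7, fe80::/10, ff00::/8.
    return Number.isNaN(h) || (h & 0xfe00) === 0xfc00 || (h & 0xffc0) === 0xfe80 || (h & 0xff00) === 0xff00;
  }
  const n = v4ToInt(addr);
  if (n === null) return true; // fail closed on anything unparseable
  return BLOCKED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block
    return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
  });
}

// Check every address DNS returned, then pin the connection to one validated address.
function pinToValidatedIP(hostname, resolvedIps) {
  // A rebinding host can mix public and internal records, so one bad answer rejects the URL.
  if (resolvedIps.length === 0 || resolvedIps.some(isPrivateOrReservedIP)) {
    return { ok: false, error: 'resolves to a blocked address' };
  }
  // The caller connects to resolvedIP and sends hostname as Host/SNI: no second lookup.
  return { ok: true, resolvedIP: resolvedIps[0], hostname };
}

// `resolve` is an injected async lookup (hostname -> string[]), e.g. wrapping dns.promises.lookup.
async function validateUrlWithDNS(rawUrl, resolve) {
  let hostname;
  try { ({ hostname } = new URL(rawUrl)); } catch { return { ok: false, error: 'invalid URL' }; }
  return pinToValidatedIP(hostname, await resolve(hostname));
}
```

Pinning only helps if the HTTP client connects to `resolvedIP` directly; passing the original hostname back to a client that resolves it again reopens the rebinding window.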
The Function Execute API route (/api/function/execute) is a high-risk endpoint that executes user-provided JavaScript or Python code. It employs multiple security layers.
Depending on the configuration and language, code is routed to different sandboxes:
isolated-vm for Node.js/JavaScript execution, providing a restricted environment without access to the process object, require, or the filesystem (apps/sim/app/api/function/execute/route.ts:7)
The execution pipeline includes checks to prevent VM escapes:
this.constructor.constructor (apps/sim/app/api/function/execute/route.test.ts:174-188)
The fetch function provided to the VM is a wrapped version that enforces SSRF protections via validateProxyUrl (apps/sim/app/api/function/execute/route.test.ts:234-236)
Sources: apps/sim/app/api/function/execute/route.ts:6-17, apps/sim/app/api/function/execute/route.test.ts:161-236
The authentication layer implements several security best practices during the login, signup, and verification flows.
Sim enforces strict password entropy rules during signup:
The validatePassword function checks these regex patterns before submission (apps/sim/app/(auth)/signup/signup-form.tsx:114-138)
The platform uses a 6-digit One-Time Password (OTP) system for email verification (apps/sim/app/(auth)/verify/use-verification.ts:85-88)
emailVerified status (apps/sim/app/(auth)/verify/use-verification.ts:104-108)
To prevent "Open Redirect" vulnerabilities, the validateCallbackUrl function checks that callbackUrl parameters point to safe, internal application paths (apps/sim/app/(auth)/login/login-form.tsx:89-96)
Sources: apps/sim/app/(auth)/signup/signup-form.tsx:20-138, apps/sim/app/(auth)/verify/use-verification.ts:85-160, apps/sim/app/(auth)/login/login-form.tsx:89-96
The proxy.ts middleware acts as a primary security filter for incoming requests.
The handleSecurityFiltering function inspects incoming requests for malicious patterns:
sqlmap, nmap, nikto) or empty User-Agents (apps/sim/proxy.ts:10-16)
<script) or command execution attempts in headers (apps/sim/proxy.ts:13-14)
/api/webhooks/trigger/) are exempt from User-Agent checks to allow standard programmatic access (apps/sim/proxy.ts:112-114)
Standard security headers are applied to blocked requests to ensure they cannot be exploited even if a response is partially rendered:
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Sources: apps/sim/proxy.ts:10-16, apps/sim/proxy.ts:102-136, apps/sim/proxy.ts:187-197
The following diagram illustrates the security checks performed from request ingress to code execution.
Sources: apps/sim/proxy.ts:141-198, apps/sim/app/api/function/execute/route.ts:1-20, apps/sim/lib/core/security/input-validation.server.ts:56-60