/workspace/config/security, or in your config.json (inference and CORS controls under the client block; dashboard credentials under governance.auth_config). The rest live in the reverse proxy in front of Bifrost.
1. Use a strong dashboard password
The dashboard can be protected with Password protect the dashboard on the Security Settings page (an admin username + password). Anyone who reaches the dashboard URL without credentials can read configuration, virtual keys, and logs, so this is the first thing to turn on for a public host.Password policy is enforced starting OSS v1.6.0 and Enterprise v1.5.0. On these versions Bifrost validates the password both in the UI and on the server before saving, and rejects weak values with HTTP 400. On earlier versions there was no strength check at all. If you are running an older build, choose a strong password manually (and upgrade as soon as you can).
- At least 12 characters
- At least one uppercase letter
- At least one lowercase letter
- At least one number
- At least one special character
2. Enforce authentication on inference
By default, inference endpoints (/v1/chat/completions, /v1/embeddings, /v1/images/generations, and related endpoints) accept anonymous requests. On a public host that means anyone who finds the URL can spend against your provider keys.
Turn on the Enable Auth on Inference toggle on the Security Settings page (labeled Enforce Virtual Keys on Inference in OSS). This requires every inference call to present a valid credential, such as a Virtual Key, API key, or user token, which Bifrost resolves to scoped upstream provider keys. Your raw provider keys never leave the gateway.
This is the main setting. The older fields
enforce_governance_header and enforce_scim_auth are deprecated. Don’t use them in new deployments. Changing this setting requires a Bifrost restart in Enterprise.3. Review the rest of the Security Settings page
The Security Settings page (/workspace/config/security) exposes several more controls worth checking before going public:
| Setting | Config key | Recommendation for public hosts |
|---|---|---|
| Allow Direct API Keys | allow_direct_keys | Keep off (default). When on, callers can pass their own provider key in a header (x-bf-direct-key: true), bypassing your registered key pool. |
| Allowed Origins | allowed_origins | Set an explicit list. Never * in production. A wildcard lets JavaScript from any page on the internet call your gateway. |
| Allowed Headers | allowed_headers | Narrow to the minimum your callers need (e.g. Authorization, Content-Type, your virtual-key and tracing headers). |
| Required Headers | required_headers | Optionally require headers on every request; missing ones are rejected with 400. |
| Whitelisted Routes | whitelisted_routes | Only add routes that must bypass auth. System routes (/health, login, etc.) are always whitelisted. |
x-bf-eh-* header allowlist (header_filter_config). See Tighten both header allowlists for details.
4. Terminate TLS and serve from a reverse proxy
Never expose Bifrost’s HTTP port directly to the internet. Put a reverse proxy (NGINX, an Ingress controller, or a cloud load balancer) in front of it to terminate TLS, so all traffic, including dashboard logins, virtual keys, and prompts, is encrypted in transit. See the Nginx reverse proxy guide for streaming-safe proxy settings, and bind Bifrost itself to an internal interface so it is only reachable through the proxy.5. Send security headers from the reverse proxy
Add hardening response headers at the proxy layer to defend the dashboard against clickjacking, MIME sniffing, and protocol downgrade. Bifrost is served behind the proxy, so this is the right place to set them once for every response.- NGINX
- Kubernetes (NGINX Ingress)
| Header | Protects against |
|---|---|
Strict-Transport-Security | Protocol downgrade / SSL-stripping attacks |
X-Frame-Options / Content-Security-Policy: frame-ancestors | Clickjacking and embedding the dashboard in a hostile iframe |
X-Content-Type-Options: nosniff | MIME-type sniffing |
Referrer-Policy | Leaking dashboard URLs to third-party sites |
Use the
always flag (NGINX) so headers are sent even on error responses. Only enable HSTS once you are confident HTTPS will stay on. Browsers cache it for the full max-age.6. Restrict network exposure
Network-level controls limit the impact of a misconfiguration:- Don’t publish the raw container port. Expose only the reverse proxy; keep Bifrost on an internal network or
localhostupstream. - Firewall / security groups. Allow inbound traffic only on
443(and80for the ACME/HTTP-to-HTTPS redirect). Block everything else. - Restrict the admin surface. If only your team needs the dashboard, put it behind a VPN, an IP allowlist, or an identity-aware proxy rather than the open internet.
- Run as non-root. The official
maximhq/bifrostimage already runs as an unprivileged user. Keep it that way and avoid mounting host paths writable.
Hardening checklist
Strong dashboard password (or SSO)
12+ chars with mixed case, number, and symbol. Upgrade to OSS v1.6.0 / Enterprise v1.5.0+ so the policy is enforced.
Security headers set at the proxy
HSTS, frame-ancestors / X-Frame-Options, nosniff, Referrer-Policy.
Related guides
- Nginx reverse proxy
- Enterprise security hardening
- Virtual keys
- Budgets and limits
- Security at Bifrost: how Bifrost itself is built and scanned

