Security Confidence Checklist

Verified status as of March 28, 2026. Runtime note: FastFN auto-installs function-local dependencies from requirements.txt / package.json; host runtimes are required in fastfn dev --native, while fastfn dev depends on a running Docker daemon.

Quick View

• Complexity: Intermediate
• Typical time: 15-25 minutes
• Use this when: you are preparing production security baseline
• Outcome: default protections and required hardening steps are explicit

This page is a practical security section for teams that want confidence before using FastFN in real environments.

What is safe by default

FastFN already applies these controls by default:

• strict function filesystem sandbox (FN_STRICT_FS=1)
• internal/admin routes separated from public routes
• edge proxy guardrails for control-plane paths (/_fn/*, /console/*)
• per-function method and body limits
• per-function timeout/concurrency controls
• secret masking when configured as secret values

What you still must configure in production

Use this baseline every time:

1. Put FastFN behind your reverse proxy (Nginx/Caddy/ALB).
2. Restrict /_fn/* and /console/* to trusted IPs or private network.
3. Use strong admin token and disable write surface if not needed.
4. Keep function secrets in environment/secret manager, not in source.
5. Enforce host allowlists (invoke.allow_hosts, edge allowlists).
6. Use explicit FN_HOST_PORT and avoid port conflicts with other services.
7. Monitor health and logs (/_fn/health, structured runtime logs).

Quick trust verification (copy/paste)

# Health endpoint
curl -sS http://127.0.0.1:8080/_fn/health | jq .

# Internal admin should be blocked from public network path/policy
curl -i -sS http://127.0.0.1:8080/_fn/catalog | sed -n '1,20p'

# Confirm strict fs mode is active in your runtime env
env | rg '^FN_STRICT_FS='

Security boundaries (important)

FastFN reduces risk by default, but it is not a full multi-tenant isolation platform out of the box.
For strong tenant isolation, add host-level controls (containers, seccomp/cgroups, network segmentation, separate worker hosts).

Recommended next read

• Security Model
• Console and Admin Access
• Deploying to Production

Flow Diagram

flowchart LR
  A["Client request"] --> B["Route discovery"]
  B --> C["Policy and method validation"]
  C --> D["Runtime handler execution"]
  D --> E["HTTP response + OpenAPI parity"]

Objective

Clear scope, expected outcome, and who should use this page.

Prerequisites

• FastFN CLI available
• Runtime dependencies by mode verified (Docker for fastfn dev, OpenResty+runtimes for fastfn dev --native)

Validation Checklist

• Command examples execute with expected status codes
• Routes appear in OpenAPI where applicable
• References at the end are reachable

Troubleshooting

• If runtime is down, verify host dependencies and health endpoint
• If routes are missing, re-run discovery and check folder layout

See also

• Function Specification
• HTTP API Reference
• Run and Test Checklist

HTTP Basic auth posture

Support posture: adjacent-stack.

Rationale:

• HTTP Basic is valid for controlled environments, but it is not recommended as primary internet-facing auth.
• Use only behind TLS, with network restrictions and credential rotation.

Preferred alternatives:

• bearer token/JWT for APIs
• API key + scope mapping for service-to-service traffic

Last reviewed: March 28, 2026 · Docs on fastfn.dev