arc53/DocsGPT

🚀 Feature: Agent API security improvements

Open

#1984 opened on Sep 26, 2025

Repository: Python, 13,691 stars, 1,359 forks. Issue: 13 comments, 0 reactions, 1 assignee.
Labels: batch import, application, backend, hacktoberfest, help wanted

Description

🔖 Feature description

This feature proposes the implementation of critical security and quality-of-life enhancements for the public-facing Agent API. As agents are designed to be embedded and shared, it's essential to provide users with robust tools to control access and prevent abuse.

I propose adding two key features to the agent configuration settings:

  1. CORS Origin Whitelisting: An option for users to specify a whitelist of allowed domains. This will ensure that the agent's API can only be called from trusted websites.
  2. API Limits: A mechanism to set limits on token usage (or maybe number of requests). This is crucial for protecting against denial-of-service (DoS) attacks and managing the costs associated with LLM calls.

🎤 Why is this feature needed?

Currently, once an agent is made public, its API endpoint is open to the world. This poses significant risks for some users.

✌️ How do you aim to achieve this?

The implementation can be broken down into two parts, targeting the backend API and the frontend Agent Advanced section.

  1. CORS Origin Whitelisting:

Frontend:

  • In the Agent Advanced section, add a new text input field labeled "Allowed Origins". This field should accept a comma-separated list of URLs.

Backend:

  • Store the list of allowed origins in the database, associated with the specific agent.
  • In the API middleware that handles agent requests, check the incoming request's Origin header if enabled.

  2. API Limits:

Frontend:

  • In the Agent Advanced section, add a new text input field labeled "Usage limits".

Backend:

  • In the API middleware that handles agent requests, check usage before processing if enabled.

🔄️ Additional Information

No response

👀 Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find a similar issue

Are you willing to submit PR?

None
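The two middleware checks the proposal describes (an Origin allow-list stored per agent and a pre-processing usage check), as an added example that is not DocsGPT's code and not part of the original issue. It is written framework-agnostic so it runs stand-alone; in the Flask backend the `gate_agent_request` decision would sit in a `before_request` hook or a decorator on the agent endpoint. `AgentPolicy`, `UsageLimiter` and the helper names are hypothetical, and the in-memory counters would have to move to Redis or the database in a multi-worker deployment.

```python
"""Added example (not DocsGPT code): per-agent Origin allow-list and usage limits."""
from __future__ import annotations

import time
from dataclasses import dataclass
from urllib.parse import urlsplit


def normalize_origin(value: str) -> str | None:
    """Reduce a URL or Origin header value to the canonical origin
    scheme://host[:port] (lower-case host, default port dropped). Returns None
    for anything that is not an http(s) origin ("null", "*", a bare hostname),
    so such entries can never silently end up on the allow-list."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def parse_allowed_origins(field_value: str) -> tuple[frozenset[str], list[str]]:
    """Parse the comma-separated "Allowed Origins" field. Returns (accepted,
    rejected) so the UI can tell the user which entries were dropped."""
    accepted: set[str] = set()
    rejected: list[str] = []
    for raw in field_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        origin = normalize_origin(raw)
        if origin is None:
            rejected.append(raw)
        else:
            accepted.add(origin)
    return frozenset(accepted), rejected


@dataclass(frozen=True)
class AgentPolicy:
    """Hypothetical per-agent settings, as they would be stored with the agent."""
    allowed_origins: frozenset[str] = frozenset()  # empty: origin check disabled
    max_requests: int | None = None                # per window; None: unlimited
    max_tokens: int | None = None                  # per window; None: unlimited
    window_seconds: int = 3600


def origin_allowed(policy: AgentPolicy, origin_header: str | None) -> bool:
    """Exact match of the request's Origin against the allow-list. Substring or
    suffix matching would admit https://trusted.example.com.evil.com, so only the
    canonical origin string is compared. A missing or "null" Origin is refused
    while the check is enabled. Note the limit of this control: browsers set
    Origin, but curl can send any value, so this stops embedding of the agent in
    untrusted pages, not API abuse in general; that is the job of the usage limits."""
    if not policy.allowed_origins:
        return True
    if origin_header is None:
        return False
    origin = normalize_origin(origin_header)
    return origin is not None and origin in policy.allowed_origins


def cors_headers(policy: AgentPolicy, origin_header: str | None) -> dict[str, str]:
    """Response headers for an allowed cross-site caller: echo the exact origin
    (never "*") and add Vary: Origin so caches keep per-origin responses apart."""
    if not policy.allowed_origins or not origin_allowed(policy, origin_header):
        return {}
    return {"Access-Control-Allow-Origin": normalize_origin(origin_header), "Vary": "Origin"}


class UsageLimiter:
    """Fixed-window request and token counters per agent (in-memory here)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._windows: dict[str, list] = {}  # agent_id -> [window_start, requests, tokens]

    def _window(self, agent_id: str, policy: AgentPolicy) -> list:
        now = self._clock()
        win = self._windows.get(agent_id)
        if win is None or now - win[0] >= policy.window_seconds:
            win = [now, 0, 0]
            self._windows[agent_id] = win
        return win

    def allow_request(self, agent_id: str, policy: AgentPolicy) -> bool:
        """Called before the LLM call. Token usage is only known afterwards, so
        the token limit is enforced against what was already recorded in this
        window; a single request can overshoot by at most its own token count."""
        win = self._window(agent_id, policy)
        if policy.max_requests is not None and win[1] >= policy.max_requests:
            return False
        if policy.max_tokens is not None and win[2] >= policy.max_tokens:
            return False
        win[1] += 1
        return True

    def record_tokens(self, agent_id: str, policy: AgentPolicy, tokens: int) -> None:
        """Called after the LLM call with the provider's reported token usage."""
        self._window(agent_id, policy)[2] += tokens


def gate_agent_request(policy: AgentPolicy, limiter: UsageLimiter,
                       agent_id: str, origin_header: str | None) -> tuple[int, str]:
    """The middleware decision for one request: 403 for a disallowed origin,
    429 when the agent is over its limits, 200 otherwise."""
    if not origin_allowed(policy, origin_header):
        return 403, "origin not allowed for this agent"
    if not limiter.allow_request(agent_id, policy):
        return 429, "agent usage limit reached"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample input: what a user might paste into "Allowed Origins".
    allowed, rejected = parse_allowed_origins("https://Docs.Example.com:443/, http://localhost:3000, *")
    policy = AgentPolicy(allowed_origins=allowed, max_requests=2, max_tokens=100, window_seconds=60)
    limiter = UsageLimiter()
    print("rejected entries:", rejected)
    for origin in ("https://docs.example.com", "https://docs.example.com.evil.com", None):
        print(origin, "->", gate_agent_request(policy, limiter, "agent-1", origin))
```

The `parse_allowed_origins` helper is deliberately strict so that a stray `*` or `null` in the field is reported back to the user rather than stored; an allow-list that can contain the wildcard is easy to misconfigure into no restriction at all. The `record_tokens` call belongs after the LLM response, using the token counts the provider returns, which is why the token limit in `allow_request` is necessarily checked one request late.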
