Security System

Comprehensive security configuration for your AgenticMail Enterprise deployment. Each section can be edited independently using its own Edit button.

Overview

The Security System tab provides defense-in-depth controls protecting your instance from prompt injection, data exfiltration, SQL injection, and other attack vectors. Each section has its own Edit/Save/Cancel buttons — click Edit to modify a section, then Save to persist changes or Cancel to discard.

Per-section editing: Only one section can be edited at a time. Other sections dim while you're editing, preventing accidental changes. Your changes are saved to the server when you click Save.

Prompt Injection Defense

Multi-layer detection and prevention of prompt injection attacks — attempts by users or external content to override an agent's instructions.

Settings

Setting	Description
Enable Protection	Master toggle for prompt injection defense
Detection Mode	Monitor Only — Logs detections but allows them through. Good for testing. Sanitize Content — Strips suspected injection patterns from input. Recommended for most deployments. Block Request — Rejects the entire request. Strictest mode.
Sensitivity Level	Low / Medium / High / Maximum. Higher sensitivity catches more but increases false positives.
Log Detections	Write detection events to the security audit log
Block Response	Custom message returned when a request is blocked (only in Block mode)

Recommended: Start with Sanitize mode at Medium sensitivity. Monitor the audit log for false positives before increasing to High.

How It Works

The system scans all incoming messages and tool inputs for known prompt injection patterns:

System prompt override attempts ("Ignore previous instructions...")
Role confusion attacks ("You are now a different assistant...")
Delimiter injection (using special characters to break out of context)
Indirect injection via tool outputs (e.g., a fetched webpage containing injection)

SQL Injection Prevention

Detects and blocks SQL injection attempts in tool inputs and API request bodies.

Setting	Description
Enable Protection	Master toggle
Detection Mode	`Monitor Only` (log but allow) or `Block Request` (reject)
Scan Tool Arguments	Check arguments passed to agent tools (database queries, file operations, etc.)
Scan API Request Bodies	Check incoming API request payloads for SQL patterns
Log Detections	Write events to the audit log

Detection Patterns

Scans for common SQL injection vectors including:

Union-based injection (UNION SELECT)
Boolean-based blind injection (OR 1=1)
Time-based injection (SLEEP(), WAITFOR DELAY)
Stacked queries (semicolon-separated statements)
Comment-based evasion (--, /* */)

Input Validation

Sanitizes and validates all incoming data to prevent malformed or malicious payloads.

Setting	Default	Description
Max Input Length	100,000 chars	Reject inputs exceeding this length. Prevents memory exhaustion attacks.
Max JSON Depth	20 levels	Reject deeply nested JSON objects. Prevents stack overflow in parsers.
Strip HTML	Off	Remove all HTML tags from text inputs. Use when agents don't need HTML.
Block Scripts	On	Reject inputs containing `<script>` tags. Prevents XSS via agent outputs.
Sanitize Unicode	On	Normalize Unicode and remove invisible/homoglyph characters used for evasion.

Output Filtering

Scans agent outputs for secrets and personal information before they reach users or external systems.

Setting	Description
Filter Mode	Monitor Only — Log but don't modify outputs Redact Secrets — Replace detected secrets with `[REDACTED]` Block Output — Reject the entire response
Scan for Secrets	Detect API keys, passwords, tokens, connection strings
Scan for PII	Detect emails, phone numbers, SSNs, credit card numbers
Log Detections	Write events to the audit log

Important: Output filtering works alongside DLP rules. DLP provides more granular, rule-based detection. Output filtering here is a safety net that catches common patterns without custom rules.

Transport Encryption

Encrypts API data in transit between the dashboard and server using AES-256-CBC with HMAC verification. Provides application-layer encryption on top of HTTPS for defense-in-depth.

Why Use This?

HTTPS already encrypts traffic at the transport layer. Transport encryption adds a second layer that protects against:

Compromised TLS proxies — Corporate SSL inspection that decrypts and re-encrypts traffic
MITM attacks — Even if TLS is broken, data remains encrypted
Network sniffing — Encrypted payloads are opaque even if captured

Encryption Modes

Mode	Description
Encrypt All	Every dashboard API call is encrypted. SSE streams are automatically excluded (they don't support custom headers).
Sensitive Only	Pre-selected endpoint groups handling credentials and secrets (API keys, OAuth tokens, database URLs, vault).
Custom	Toggle individual endpoint groups and add custom path patterns.

Endpoint Groups

There are 22 endpoint groups covering every API area. Groups marked SENSITIVE handle credentials or secrets:

Models & API Keys SENSITIVE — LLM provider API keys
Authentication SENSITIVE — Login, sessions, tokens
Email & SMTP SENSITIVE — SMTP credentials, email configs
Database Connections SENSITIVE — Database URLs and credentials
Vault & Secrets SENSITIVE — Encrypted secret storage
Integrations SENSITIVE — OAuth tokens, org integrations
Memory SENSITIVE — Agent memories and transfer data
Settings, Agents, Skills, Organizations, Knowledge, Tasks, Workforce, Messages, Guardrails, Journal, Approvals, Compliance, Domain, Roles, Dashboard

Advanced Settings

Setting	Default	Description
Payload Max Age	300 seconds	Reject encrypted payloads older than this (replay attack protection)
Debug Logging	Off	Log encryption/decryption operations to browser console. Never enable in production.

For full technical details, see the Transport Encryption documentation.

Dependency & Package Management

Organization-wide defaults for how agents install software packages. Individual agents can override these in their Permissions tab.

Install Policy

Policy	Description
Auto	Agents install what they need without asking. Best for trusted environments.
Ask Manager	Agents must get human approval before installing any package.
Deny	No package installation allowed. Agents must use pre-installed tools.

Cross-Platform Support

The dependency manager automatically detects the platform and uses the appropriate package manager:

Platform	Package Managers
macOS	Homebrew (brew)
Ubuntu/Debian	apt
Fedora/RHEL	dnf
Arch Linux	pacman
Snap-enabled Linux	snap
Windows	Chocolatey, winget, Scoop
npm packages	npm (local install to temp dir, never global)
Python packages	pip

Safety Guarantees

Never touches existing installations — If a tool is already installed, agents use it as-is without upgrading or reinstalling.
npm packages install locally — Installed to a session temp directory (/tmp/agenticmail-deps-{pid}/), never globally. Cleaned up on session end.
Blocked packages — Packages listed here can never be installed by any agent, regardless of policy.
Auto-cleanup — Agent-installed packages are removed when the session ends (only agent-installed, never pre-existing).

Elevated Access

Setting	Description
Allow Global Installs	Permit system-level package installation (brew, apt, etc.). When off, only local npm/pip installs are allowed.
Allow Elevated (sudo)	Permit agents to use sudo for packages that require root (e.g., `apt install`). Requires a system password to be configured.
Allowed Managers	Whitelist which package managers agents can use.

Security note: Enabling elevated access gives agents the ability to install system-level software. Only enable this in trusted, isolated environments. The system password is stored encrypted in the server's security config.

Screen Unlock & Machine Access

Allows the system to automatically unlock the screen when agents need to interact with the desktop (browser automation, GUI tools, scheduled tasks).

How It Works

Agent detects the screen is locked (via system APIs)
System wakes the display if asleep (using caffeinate on macOS)
Types your password to unlock the screen (via AppleScript keystroke on macOS)
Agent performs the required action (browser, desktop automation, etc.)

Settings

Setting	Description
Enable Screen Auto-Unlock	Master toggle for all screen unlock features
System / Computer Password	Your macOS or Linux login password. Stored encrypted in the server's security config. Agents never see the raw password.
Check Screen Status	Shows whether the screen is currently locked or unlocked, and the platform
Unlock Now	Manually trigger an unlock (useful for testing)
Auto-Unlock on Agent Activity	Automatically unlock when an agent needs to use the browser, run desktop automation, or start a scheduled task
Prevent System Sleep	Keep the system awake using `caffeinate` (macOS) or `systemd-inhibit` (Linux). Prevents sleep while agents are active.

Platform Support

Platform	Lock Detection	Unlock Method	Sleep Prevention
macOS	Quartz session check	AppleScript keystroke	`caffeinate -u -t 2`
Linux	`loginctl` / `xdotool`	`loginctl unlock-session`	`systemd-inhibit`
Windows	Not supported	Not supported	Not supported

Security consideration: The password is stored in the server's encrypted security config. Only the server process has access — agents invoke the unlock via an API call and never handle the password directly. Still, ensure your server is properly secured.

Security Audit Log

Log and monitor security events across your instance.

Setting	Default	Description
Enable Audit Logging	On	Master toggle for security event logging
Retention (days)	90	How long to keep audit log entries before auto-deletion
Log Prompt Injection Attempts	On	Record detected prompt injection attempts
Log All Tool Calls	Off	Record every tool invocation by every agent. High volume — enable only for investigation.
Log API Access	Off	Record all API endpoint access. Very high volume.

Recent Security Events

The audit log section also displays the 10 most recent security events with severity levels (critical, high, medium, low). Click "Refresh" to fetch the latest events.

Best Practices

Recommended Configuration

Setting	Recommendation
Prompt Injection	Sanitize mode, Medium sensitivity
SQL Injection	Block mode, scan both tool inputs and API bodies
Input Validation	Enabled with defaults (100K max length, 20 JSON depth)
Output Filtering	Redact mode with both secret and PII scanning
Transport Encryption	Sensitive Only (or Encrypt All for high-security environments)
Dependency Management	Auto mode with blocked packages for security tools (nmap, metasploit)
Screen Unlock	Enabled only on dedicated agent machines, not shared workstations
Audit Logging	Enabled with 90-day retention, prompt injection logging on

Network & Firewall — IP filtering, egress rules, proxy, geo-blocking
Tool Security — Path sandbox, SSRF, command sanitizer
Transport Encryption — Detailed technical documentation
Data Loss Prevention — Rule-based content scanning
Audit Log — View and search all audit events
Agent Permissions — Per-agent dependency and security settings

AgenticMail Enterprise Documentation Report an issue

Security System

On This Page

Overview

Prompt Injection Defense

Settings

How It Works

SQL Injection Prevention

Detection Patterns

Input Validation

Output Filtering

Transport Encryption

Why Use This?

Encryption Modes

Endpoint Groups

Advanced Settings

Dependency & Package Management

Install Policy

Cross-Platform Support

Safety Guarantees

Elevated Access

Screen Unlock & Machine Access

How It Works

Settings

Platform Support

Security Audit Log

Recent Security Events

Best Practices

Recommended Configuration

Related Pages