Site Security Architecture - Akhil Akash Bindla

High-Level Architecture

Visitor (Browser)
    ↓ HTTPS + Browser Security
GitHub Pages (Static Frontend)
    ↓ Sanitized API Calls
FastAPI Backend (Render)
    ↓ Rate Limiting + Input Validation + Prompt Injection Filter
RAG Engine (FAISS + Resume/Projects Data)
    ↓ Safe Context Retrieval
LLM Response (Grok / OpenAI)

Each layer enforces security: static frontend minimizes attack surface, backend validates inputs, prompt filter blocks jailbreaks, RAG uses trusted data only.

OWASP Top 10 & AI-Specific Protections

A03: Injection (Classic + Prompt Injection)

▼

Risk: High – Malicious input executed as code or LLM override.

Defense: Input sanitization + dedicated prompt injection filter before RAG.

blocked_patterns = [
  "ignore previous instructions",
  "override system",
  "drop table",
  "system prompt"
]

def detect_injection(text):
    return any(p in text.lower() for p in blocked_patterns)

if detect_injection(user_input):
    return "Blocked: Potential prompt injection detected"

Result: All queries pass through filter — jailbreaks are blocked early.

A01: Broken Access Control

▼

Risk: Unauthorized access to sensitive areas.

Defense: Static frontend (GitHub Pages) – no server-side auth needed. Backend uses API keys (env vars) and CORS restrictions.

No admin endpoints exposed. All content is public by design.

A05: Security Misconfiguration

▼

Risk: Exposed debug modes, default creds, open ports.

Defense: Render env vars for secrets, no debug mode, dependency scanning via Dependabot, HTTPS enforced.

A07: Identification & Authentication Failures

▼

Risk: Weak login mechanisms.

Defense: No user authentication required – static public portfolio. Future API endpoints will use API keys or JWT.

A08: Software & Data Integrity Failures

▼

Risk: RAG poisoning, untrusted data sources.

Defense: RAG uses only trusted resume/projects data. No user-uploaded content. Vector store integrity checked on ingestion.

Implemented Security Practices

✔ HTTPS enforced (GitHub Pages default)
✔ Secrets in environment variables (Render)
✔ Input validation & sanitization on backend
✔ Prompt injection detection layer
✔ CORS policy restrictions
✔ Dependency monitoring (Dependabot)
✔ No persistent user data stored
✔ Principle of least privilege