5 Layers of Security: How TopFlow Mitigates OWASP Top 10
As a former CISO, I don't just talk about security—I implement it. Here's TopFlow's 5-layer defense-in-depth model and how it addresses every OWASP Top 10 vulnerability.
Security as a Showcase Priority
As a former CISO, I built TopFlow not just as a functional AI workflow builder, but as a demonstration of production-grade security architecture. Every line of code reflects 15 years of security leadership experience.
This post covers TopFlow's 5-layer defense-in-depth model and how it maps to the OWASP Top 10. All referenced source files are in the public GitHub repo.
The 5-Layer Security Model
TopFlow uses a defense-in-depth approach with five distinct security layers. Each layer addresses specific threats, and together they provide comprehensive protection:
Layer 1: Client-Side
Input sanitization, XSS prevention, CSP headers, AES-256-GCM encryption of API keys at rest
Layer 2: Transport
TLS 1.3, HSTS, secure headers
Layer 3: API Gateway
Sliding-window rate limiting (in-memory ↔ Upstash Redis), DDoS protection
Layer 4: Execution
SSRF prevention (provenance-aware), cycle detection, timeout enforcement, sandboxed JS
Layer 5: External APIs
HTTPS-only, user-held credentials (BYOK), no platform-managed secrets
OWASP Top 10 Coverage
Here's how TopFlow addresses key OWASP Top 10 vulnerabilities with specific implementation details:
A01: Injection
Risk: SQL injection, command injection, XSS attacks
Mitigation:
- Zod schemas validate all workflow inputs at the API boundary
- No direct database queries (stateless architecture eliminates SQL injection entirely)
- React auto-escapes JSX output by default
- JavaScript nodes use
new Function()instead ofeval()with a limited scope
import { z } from 'zod'
const WorkflowSchema = z.object({
nodes: z.array(z.object({
id: z.string(),
type: z.enum(['textModel', 'httpRequest', 'javascript', 'conditional', ...]),
data: z.record(z.string(), z.unknown()),
})),
edges: z.array(z.object({
source: z.string(),
target: z.string(),
})),
})A03: Sensitive Data Exposure
Risk: PII leakage, API key exposure, data breaches
Mitigation:
- No PII storage — the platform never receives or stores user workflow data
- API keys encrypted at rest with AES-256-GCM (Web Crypto API) before being written to localStorage — see lib/security/encryption.ts
- TLS 1.3 for all connections; HSTS headers enforce HTTPS
- Honest limitation: a client-held key is not XSS-proof — a script running in the page can read both the ciphertext and the key from localStorage. The encryption protects against plaintext-at-rest inspection and casual exfiltration, not against a script-injection attacker.
A05: Security Misconfiguration
Risk: Exposed endpoints, verbose errors, default credentials
Mitigation:
- Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
- Error messages don't leak stack traces in production
- No default credentials — BYOK model means no platform-managed secrets exist
typescript.ignoreBuildErrorsremoved fromnext.config.mjs; CI enforces type-check on every PR
A10: Server-Side Request Forgery (SSRF)
Risk: Internal network access, cloud metadata credential theft
Mitigation:
- HTTPS/HTTP-only scheme allowlist — file://, ftp://, and all other schemes are rejected
- Private IP blocklist: 10.x, 172.16–31.x, 192.168.x, 127.x, 169.254.x, CGNAT, multicast/reserved
- Cloud metadata blocking: 169.254.169.254, metadata.google.internal, *.internal, *.local
- Provenance-aware exemption: engine-generated routes (e.g.
/api/scan/github) bypass the check; only user-supplied URLs are validated — see lib/security/ssrf.ts
Production-Grade Controls
Beyond OWASP, TopFlow implements additional security controls:
- Durable Rate Limiting: Sliding-window limiter (10 req/min per IP) backed by a pluggable store interface:
MemoryRateLimitStorein dev/test (injectable clock for deterministic unit tests),UpstashRateLimitStorein production (Redis-backed, durable across serverless instances) - Timeout Enforcement: 30-second maximum execution time prevents resource exhaustion
- Cycle Detection: DFS pre-execution check rejects cyclic graphs before any node runs — prevents infinite-loop resource exhaustion
- Input Validation: Zod schemas enforce type safety and constraints at every API boundary
Conclusion
Building secure applications isn't about adding security as an afterthought — it's about designing security into every layer from the start. TopFlow demonstrates that former CISOs can still code, and that security expertise translates directly into better architecture decisions.
Go Deeper
The AI Security Tutorial series covers each of these controls in full — threat models, attack trees, design trade-offs, and hands-on labs. Tutorials live in the GitHub repo alongside the code they document.