# Security

> Password protection, best practices, HTTPS setup, and E2B cloud sandboxing for GitAgent deployments.

## Password Protection

```bash
# Basic auth
GITAGENT_PASSWORD=mysecret gitagent --voice --dir ~/assistant

# With custom username (defaults to "admin")
GITAGENT_USERNAME=alice GITAGENT_PASSWORD=mysecret gitagent --voice --dir ~/assistant
```

* All HTTP routes show a login page instead of the UI
* WebSocket connections are rejected without a valid auth cookie
* The `/health` endpoint remains open (for load balancers)
* Cookie: HttpOnly, SameSite=Strict, 24-hour expiry
* The token is a SHA-256 hash (the password is never stored in the cookie)
* `GITAGENT_USERNAME` sets the login username (defaults to "admin")

## Best Practices

| Practice                         | Detail                                     |
| -------------------------------- | ------------------------------------------ |
| Use HTTPS in production          | Via nginx, Caddy, or Cloudflare Tunnel     |
| Set GITAGENT\_PASSWORD           | When exposing to a network                 |
| Use --sandbox for untrusted code | Runs the agent in an isolated E2B cloud VM |
| Enable audit logging             | For compliance and incident review         |

## HTTPS Setup

**nginx reverse proxy**

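```nginx
server {
  listen 443 ssl;
  server_name agent.example.com;

  # Placeholder paths: point these at your own certificate chain and private key.
  # nginx refuses to start an ssl listener without them.
  ssl_certificate     /path/to/fullchain.pem;
  ssl_certificate_key /path/to/privkey.pem;

  location / {
    proxy_pass http://localhost:3333;
    # Required so WebSocket connections are upgraded through the proxy
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}
```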

**Cloudflare Tunnel (zero-config)**

```bash
cloudflared tunnel --url http://localhost:3333
```

<Warning>
  Never expose port 3333 directly — always proxy via nginx, Caddy, or Cloudflare Tunnel in production.
</Warning>
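
One way to check the warning above on a Linux host, as an added example that is not part of GitAgent or its documentation: the hypothetical `audit_listeners` function reads `ss -H -ltn` output and flags any listener on port 3333 that is bound to a non-loopback address. It assumes `ss` from iproute2; the sample listener lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: report which addresses a TCP listener on GitAgent's port is bound to.
# Reads `ss -H -ltn` output (Linux, iproute2) on stdin.
# Returns 1 if any listener on the port is bound to a non-loopback address.
audit_listeners() {
  local port="${1:-3333}" exposed=0 state recvq sendq laddr rest host
  while read -r state recvq sendq laddr rest; do
    [ "$state" = "LISTEN" ] || continue
    # Match the exact port only (":3333" must not match ":13333").
    case "$laddr" in *":$port") ;; *) continue ;; esac
    host=${laddr%:*}        # drop the trailing :port
    host=${host%%"%"*}      # drop an interface suffix such as %lo
    case "$host" in
      127.*|"[::1]"|"[::ffff:127."*)
        echo "ok      $laddr (loopback only)" ;;
      *)
        echo "EXPOSED $laddr (bound beyond loopback)"; exposed=1 ;;
    esac
  done
  return "$exposed"
}

# Constructed samples of `ss -H -ltn` output (not captured from a real host).
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:3333 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_PROXIED='LISTEN 0 511 127.0.0.1:3333 0.0.0.0:*
LISTEN 0 128 [::1]:3333 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# On a live host: ss -H -ltn | audit_listeners 3333
printf '%s\n' "$SAMPLE_EXPOSED" | audit_listeners 3333 || echo "port 3333 is bound beyond loopback"
printf '%s\n' "$SAMPLE_PROXIED" | audit_listeners 3333 && echo "port 3333 is loopback-only"
```

An `EXPOSED` line means the port is only kept private by whatever firewall sits in front of the host; this page does not say how GitAgent's bind address is configured.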

## E2B Cloud Sandbox

Run the agent in an isolated E2B cloud VM via the `--sandbox` flag.

1. **Cloud VM isolation** — Agent runs inside an E2B cloud sandbox — fully isolated from your local machine.
2. **Filesystem isolation** — The sandbox has its own filesystem. Your host files are not accessible unless explicitly mounted.
3. **Remote repo support** — Use --sandbox-repo to clone a repository directly into the sandbox environment.
4. **API token required** — Set E2B\_API\_KEY in your environment — the E2B SDK reads it directly. --sandbox-token is a Git token for cloning the repository (falls back to GITHUB\_TOKEN / GIT\_TOKEN).

**Quick Start**

```bash
# Run agent in an E2B cloud sandbox
gitagent --sandbox --dir ~/assistant

# Clone a remote repo into the sandbox
gitagent --sandbox --sandbox-repo https://github.com/user/repo --dir ~/assistant
```

<CardGroup cols={2}>
  <Card title="Compliance & Audit" icon="shield-check" href="/open-source/gitagent/enterprise/compliance">
    Risk levels, regulatory frameworks, and audit logging
  </Card>

  <Card title="Hooks" icon="webhook" href="/open-source/gitagent/capabilities/hooks">
    Block dangerous tool calls with pre\_tool\_use hooks
  </Card>

  <Card title="Interfaces" icon="terminal" href="/open-source/gitagent/interfaces">
    CLI, web, voice, and messaging access to GitAgent
  </Card>

  <Card title="Environment Variables" icon="file-code" href="/open-source/gitagent/configuration/environment-variables">
    GITAGENT\_PASSWORD, GITAGENT\_USERNAME, and E2B\_API\_KEY reference
  </Card>
</CardGroup>
