Security

Lift security features including SSH key management, config protection, shell injection prevention, environment file security, rate limiting, and Traefik reverse proxy.

SSH Key Management

During lift init, Lift scans ~/.ssh/ for private keys and lets you choose one; the chosen path is stored as privateKey in .lift.json. To authenticate through a running SSH agent instead, omit privateKey. The key path supports ~ expansion, so a value such as ~/.ssh/id_ed25519 resolves against the home directory of the user running Lift.

.lift.json Protection

Lift adds .lift.json to .gitignore automatically. Because .gitignore has no effect on files that are already tracked, Lift also checks whether .lift.json is tracked and, if it is, prints a warning during push:

WARNING: .lift.json is tracked in git!
This file may contain server credentials. Add it to .gitignore:
  echo ".lift.json" >> .gitignore && git rm --cached .lift.json

Shell Injection Protection

All user-provided values (tool names, container names, branch names, environment variables, command arguments) are escaped or validated before they are interpolated into the shell commands Lift runs:

  • shellEscape() -- Quotes a value so the shell receives it as one literal argument, whatever metacharacters it contains
  • sanitizeName() -- Strips unsafe characters from names, allowing only [a-z0-9-]
  • Tool names, instance names, and branch names are additionally validated against strict regex patterns, so a value that survives sanitization but is empty or malformed is rejected rather than silently used

Environment File Security

Environment files on the server are stored with strict permissions:

  • Location: /opt/lift/envs/<app>.env
  • Permissions: 600 (read/write by owner only)
  • Owner: root:root
  • Automatic backup before every write (timestamped .bak files)

Rate Limiting

Traefik (Application Level)

When Traefik is active, you can set rateLimit in .lift.json to throttle requests at the proxy, before they reach your application. In Traefik's terms, average is the sustained rate in requests per second (Traefik's default period) and burst is the number of requests allowed through in a short spike:

{
  "rateLimit": {
    "average": 100,
    "burst": 50
  }
}

Platform Level

The OneLift platform applies multi-layer rate limiting to API operations (tool installs, backups, restores):

  • Endpoint debounce -- 3s cooldown on duplicate requests
  • Sliding window -- Per-user hourly limits based on subscription tier
  • Queue capacity -- Prevents queue flooding
  • Job dedup -- Prevents duplicate operations via BullMQ jobId
  • Abuse detection -- Auto-throttle on repeated limit hits

All rate limiting is fail-open: Redis errors never block operations. The flip side is that a Redis outage also disables throttling, so limiter errors should be alerted on rather than silently absorbed.

See Rate Limiting Architecture for full details.
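
The layers above, as an added example that is not OneLift's code. An in-memory store stands in for Redis and can be switched into a failing state so the fail-open path is exercised; the 3 s cooldown is the documented value, while the tier names, hourly caps, queue size and key formats are this example's assumptions.

```javascript
// Added example (not OneLift's own code): endpoint debounce, per-tier sliding
// window, queue capacity, jobId dedup, and a fail-open wrapper around all of it.

const DEBOUNCE_MS = 3_000;                        // documented cooldown
const WINDOW_MS = 60 * 60 * 1_000;                // one hour
const TIER_HOURLY_LIMIT = { free: 10, pro: 100 }; // illustrative caps

// Minimal stand-in for the Redis operations a sorted-set window needs.
// `failing = true` simulates an outage.
class MemoryStore {
  constructor() { this.sets = new Map(); this.kv = new Map(); this.failing = false; }
  _live() { if (this.failing) throw new Error("ECONNREFUSED redis"); }
  get(key) { this._live(); return this.kv.get(key); }
  set(key, value) { this._live(); this.kv.set(key, value); }
  zadd(key, score, member) {
    this._live();
    if (!this.sets.has(key)) this.sets.set(key, []);
    this.sets.get(key).push({ score, member });
  }
  zremrangebyscore(key, maxScore) { // drop members with score <= maxScore
    this._live();
    this.sets.set(key, (this.sets.get(key) ?? []).filter((e) => e.score > maxScore));
  }
  zcard(key) { this._live(); return (this.sets.get(key) ?? []).length; }
}

class RateLimiter {
  constructor(store, now = Date.now) { this.store = store; this.now = now; this.errors = 0; }

  // Layer 1: a repeat of the same endpoint within the cooldown is rejected.
  debounce(userId, endpoint) {
    const key = `debounce:${userId}:${endpoint}`;
    const t = this.now();
    const last = this.store.get(key);
    if (last !== undefined && t - last < DEBOUNCE_MS) return { allowed: false, reason: "debounce" };
    this.store.set(key, t);
    return { allowed: true };
  }

  // Layer 2: count requests in the trailing hour; the tier sets the cap.
  slidingWindow(userId, tier) {
    const key = `window:${userId}`;
    const t = this.now();
    this.store.zremrangebyscore(key, t - WINDOW_MS);
    const used = this.store.zcard(key);
    const limit = TIER_HOURLY_LIMIT[tier] ?? TIER_HOURLY_LIMIT.free;
    if (used >= limit) return { allowed: false, reason: "hourly-limit", used, limit };
    this.store.zadd(key, t, `${t}:${used}`);
    return { allowed: true, used: used + 1, limit };
  }

  // Fail-open wrapper: a store error counts as "allowed" but is counted, so an
  // outage shows up in metrics instead of silently disabling throttling.
  check(userId, tier, endpoint) {
    try {
      const d = this.debounce(userId, endpoint);
      return d.allowed ? this.slidingWindow(userId, tier) : d;
    } catch (err) {
      this.errors += 1;
      return { allowed: true, reason: "fail-open", error: err.message };
    }
  }
}

// Layers 3 and 4: a bounded queue that refuses a duplicate jobId while the same
// operation is still waiting or running (BullMQ does this natively via jobId).
function dedupJobId(op, userId, target) { return `${op}:${userId}:${target}`; }

class JobQueue {
  constructor(capacity) { this.capacity = capacity; this.active = new Set(); }
  enqueue(jobId) {
    if (this.active.has(jobId)) return { queued: false, reason: "duplicate" };
    if (this.active.size >= this.capacity) return { queued: false, reason: "queue-full" };
    this.active.add(jobId);
    return { queued: true };
  }
  complete(jobId) { this.active.delete(jobId); }
}
```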

Traefik Reverse Proxy

When you configure a domain in .lift.json, Lift automatically sets up Traefik as a reverse proxy with the following features:

  • Automatic HTTPS -- Let's Encrypt certificates, auto-renewed
  • HTTP to HTTPS redirect -- All HTTP traffic is redirected to HTTPS
  • Rate limiting -- Configurable via rateLimit in .lift.json
  • Docker labels -- Routing rules are applied via Docker container labels
  • Docker Compose override -- When using Compose, a docker-compose.lift.yml override is generated with Traefik labels

For integration with platforms that already run Traefik, set network to the name of the Docker network that Traefik instance attaches to, and set entrypoint to the name of its HTTPS entrypoint:

{
  "network": "my-proxy",
  "entrypoint": "https"
}