🔐 Secure Deployment
Deploy WebAssembly-powered AI models securely. Learn about sandboxing, secure compilation workflows, and best practices for production environments.
Wasm Sandboxing by Default
WebAssembly runs in a secure sandbox that provides:
- No direct access to host system resources
- Memory isolation from host processes
- Execution isolated from browser tabs
Secure Compilation Workflow
npm install -g @wasm-ai/compiler
wasm-ai build --platform browser --optimize --secure \
  --output-path ./dist/models/
The `--secure` flag enables:
- ✓ Automated input validation
- ✓ Memory leak detection
- ✓ Cross-check for FFI vulnerabilities
Always Use HTTPS
Risk of HTTP
- WebAssembly modules can be intercepted
- Model parameters exposed to MITM
- Session tokens easily captured
HTTPS Benefits
- End-to-end encryption
- Module integrity protection
- Prevents tampering
// In your Express app
const express = require('express');
const https = require('https');
const fs = require('fs');

const app = express();

// TLS private key and certificate, read once at startup
const httpsOptions = {
  key: fs.readFileSync('ssl/private.key'),
  cert: fs.readFileSync('ssl/cert.pem')
};

https.createServer(httpsOptions, app).listen(443);
Content Security Policy (CSP)
Add these headers to prevent unauthorized execution:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self';
X-Content-Type-Options: nosniff
Note:
Always test your CSP with the `report-uri` directive before enforcing in production.
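The headers above as Express-style middleware, with a report-only switch for the testing step in the note. This is an added example, not code from the original page: the `/csp-report` path and the function and option names are assumptions, and the `'wasm-unsafe-eval'` source is an addition to the page's policy, because browsers that apply CSP to WebAssembly compilation refuse to compile modules under `script-src 'self'` alone.

```javascript
// Added example (not from the original page). Assumed names: /csp-report,
// buildCsp, securityHeaders, securityMiddleware and their options.

const HSTS = 'max-age=63072000; includeSubDomains; preload';

// Directives from the page's policy, kept as data so they can be audited.
function baseDirectives() {
  return {
    'default-src': ["'self'"],
    'script-src': ["'self'"],
    'connect-src': ["'self'"],
    'img-src': ["'self'"],
  };
}

function buildCsp({ allowWasm = true, reportUri = null } = {}) {
  const d = baseDirectives();
  // 'wasm-unsafe-eval' permits WebAssembly compilation without
  // enabling JavaScript eval(), which 'unsafe-eval' would also allow.
  if (allowWasm) d['script-src'].push("'wasm-unsafe-eval'");
  if (reportUri) d['report-uri'] = [reportUri];
  return Object.entries(d).map(([k, v]) => `${k} ${v.join(' ')}`).join('; ');
}

function securityHeaders({ reportOnly = false, ...cspOpts } = {}) {
  // Report-only without an endpoint only logs to the browser console,
  // so require one to make sure violations are actually collected.
  if (reportOnly && !cspOpts.reportUri) {
    throw new Error('report-only mode needs a reportUri');
  }
  const cspHeader = reportOnly
    ? 'Content-Security-Policy-Report-Only' // observe, do not block
    : 'Content-Security-Policy';            // enforce
  return {
    'Strict-Transport-Security': HSTS,
    [cspHeader]: buildCsp(cspOpts),
    'X-Content-Type-Options': 'nosniff',
  };
}

// Express-compatible: app.use(securityMiddleware({ reportOnly: true, reportUri: '/csp-report' }))
function securityMiddleware(opts) {
  const headers = securityHeaders(opts); // built once; bad config fails at startup
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
```

Run in report-only mode first, review the collected violation reports, then drop `reportOnly` to enforce.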
CI/CD Integration
Automate security checks in your pipeline with:
GitHub Actions
- name: Security Scan
  uses: actions/security-checks@v2.0.0
Travis CI
before_install:
  - wasm-scan -security ./dist/ai-models
Docker
FROM node:18-alpine
RUN adduser -D wasmuser
USER wasmuser