This security policy applies to the PydanticAI Streamlit Financial Research Agent.
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
This application handles financial data and integrates with third-party APIs. Please review the following security considerations before deployment.
If you discover a security vulnerability, please report it as follows:
- DO NOT create a public GitHub issue
- Email the maintainers directly with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if available)
We will acknowledge your report within 48 hours and provide a detailed response within 5 business days.
- All API keys must be stored in a `.env` file
- NEVER commit the `.env` file to version control
- Verify `.env` is in `.gitignore` before committing
- Rotate API keys immediately if exposed
- User prompts and agent responses are logged to LogFire for observability
- Conversations may contain sensitive financial information
- LogFire data retention: Review LogFire's privacy policy
- Recommendation: Avoid entering personally identifiable information (PII)
Before deploying to production:
- Verify `.env` file is NOT committed to git
- All API keys are valid and have appropriate rate limits
- HTTPS is configured via reverse proxy
- Security headers are set (X-Content-Type-Options, X-Frame-Options, etc.)
- Input validation is enabled (MAX_PROMPT_LENGTH enforced)
- Dependency vulnerabilities scanned with `pip-audit`
- Stack trace exposure is disabled in production
- Rate limiting is configured for all APIs
The application enforces the following rate limits:
- YFinance: 10 requests per 60 seconds (enforced by application)
- Tavily: Based on your Tavily API plan
- OpenAI: Based on your OpenAI API tier
User input is validated to prevent:
- Prompt injection attacks (via PydanticAI's built-in protections)
- Resource exhaustion (2000 character limit per message)
- Invalid ticker symbols (regex pattern validation)
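The two controls the application enforces itself, the YFinance limit of 10 requests per 60 seconds and the input checks listed above, sketched as an added example (this is not the project's own code). The ticker pattern and the class and function names are assumptions; only `MAX_PROMPT_LENGTH`, the 2000-character limit and the 10/60 rate come from this policy.

```python
import re
import time
from collections import deque

MAX_PROMPT_LENGTH = 2000  # per-message limit stated in this policy
# Assumed allow-list pattern (not the project's): 1-5 letters, optional class suffix.
TICKER_RE = re.compile(r"[A-Z]{1,5}(\.[A-Z]{1,2})?")


class SlidingWindowLimiter:
    """Allow at most `limit` calls in any `window`-second span."""

    def __init__(self, limit=10, window=60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._calls = deque()  # timestamps of accepted calls, oldest first

    def try_acquire(self):
        now = self.clock()
        # Drop timestamps that have aged out of the window.
        while self._calls and now - self._calls[0] >= self.window:
            self._calls.popleft()
        if len(self._calls) >= self.limit:
            return False  # caller should back off, not queue unbounded work
        self._calls.append(now)
        return True

    def retry_after(self):
        """Seconds until the oldest call leaves the window (0 if a slot is free)."""
        if len(self._calls) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - self._calls[0]))


def validate_prompt(text):
    """Reject empty or oversized prompts before they reach the model."""
    if not isinstance(text, str) or not text.strip():
        raise ValueError("prompt is empty")
    if len(text) > MAX_PROMPT_LENGTH:
        raise ValueError(f"prompt exceeds {MAX_PROMPT_LENGTH} characters")
    return text


def validate_ticker(symbol):
    """Normalise, then allow-list check a ticker before it reaches YFinance."""
    candidate = symbol.strip().upper()
    if not TICKER_RE.fullmatch(candidate):  # fullmatch: no trailing junk accepted
        raise ValueError("invalid ticker symbol")
    return candidate
```

The injectable `clock` lets the window be tested without sleeping; in the application the default `time.monotonic` is unaffected by wall-clock changes.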
This application depends on:
- OpenAI API (gpt-4o-mini model)
- Tavily API (web search)
- YFinance (stock data)
- LogFire (observability)
- OLLAMA (optional local LLM)
Each service has its own security policies and data handling practices.
- API Key Security
  - Never share your `.env` file
  - Use API keys with minimum required permissions
  - Rotate keys regularly (every 90 days recommended)
  - Monitor API usage for anomalies
- Deployment Security
  - Deploy behind HTTPS-enabled reverse proxy
  - Use firewall rules to restrict access
  - Enable logging and monitoring
  - Keep dependencies updated
- Data Handling
  - Avoid entering sensitive personal information
  - Do not use for financial advice without verification
  - Review LogFire logs for sensitive data exposure
  - Clear conversation history regularly
If you suspect an API key has been compromised:
- Immediate Actions:
  - Disable the compromised key in the provider's dashboard
  - Generate a new API key
  - Update `.env` file with new key
  - Restart the application
- Investigation:
  - Review API usage logs for unauthorized access
  - Check LogFire logs for suspicious activity
  - Review git history for accidental commits
- Prevention:
  - Verify `.env` is in `.gitignore`
  - Use pre-commit hooks to scan for secrets
  - Consider using a secrets manager (AWS Secrets Manager, Azure Key Vault)
This application is designed for:
- Single-user sessions (no multi-user authentication)
- Non-production financial research
- Development and demonstration purposes
It is NOT designed for:
- Production financial trading systems
- Storing sensitive customer data
- High-security environments requiring compliance (PCI-DSS, HIPAA)
We are committed to maintaining the security of this application. Security updates will be released as needed.
To stay informed:
- Watch this repository for security advisories
- Review the SECURITY_AUDIT_REPORT.md for detailed findings
- Subscribe to security announcements for dependencies
This application does not currently comply with:
- PCI-DSS (payment card industry standards)
- HIPAA (health information privacy)
- SOC 2 (service organization controls)
- ISO 27001 (information security management)
For compliance requirements, additional controls must be implemented.
For security concerns, please contact the project maintainers.
Last Updated: 2025-12-27 Next Review: 2026-03-27 (Quarterly)