Security & Limits
Nolxy provides layered security: API key authentication for proxy requests, JWT for management APIs, rate limiting, IP restrictions, CSRF protection, and hardened security headers.
API Key Authentication
Every proxy request must include a valid API key. Keys are SHA-256 hashed before storage — Nolxy never stores plaintext keys.
x-nolxy-api-key: DEMO_API_KEY
JWT Authentication (Management API)
The dashboard and management endpoints use JWT-based authentication with refresh token rotation.
Access Token
Short-lived (15 min), stored in HttpOnly secure cookie. SameSite: Lax.
Refresh Token
7-day TTL, HttpOnly secure cookie. SameSite: Strict, path-scoped.
Rotation
Refresh tokens rotate on use. Reuse detection revokes the entire token family.
Blacklisting
Compromised tokens can be blacklisted instantly (per-token and per-user).
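The rotation and reuse-detection behaviour described above, as an added example (not Nolxy's own code; its storage schema and internals are not shown on this page). The in-memory store, the family identifier, and the `login`/`rotate`/`blacklist_*` names are assumptions made for the illustration; the 7-day TTL is the one the page states.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    """One issued refresh token. 'used' is set the first time it is exchanged."""
    family_id: str
    user_id: str
    expires_at: float
    used: bool = False
    revoked: bool = False


class RefreshTokenStore:
    """Constructed in-memory store standing in for a real token database."""

    REFRESH_TTL = 7 * 24 * 3600  # 7-day TTL, as stated on the page

    def __init__(self):
        self._tokens = {}            # opaque token -> RefreshRecord
        self._revoked_families = set()
        self._revoked_users = set()

    def _mint(self, family_id, user_id, now):
        token = secrets.token_urlsafe(32)  # opaque, high-entropy value
        self._tokens[token] = RefreshRecord(family_id, user_id, now + self.REFRESH_TTL)
        return token

    def login(self, user_id, now=None):
        """Start a fresh token family; one family per interactive session."""
        now = time.time() if now is None else now
        return self._mint(secrets.token_hex(8), user_id, now)

    def rotate(self, token, now=None):
        """Exchange a refresh token for a new one in the same family.

        Returns the new token, or None if the presented token is unknown, expired,
        blacklisted, or already used. A second use of the same token is treated
        as theft (either the client or the attacker holds a copy), so the entire
        family is revoked and both parties are forced to log in again.
        """
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec.revoked:
            return None
        if rec.family_id in self._revoked_families or rec.user_id in self._revoked_users:
            return None
        if rec.expires_at <= now:
            return None
        if rec.used:
            # Reuse detected: revoke every token descended from this family.
            self._revoked_families.add(rec.family_id)
            return None
        rec.used = True
        return self._mint(rec.family_id, rec.user_id, now)

    def blacklist_token(self, token):
        """Per-token blacklisting: the single token stops working immediately."""
        rec = self._tokens.get(token)
        if rec is not None:
            rec.revoked = True

    def blacklist_user(self, user_id):
        """Per-user blacklisting: every family belonging to the user is dead."""
        self._revoked_users.add(user_id)
```

The important property is that a stolen-and-replayed token does not just fail on its own: it poisons the family, so the legitimate client's newer token also stops working and the session must be re-established interactively.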
Rate Limiting
Nolxy applies rate limits at multiple layers to protect against abuse and ensure fair usage.
Proxy Rate Limiting (per API key)
Requests per second (RPS) limits based on your plan. Enforced per API key using a sliding window. Returns 429 with a Retry-After header indicating when the window frees up.
Monthly Quota
Total requests per month based on your plan (e.g., Free: 10K, Starter: 1M). Enforced atomically with the RPS check. Returns 403 when exceeded.
Management API Limits (per IP)
Auth endpoints: 10 req / 5 min. General IP: 20 req / min. Authenticated user: 300 req / min. Prevents brute-force and scraping.
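How the per-key sliding-window RPS limit and the monthly quota can be enforced in one atomic step, as an added example (not Nolxy's code; the page does not show its implementation). The plan values, the UTC calendar month as the quota period, and the single process-local lock are assumptions; a deployment spanning several nodes would need the same check-and-increment done atomically in shared storage.

```python
import math
import threading
import time
from collections import deque


class KeyLimiter:
    """Per-API-key limiter: sliding-window RPS plus monthly quota under one lock."""

    def __init__(self, rps, monthly_quota):
        self.rps = rps                    # requests allowed in any 1-second window
        self.monthly_quota = monthly_quota
        self._lock = threading.Lock()
        self._recent = {}                 # key -> deque of timestamps in the last second
        self._monthly = {}                # (key, (year, month)) -> requests used

    def check(self, api_key, now=None):
        """Decide one request. Returns (status, headers).

        200: allowed, and both counters are updated.
        429: RPS window is full; Retry-After says when a slot frees up.
        403: monthly quota exhausted (checked first, so a dead key never
             consumes RPS slots).
        Nothing is consumed unless the request is allowed, which is what
        'enforced atomically' buys you: no partial accounting on rejection.
        """
        now = time.time() if now is None else now
        month = tuple(time.gmtime(now)[:2])  # (year, month) in UTC; assumed period
        with self._lock:
            used = self._monthly.get((api_key, month), 0)
            if used >= self.monthly_quota:
                return 403, {}

            window = self._recent.setdefault(api_key, deque())
            # Drop timestamps that have aged out of the trailing 1-second window.
            while window and window[0] <= now - 1.0:
                window.popleft()
            if len(window) >= self.rps:
                # Earliest request still in the window leaves at window[0] + 1.0.
                retry_after = window[0] + 1.0 - now
                return 429, {"Retry-After": str(math.ceil(retry_after))}

            window.append(now)
            self._monthly[(api_key, month)] = used + 1
            return 200, {}
```

Retry-After is rounded up to whole seconds so the client is never told to retry before the slot actually opens.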
IP Restrictions
Restrict API key access to specific IP addresses or CIDR ranges. Configured per key via Security Rules.
Requests from addresses outside the allowed list are rejected with 403. Use CIDR notation (e.g., 10.0.0.0/8) for network ranges.
Additional Protections
CSRF Protection
Origin header verification on all state-changing requests (POST, PUT, DELETE, PATCH). Applied only to management routes — zero overhead on proxy hot path.
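An Origin-based CSRF check of the kind described, as an added example that is not Nolxy's code. The management route prefix, the allowed dashboard origin, the fallback to the Referer header when a browser omits Origin, and the decision to skip the check for Bearer-authenticated requests (which carry no ambient cookie credential and so are not CSRF-exposed) are all assumptions of this illustration.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}
MANAGEMENT_PREFIX = "/api/management/"              # assumed route layout
ALLOWED_ORIGINS = {"https://app.nolxy.example"}      # assumed dashboard origin


def csrf_check(method, path, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return True if the request may proceed, False if it must be rejected.

    The check is confined to state-changing requests on management routes;
    everything else returns immediately, which is why it costs the proxy
    hot path nothing.
    """
    if not path.startswith(MANAGEMENT_PREFIX):
        return True
    if method.upper() not in STATE_CHANGING:
        return True

    h = {k.lower(): v for k, v in headers.items()}
    # Bearer-authenticated calls (service accounts, CI) have no cookie to ride on.
    if h.get("authorization", "").startswith("Bearer "):
        return True

    origin = h.get("origin")
    if origin is None:
        # Some browsers omit Origin on same-origin requests; fall back to the
        # Referer's origin. With neither header present, fail closed.
        referer = h.get("referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        if not parts.scheme or not parts.netloc:
            return False
        origin = f"{parts.scheme}://{parts.netloc}"

    # "null" is what a sandboxed iframe or a redirect chain yields; never trust it.
    if origin == "null":
        return False
    return origin in allowed_origins
```

Comparison is against the full scheme+host(+port) string, not a substring, so `https://app.nolxy.example.attacker.test` does not pass.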
Security Headers
Pre-computed headers on every response: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy, Permissions-Policy, and more. Zero allocation per request.
Path Sanitization
All proxy paths are sanitized to prevent directory traversal attacks (..), null byte injection (%00), and CRLF injection.
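A proxy path sanitizer covering the three cases named above, written as an added example rather than taken from Nolxy. It goes slightly beyond the text: it rejects the percent-encoded forms of each attack (`%2e%2e`, `%00`, `%0d%0a`), refuses double-encoded input outright, and rejects a protocol-relative `//host` prefix, all of which are this example's policy choices.

```python
import posixpath
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised for any path the proxy must refuse to forward."""


def sanitize_proxy_path(raw):
    """Return a normalized, safe absolute path, or raise UnsafePath."""
    if not raw.startswith("/"):
        raise UnsafePath("path must be absolute")

    decoded = unquote(raw)
    # Anything still percent-encoded after one decode was double-encoded
    # (e.g. %252e%252e -> %2e%2e -> ..). Refuse rather than decode again.
    if unquote(decoded) != decoded:
        raise UnsafePath("double-encoded characters")

    for ch in decoded:
        # NUL (%00) truncates strings in C backends; CR/LF (%0d%0a) lets a
        # client inject headers into the upstream request. Other control
        # characters have no business in a URL path either.
        if ord(ch) < 0x20 or ch == "\x7f":
            raise UnsafePath("control character in path")
    if "\\" in decoded:
        # Conservative: some upstreams treat backslash as a separator.
        raise UnsafePath("backslash in path")

    if any(seg == ".." for seg in decoded.split("/")):
        raise UnsafePath("path traversal")

    normalized = posixpath.normpath(decoded)   # collapses ./ and repeated slashes
    if not normalized.startswith("/") or normalized.startswith("//"):
        raise UnsafePath("path escapes root")
    return normalized


def is_safe_path(raw):
    """Boolean convenience wrapper around sanitize_proxy_path."""
    try:
        sanitize_proxy_path(raw)
        return True
    except UnsafePath:
        return False
```

The traversal check runs on segments rather than on a substring search, so a legitimate file named `..foo` is not rejected, while `..` as a whole segment always is.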
Body Size Limits
Enforced per plan. Prevents large payload abuse. Management endpoints have a separate strict body limit.
Service Accounts
Service accounts provide long-lived API keys for CI/CD pipelines and automated workflows. Unlike standard dashboard sessions (which are short-lived), service account keys are designed for non-interactive use.
Authorization: Bearer DEMO_SERVICE_TOKEN
Permissions
Each service account has granular permissions. Only the required permissions should be granted.
Key Lifecycle
Creation
Keys are shown once at creation. Store them securely in your CI/CD secrets (e.g., GitHub Actions secrets, GitLab CI variables).
Rotation
Rotate keys periodically via the dashboard. The old key is immediately revoked and a new one is generated, so update the CI/CD secret right away: any pipeline still holding the old key fails as soon as rotation completes.
Expiration
Optional expiry date. Expired keys are rejected automatically. Set expiration to enforce periodic rotation.
IP Whitelisting
Restrict key usage to specific IPs or CIDR ranges (e.g., GitHub Actions runner IPs).
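The allow-list matching behind IP Restrictions on API keys and IP Whitelisting on service accounts is the same operation, so one added example serves both sections. This is not Nolxy's code; the rule format (one IP or CIDR per entry), the handling of IPv4-mapped IPv6 addresses, and the trusted-proxy list used to decide whether X-Forwarded-For may be believed are assumptions of the example.

```python
import ipaddress


def compile_rules(rules):
    """Parse allow-list entries into network objects.

    A bare address such as 203.0.113.10 becomes a /32 (or /128) network, so
    single IPs and CIDR ranges are matched by the same code path.
    """
    return [ipaddress.ip_network(r.strip(), strict=False) for r in rules]


def ip_allowed(client_ip, nets):
    """True if client_ip falls inside any allowed network.

    Matching is numeric, never string-prefix based: "100.0.0.1" must not
    match a 10.0.0.0/8 rule just because it starts with "10".
    """
    addr = ipaddress.ip_address(client_ip)
    # Dual-stack listeners may hand over IPv4 clients as ::ffff:a.b.c.d;
    # unmap so an IPv4 rule still applies to them.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in n for n in nets)   # version mismatch simply yields False


def client_ip(peer_ip, headers, trusted_proxies):
    """Determine the address to check against the allow-list.

    X-Forwarded-For is attacker-controlled unless the TCP peer is one of our
    own trusted proxies; in that case the last entry is the one that proxy
    appended, i.e. the address that actually connected to it (assumes a
    single trusted hop). Otherwise the peer address itself is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if xff and any(peer in n for n in trusted_proxies):
        return xff.split(",")[-1].strip()
    return peer_ip
```

Note that when the request arrives directly from the public internet, a forged X-Forwarded-For header is ignored entirely, which is the common mistake that turns an IP allow-list into no protection at all.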
Plan Requirements
Core security (API keys, basic rate limiting) is available on all plans. IP Restrictions and Webhooks are available on Starter plans and above. Service Accounts and advanced distributed protection are available on Pro plans and above.