Skip to main content

Security Overview

agent-browser includes comprehensive security features designed for safe AI agent deployments. All features are opt-in, ensuring existing workflows remain unaffected until you explicitly enable them.

Security Features

Authentication Vault

Store credentials locally with AES-256-GCM encryption. The LLM never sees passwords - only profile names. 
echo "mypassword" | agent-browser auth save github \
  --url https://github.com/login \
  --username myuser \
  --password-stdin

agent-browser auth login github
Learn more about Auth Vault

Domain Allowlist

Restrict browser navigation and network requests to trusted domains, preventing data exfiltration. 
agent-browser --allowed-domains "example.com,*.cdn.example.com" open example.com
Blocks:
  • Navigation to non-allowed domains
  • Sub-resource requests (scripts, images, fetch)
  • WebSocket and EventSource connections
  • navigator.sendBeacon calls
Learn more about Domain Allowlist

Action Policies

Gate destructive or sensitive actions with a static policy file. 
{
  "default": "deny",
  "allow": ["navigate", "click", "get", "snapshot"]
}

agent-browser --action-policy ./policy.json open example.com
Learn more about Action Policies

Action Confirmation

Require explicit approval for sensitive action categories. 
# Agent must get approval before running eval or downloading files
agent-browser --confirm-actions eval,download \
  --confirm-interactive \
  open example.com
Learn more about Action Policies

Content Boundaries

Wrap page output in delimiters so LLMs can distinguish tool output from untrusted content: 
agent-browser --content-boundaries snapshot
Output: 
---BEGIN PAGE CONTENT---
- heading "Example Domain" [ref=e1]
- link "Learn more" [ref=e2]
---END PAGE CONTENT---
This prevents prompt injection attacks where malicious page content tricks the LLM into executing unintended commands.

Output Length Limits

Prevent context flooding by truncating page output: 
agent-browser --max-output 50000 snapshot

Environment Variables

All security features can be configured via environment variables:
VariableDescription
AGENT_BROWSER_ENCRYPTION_KEY64-char hex key for AES-256-GCM encryption (generate with openssl rand -hex 32)
AGENT_BROWSER_ALLOWED_DOMAINSComma-separated allowed domain patterns
AGENT_BROWSER_ACTION_POLICYPath to action policy JSON file
AGENT_BROWSER_CONFIRM_ACTIONSAction categories requiring confirmation (comma-separated)
AGENT_BROWSER_CONFIRM_INTERACTIVEEnable interactive confirmation prompts (auto-denies if stdin is not a TTY)
AGENT_BROWSER_CONTENT_BOUNDARIESWrap page output in boundary markers
AGENT_BROWSER_MAX_OUTPUTMax characters for page output

Configuration File

Security settings can also be configured in agent-browser.json: 
{
  "allowedDomains": "example.com,*.cdn.example.com",
  "actionPolicy": "./policy.json",
  "confirmActions": "eval,download",
  "confirmInteractive": true,
  "contentBoundaries": true,
  "maxOutput": 50000
}

Best Practices

For AI Agent Deployments

  1. Always use domain allowlist - Prevents agents from navigating to unexpected sites or exfiltrating data
  2. Enable content boundaries - Protects against prompt injection attacks
  3. Use action policies - Restrict agent capabilities to minimum required actions
  4. Encrypt credentials - Store auth profiles with encryption enabled
  5. Limit output size - Prevent context flooding attacks

Example Secure Configuration

# Set encryption key (one-time setup)
export AGENT_BROWSER_ENCRYPTION_KEY=$(openssl rand -hex 32)

# Create action policy
cat > policy.json <<EOF
{
  "default": "deny",
  "allow": ["navigate", "click", "fill", "get", "snapshot"],
  "deny": ["eval", "download"]
}
EOF

# Run agent with security features enabled
agent-browser \
  --allowed-domains "myapp.com,*.myapp.com" \
  --action-policy ./policy.json \
  --content-boundaries \
  --max-output 50000 \
  open https://myapp.com

For Development

During development, you may want less restrictive settings: 
# More permissive but still safe
agent-browser \
  --confirm-actions eval,download \
  --confirm-interactive \
  open https://example.com

Security Considerations

Encryption Key Management

  • Auto-generated keys: Stored at ~/.agent-browser/.encryption-key with 0600 permissions
  • Manual keys: Set AGENT_BROWSER_ENCRYPTION_KEY environment variable
  • Backup: Keep a secure backup of your encryption key - encrypted data cannot be recovered without it

Domain Allowlist Limitations

  • Include CDN domains your target pages depend on (e.g., *.cdn.example.com)
  • Wildcard patterns like *.example.com also match the bare domain example.com
  • Data URI and blob URLs are allowed for sub-resources but blocked for navigation

Action Policy Evaluation

If eval action category is denied by policy, page scripts cannot restore original WebSocket/EventSource implementations. For maximum security, always deny eval when using domain allowlist.

See Also

Build docs developers (and LLMs) love

Get started for freeTalk to us