9 Deployment and security

 

This chapter covers

  • Mitigating prompt injection and API abuse
  • Securing API keys and managing rate limits
  • Maintaining GDPR and CCPA compliance
  • Monitoring and observing AI workflows
  • Deploying on hosted or self-hosted systems
  • Detecting injections and applying privacy controls

Deploying AI applications introduces risks on top of those that traditional software already faces. A single misconfigured API endpoint could expose sensitive user data to adversarial prompts, while unmonitored large language model (LLM) usage might lead to astronomical costs or regulatory violations. In one respect, though, this is no different from using any other paid service provider: you must abide by the provider's code of conduct.
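
To make the first of these risks concrete, the following sketch shows the kind of guard this chapter builds toward: a Next.js route handler that rejects oversized prompts and applies a naive fixed-window, per-IP rate limit before anything is forwarded to a model. The route path, limits, and helper names are illustrative assumptions for this sketch rather than the chapter's final approach, which moves these checks into a proper security middleware layer and rate limiter (sections 9.1.2 and 9.3.2).

// app/api/chat/route.ts -- illustrative path, not one of the book's listings
// A deliberately minimal guard in front of an LLM call: cap prompt size and
// apply a naive fixed-window, per-IP rate limit before forwarding anything
// to the model provider (the actual provider call is elided).
import { NextRequest, NextResponse } from "next/server";

const MAX_PROMPT_CHARS = 4_000;       // assumed cap on user input
const MAX_REQUESTS_PER_MINUTE = 20;   // assumed per-IP budget
const hits = new Map<string, { count: number; windowStart: number }>();

function overLimit(ip: string): boolean {
  const now = Date.now();
  const entry = hits.get(ip);
  if (!entry || now - entry.windowStart > 60_000) {
    hits.set(ip, { count: 1, windowStart: now });  // start a fresh one-minute window
    return false;
  }
  entry.count += 1;
  return entry.count > MAX_REQUESTS_PER_MINUTE;
}

export async function POST(req: NextRequest) {
  const ip = req.headers.get("x-forwarded-for") ?? "unknown";
  if (overLimit(ip)) {
    return NextResponse.json({ error: "Too many requests" }, { status: 429 });
  }

  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: "Expected a JSON body" }, { status: 400 });
  }

  const prompt =
    typeof body === "object" && body !== null
      ? (body as { prompt?: unknown }).prompt
      : undefined;
  if (typeof prompt !== "string" || prompt.length === 0 || prompt.length > MAX_PROMPT_CHARS) {
    return NextResponse.json({ error: "Invalid prompt" }, { status: 400 });
  }

  // The validated prompt would be forwarded to the model here.
  return NextResponse.json({ ok: true });
}

Note that an in-memory map like this resets on every redeploy and isn't shared across serverless instances, which is one reason the deployment options in section 9.6 matter for where rate-limit state lives.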

Consider again the technologies in the stack we've been using and some of the unique challenges each of them brings:

9.1 Building a secure foundation with input validation, rate limits, and middleware

9.1.1 Input validation

9.1.2 Security middleware layer

9.2 Building a core security and data protection pipeline

9.3 Setting up authentication and authorization

9.3.1 Simple authentication with Clerk.js and Next.js

9.3.2 Practical security control: Rate limiting

9.4 API key and secrets management

9.4.1 Understanding Next.js environment variables

9.4.2 Application-level API keys

9.4.3 User-provided API keys

9.5 Data protection and compliance

9.5.1 Example: Adding anonymization to our chat messages

9.6 Deployment considerations for AI web applications

9.6.1 Deployment options

9.6.2 Production deployment checklist

9.6.3 Example deployment to Vercel

9.6.4 Alternative deployments: Netlify