chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,38 @@
|
||||
---
|
||||
title: Authentication and Access Control
|
||||
---
|
||||
|
||||
This guide covers the authentication mechanisms and access controls available in Context7, including API key handling and enterprise identity features.
|
||||
|
||||
## API Key Security
|
||||
|
||||
- API keys use cryptographic random generation
|
||||
- Keys are hashed and encrypted in our database
|
||||
- Keys can be rotated at any time from your dashboard
|
||||
- Rate limiting prevents abuse and unauthorized access
|
||||
|
||||
## Enterprise SSO
|
||||
|
||||
**Single Sign-On (SSO) is available for Enterprise plans.**
|
||||
|
||||
### Supported SSO Providers
|
||||
|
||||
- SAML 2.0
|
||||
- OAuth 2.0
|
||||
- OpenID Connect (OIDC)
|
||||
|
||||
### Enterprise Features
|
||||
|
||||
- Centralized user management
|
||||
- Teamspace access controls
|
||||
- Audit logs for compliance
|
||||
- Custom authentication policies
|
||||
|
||||
### Setup Guides
|
||||
|
||||
For step-by-step configuration on self-hosted deployments, see:
|
||||
|
||||
- [Microsoft Entra ID (SSO)](/enterprise/security/entra-sso) — wire up Entra ID sign-in for an On-Premise instance
|
||||
- [Microsoft Entra ID](/enterprise/enterprise-managed-auth/entra) — proxy the Context7 MCP server through Azure APIM with Entra authentication
|
||||
|
||||
Contact our sales team at [context7.com/contact](https://context7.com/contact) for Enterprise plan details.
|
||||
@@ -0,0 +1,31 @@
|
||||
---
|
||||
title: Best Practices for Users
|
||||
sidebarTitle: Best Practices
|
||||
description: Recommendations for using Context7 securely across credentials, repository access, and network usage
|
||||
---
|
||||
|
||||
These recommendations cover how to use Context7 securely across credentials, repository access, and network usage.
|
||||
|
||||
## Secure Your API Keys
|
||||
|
||||
- Never commit API keys to version control
|
||||
- Use environment variables for key storage
|
||||
- Rotate keys regularly
|
||||
- Use different keys for different environments
|
||||
- Revoke unused or compromised keys immediately
|
||||
|
||||
## Private Repositories
|
||||
|
||||
For private repository access:
|
||||
|
||||
- Only grant minimum required permissions
|
||||
- Use dedicated API keys for private repos
|
||||
- Regularly audit access permissions
|
||||
- Consider using GitHub Apps with fine-grained permissions
|
||||
|
||||
## Network Security
|
||||
|
||||
- Use HTTPS for all API communications (enforced)
|
||||
- Configure proxy settings securely if behind a firewall
|
||||
- Monitor API usage for unusual patterns
|
||||
- Implement request timeouts and retries
|
||||
@@ -0,0 +1,35 @@
|
||||
---
|
||||
title: Compliance and Reporting
|
||||
description: How Context7 handles security reporting, transparency, and compliance certifications
|
||||
---
|
||||
|
||||
How Context7 handles security reporting, transparency, and compliance.
|
||||
|
||||
## Reporting Security Issues
|
||||
|
||||
If you discover a security vulnerability:
|
||||
|
||||
1. **Do not** publicly disclose the issue
|
||||
2. Report via [GitHub Security](https://github.com/upstash/context7/security)
|
||||
3. Include detailed steps to reproduce the issue
|
||||
4. Allow reasonable time for us to address the issue
|
||||
|
||||
We take all security reports seriously and will respond promptly.
|
||||
|
||||
## Open Source
|
||||
|
||||
The Context7 MCP server is open source:
|
||||
|
||||
- Code is publicly available on GitHub
|
||||
- Community can audit and contribute
|
||||
- Transparent implementation and practices
|
||||
|
||||
Repository: [github.com/upstash/context7](https://github.com/upstash/context7)
|
||||
|
||||
## Compliance Certifications
|
||||
|
||||
Context7 benefits from Upstash's compliance certifications:
|
||||
|
||||
- SOC 2 Type II
|
||||
- GDPR compliant
|
||||
- ISO 27001 (in progress)
|
||||
@@ -0,0 +1,148 @@
|
||||
---
|
||||
title: Data Privacy
|
||||
description: How Context7 handles query storage, retrieval scope, and your data
|
||||
---
|
||||
|
||||
How Context7 handles privacy, retrieval scope, and data.
|
||||
|
||||
## Query Privacy
|
||||
|
||||
**Your original prompts and code stay with your AI assistant.**
|
||||
|
||||
When you use Context7 through an MCP client, the AI assistant (not the user directly) formulates search queries to retrieve relevant documentation. Here is what happens:
|
||||
|
||||
1. Your prompt is processed locally by your AI assistant (e.g., Cursor, Claude Code)
|
||||
2. The AI assistant formulates a search query and library name based on your request
|
||||
3. Only these formulated queries are sent to the Context7 API — your full prompt, source code, and conversation history are never transmitted
|
||||
4. The MCP tool descriptions explicitly instruct the AI assistant to strip sensitive information (API keys, passwords, credentials, personal data, and proprietary code) from queries before sending
|
||||
|
||||
### What is sent to the Context7 API
|
||||
|
||||
- `query` — a search query formulated by the MCP client (not your original prompt)
|
||||
- `libraryName` or `libraryId` — the library to look up
|
||||
- API key (if provided, for authentication)
|
||||
- MCP client name and version (e.g., IDE info, for analytics)
|
||||
- Transport type (`stdio` or `http`)
|
||||
- Client IP address, encrypted with AES-256-CBC (HTTP transport only, for rate limiting)
|
||||
|
||||
<Note>
|
||||
The MCP client formulates search queries on your behalf and is instructed not to include
|
||||
sensitive or confidential information. Your full prompts, code, and conversation context
|
||||
remain with your AI assistant and are never sent to Context7.
|
||||
</Note>
|
||||
|
||||
### Use of MCP Queries
|
||||
|
||||
The search queries formulated by the MCP client (not your original prompts) are used server-side in two ways:
|
||||
|
||||
**Documentation Reranking**
|
||||
|
||||
MCP-formulated queries are passed to LLMs to rerank and select the most relevant documentation for your request. Context7 uses well-known, trusted LLM providers for this purpose — including **OpenAI**, **Google Gemini**, and **Anthropic**.
|
||||
|
||||
**Benchmarking and Quality Improvement**
|
||||
|
||||
MCP-formulated queries are anonymously stored and used to benchmark retrieval accuracy and improve the documentation matching pipeline over time.
|
||||
|
||||
### Enterprise Controls
|
||||
|
||||
- On-premise Enterprise plans can use their own LLM provider for code extraction and private library ranking
|
||||
- On-premise Enterprise plans can disable public documentation usage, limiting context retrieval to privately indexed documentation only
|
||||
- Enterprise plans can disable query storage for benchmarking — however, this may affect the quality of context retrieval over time
|
||||
|
||||
Contact our sales team at [context7.com/contact](https://context7.com/contact) for Enterprise and on-premise plan details.
|
||||
|
||||
## Customizing What Is Shared
|
||||
|
||||
The Context7 MCP server is [open source](https://github.com/upstash/context7). If you want full control over what is sent as the `query` parameter, you can:
|
||||
|
||||
1. Fork the [Context7 MCP repository](https://github.com/upstash/context7)
|
||||
2. Edit the tool input descriptions in [`packages/mcp/src/index.ts`](https://github.com/upstash/context7/blob/master/packages/mcp/src/index.ts) — these descriptions instruct the AI assistant on how to formulate the query
|
||||
3. Build and run your custom MCP server locally
|
||||
|
||||
<Warning>
|
||||
The `query` parameter is used server-side for LLM-based reranking of documentation results. Modifying, redacting, or omitting the query can significantly reduce the relevance and quality of returned documentation.
|
||||
</Warning>
|
||||
|
||||
## Customizing What Is Retrieved
|
||||
|
||||
You can control retrieval scope from the **Policies** tab on your teamspace dashboard.
|
||||
|
||||
### Source Type Access
|
||||
|
||||
Toggle which types of documentation sources are accessible to your teamspace:
|
||||
|
||||
- **Public Repositories** — open-source repositories from GitHub, GitLab, and Bitbucket
|
||||
- **Websites** — documentation crawled from websites
|
||||
- **llms.txt** — documentation from llms.txt files
|
||||
- **Confluence** — Atlassian Confluence workspace pages and documentation
|
||||
- **Uploaded Files** — uploaded OpenAPI specifications and PDFs
|
||||
- **Private Sources** — private sources connected to this teamspace
|
||||
|
||||
<Frame>
|
||||

|
||||
</Frame>
|
||||
|
||||
### Library Filters
|
||||
|
||||
Restrict which libraries are accessible to your teamspace. You can choose between two modes:
|
||||
|
||||
- **Filter by Quality** — set criteria like verification status, minimum trust score, recency, blocked libraries, and more
|
||||
- **Select Manually** — pick specific libraries or organizations
|
||||
|
||||
<Frame>
|
||||

|
||||
</Frame>
|
||||
|
||||
## Data Handling
|
||||
|
||||
### Data Storage
|
||||
|
||||
**Context7 does not store your source files.**
|
||||
|
||||
- We only index and store **documentation** and **code examples** from repositories
|
||||
- Your code, and source files are not stored or shared
|
||||
- All indexed content is stored in a secure vector database optimized for retrieval
|
||||
|
||||
**What we store:**
|
||||
|
||||
- Library documentation
|
||||
- Code examples from documentation
|
||||
- Metadata about indexed libraries
|
||||
- Queries formulated by the MCP client
|
||||
|
||||
**What we don't store:**
|
||||
|
||||
- Your source code
|
||||
- Your original prompts or conversations
|
||||
- Your conversations with AI assistants
|
||||
|
||||
|
||||
### Privacy by Design
|
||||
|
||||
- **Data Minimization**: We only collect and store what's necessary
|
||||
- **Purpose Limitation**: Documentation data is used only for documentation retrieval
|
||||
- **Storage Limitation**: Automated cleanup of outdated data
|
||||
- **Transparency**: Clear documentation of what we collect and why
|
||||
|
||||
### GDPR Compliance
|
||||
|
||||
Context7 provides:
|
||||
|
||||
- The right to access your data
|
||||
- The right to delete your data
|
||||
- Data portability options
|
||||
- Clear consent mechanisms
|
||||
- Privacy-first data processing
|
||||
|
||||
### Data Residency
|
||||
|
||||
All indexed documentation and metadata are stored within Upstash's SOC 2 compliant infrastructure in the United States and the European Union.
|
||||
Cross-border data transfers comply with the EU General Data Protection Regulation (GDPR) and the EU-U.S. Data Privacy Framework (DPF), and enterprise customers can request region-specific data residency to meet local regulatory requirements.
|
||||
|
||||
|
||||
### Data Retention
|
||||
|
||||
- **Library Documentation**: Retained while the library is active and public
|
||||
- **API Logs**: Retained for 30 days for debugging and analytics
|
||||
- **User Data**: Retained according to your account status
|
||||
- **Deleted Data**: Permanently removed within 30 days of deletion request
|
||||
@@ -0,0 +1,19 @@
|
||||
---
|
||||
title: Data Safety
|
||||
description: How Context7 detects prompt injection and malicious content in indexed documentation
|
||||
---
|
||||
|
||||
## Prompt Injection and Malware Pattern Detection
|
||||
|
||||
Context7 indexes documentation from public and private sources. To prevent malicious content from reaching AI assistants, Context7 employs a **layered malicious content detection system**.
|
||||
|
||||
<Frame>
|
||||

|
||||
</Frame>
|
||||
|
||||
- **Robust Detection** — Content is analyzed using a classifier tailored for Context7 to identify prompt injection attempts and malware-related patterns
|
||||
- **Targeted Validation** — Suspicious content is subjected to additional checks
|
||||
- **Continuous Monitoring** — Flagged content is tracked and reviewed on an ongoing basis
|
||||
- **Regular Updates** — Detection logic is updated to address evolving attack methods and new injection techniques
|
||||
|
||||
This ensures that documentation retrieved through Context7 is safe to consume by both human developers and AI coding agents.
|
||||
@@ -0,0 +1,56 @@
|
||||
---
|
||||
title: Infrastructure Security
|
||||
sidebarTitle: Infrastructure
|
||||
description: The platform-level protections behind Context7, including hosting, abuse prevention, and secure development
|
||||
---
|
||||
|
||||
The operational and platform-level protections behind Context7, including hosted infrastructure, abuse prevention, and secure development practices.
|
||||
|
||||
## Platform Infrastructure
|
||||
|
||||
### SOC 2 Compliance
|
||||
|
||||
Context7 runs on **SOC 2 compliant infrastructure** provided by Upstash.
|
||||
|
||||
- Type II SOC 2 certified infrastructure
|
||||
- Regular security audits and assessments
|
||||
- Continuous monitoring and compliance checks
|
||||
- Industry-standard security controls
|
||||
|
||||
### Managed by Upstash
|
||||
|
||||
Context7's infrastructure is managed by the experienced Upstash team:
|
||||
|
||||
- 24/7 infrastructure monitoring
|
||||
- Automated security patching
|
||||
- DDoS protection and mitigation
|
||||
- Redundant backups and disaster recovery
|
||||
- Enterprise-grade reliability and uptime
|
||||
|
||||
### Upstash Security Practices
|
||||
|
||||
All security practices and certificates of Upstash apply to Context7 products:
|
||||
|
||||
- **Data Encryption**: Encryption at rest and in transit (TLS 1.2+)
|
||||
- **Network Security**: VPC isolation, firewall rules, and network segmentation
|
||||
- **Access Control**: Role-based access control (RBAC) and least privilege principles
|
||||
- **Audit Logging**: Comprehensive logging of all system activities
|
||||
- **Incident Response**: Documented incident response procedures
|
||||
- **Vulnerability Management**: Regular security scanning and penetration testing
|
||||
|
||||
|
||||
## Rate Limiting and Abuse Prevention
|
||||
|
||||
- IP-based rate limiting for anonymous requests
|
||||
- API key-based rate limiting with tiered limits
|
||||
- Automatic detection and blocking of abusive patterns
|
||||
- Protection against DDoS and scraping attacks
|
||||
|
||||
## Secure Development Practices
|
||||
|
||||
- Regular security code reviews
|
||||
- Automated dependency scanning
|
||||
- Secure CI/CD pipelines
|
||||
- Principle of least privilege for all systems
|
||||
- Security testing in development lifecycle
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
---
|
||||
title: Security
|
||||
sidebarTitle: Overview
|
||||
description: An overview of Context7's security practices, data handling, and compliance measures
|
||||
---
|
||||
|
||||
Context7 takes security and privacy seriously. This page outlines our security practices, data handling, and compliance measures.
|
||||
|
||||
## Highlights
|
||||
|
||||
- Your original prompts stay with your AI assistant; Context7 only receives search queries formulated by the MCP client, which is instructed to strip sensitive data before sending them
|
||||
- Documentation is indexed inside SOC 2 compliant infrastructure operated by Upstash
|
||||
- API keys are encrypted, rate limited, and easy to rotate from your dashboard
|
||||
- Enterprise customers can enable SSO (SAML, OAuth, OIDC) and receive dedicated audit trails
|
||||
- The [Context7 Addendum](https://upstash.com/trust/context7addendum.pdf), [Upstash Terms and Privacy Policy](https://upstash.com/docs/common/help/legal) applies to all users; see [trust.upstash.com](https://trust.upstash.com/) for full infrastructure compliance details, certifications
|
||||
|
||||
## Security Areas
|
||||
|
||||
Explore the main security topics in Context7:
|
||||
|
||||
<CardGroup cols={2}>
|
||||
<Card title="Data Privacy" icon="shield" href="/security/data-privacy">
|
||||
Learn how Context7 handles privacy, retrieval scope, and data.
|
||||
</Card>
|
||||
<Card title="Infrastructure" icon="server" href="/security/infrastructure">
|
||||
Review platform protections, operational controls, abuse prevention, and secure development practices.
|
||||
</Card>
|
||||
<Card title="Authentication and Access Control" icon="key" href="/security/auth-and-access-control">
|
||||
See how API keys, SSO, and enterprise access controls are handled.
|
||||
</Card>
|
||||
<Card title="Data Safety" icon="magnifying-glass" href="/security/data-safety">
|
||||
Understand how Context7 detects malicious content and prevents it from reaching AI assistants.
|
||||
</Card>
|
||||
<Card title="Compliance and Reporting" icon="badge-check" href="/security/compliance-and-reporting">
|
||||
Find reporting guidance, transparency commitments, and compliance details.
|
||||
</Card>
|
||||
<Card title="Best Practices" icon="book-open" href="/security/best-practices">
|
||||
Follow practical recommendations for using Context7 securely.
|
||||
</Card>
|
||||
</CardGroup>
|
||||
|
||||
Context7 also uses verification badges to help signal trusted libraries. For full verification details, see [Library Verification](/howto/verification).
|
||||
For more details on how Context7 handles quality and safety, see the [Quality and Safety in Context7](https://upstash.com/blog/context7-quality-and-safety) blog post.
|
||||
|
||||
## Questions and Support
|
||||
|
||||
For security-related questions:
|
||||
|
||||
- Contact us through [GitHub Issues](https://github.com/upstash/context7/issues)
|
||||
- Join our [Discord Community](https://upstash.com/discord)
|
||||
- Enterprise customers: Contact your dedicated support team
|
||||
|
||||
For privacy policy details, visit: [context7.com/privacy](https://context7.com/privacy)
|
||||
|
||||
---
|
||||
|
||||
**Last Updated**: March 2026
|
||||
|
||||
We continuously improve our security practices. Check this page regularly for updates.
|
||||
Reference in New Issue
Block a user