Status: Informative (non-normative)
Version: 0.1.2
This appendix provides a deployment hardening checklist for AMP provider implementations. Items are organized by category with severity ratings. Each item references the normative section that defines the requirement.
Note: This checklist is a summary of security-relevant requirements from the specification. It is not a substitute for reading the normative sections. Providers SHOULD review each referenced section for full implementation details.
| Severity | Item | Reference |
|---|
| Critical | Ed25519 is the recommended signing algorithm | 07 - Security |
| Critical | Private key files have permissions 0600 | 07 - Security |
| Critical | Key revocation list is active and checked at route time | 07 - Security |
| High | Key rotation proof is validated (old key signs new key) | 03 - Registration |
| High | Revocation entries retained for at least 90 days | 07 - Security |
| Medium | Identity conflict detection is implemented (TOFU + cache) | 07 - Security |
| Severity | Item | Reference |
|---|
| Critical | All API endpoints served over HTTPS (TLS 1.2+) | 07 - Security |
| Critical | No plain HTTP in production | 07 - Security |
| Critical | WebSocket connections use wss://, not ws:// | 07 - Security |
| High | HSTS headers set on all responses | 07 - Security |
| Medium | WebSocket subprotocol amp.v1 supported | 08 - API |
| Severity | Item | Reference |
|---|
| Critical | API keys hashed with bcrypt before storage | 07 - Security |
| Critical | API keys shown only once at registration | 07 - Security |
| High | Registration rate-limited (10/min default) | 08 - API |
| High | Owner authentication enabled for agent registration | 03 - Registration |
| High | Sender verification: from field matches authenticated agent | 07 - Security |
| Medium | API keys use structured format (amp_<env>_<type>_<random>) | 07 - Security |
| Severity | Item | Reference |
|---|
| Critical | External message content wrapped in <external-content> tags | 07 - Security |
| Critical | Injection scanning enabled for incoming messages | 07 - Security |
| High | Quarantine active for critical-severity findings | 07 - Security |
| High | Default severity-to-verdict mapping implemented | 07 - Security |
| High | Multi-message window scanning active | 07 - Security |
| Medium | Attachment scanning pipeline operational | 07 - Security |
| Medium | Credential redaction in audit output | 07 - Security |
| Severity | Item | Reference |
|---|
| Critical | Webhook SSRF validation on registration AND delivery | 05 - Routing |
| Critical | Private/loopback/link-local/metadata IPs blocked for webhooks | 05 - Routing |
| High | Webhook redirect limit: 2 hops max | 05 - Routing |
| High | Webhook connection timeout: 5s, response timeout: 10s | 05 - Routing |
| High | No HTTPS-to-HTTP downgrades on webhook redirects | 05 - Routing |
| High | Request body size enforcement: 1 MB limit | 08 - API |
| Medium | DNS rebinding protection (validate resolved IPs) | 05 - Routing |
| Medium | Alternative IP encoding rejection (hex, octal, decimal) | 05 - Routing |
| Severity | Item | Reference |
|---|
| High | Risk scoring active with rolling 24-hour window | 07 - Security |
| High | Auto-escalation thresholds configured | 07 - Security |
| Medium | Audit trail enabled for quarantine and suspension actions | 07 - Security |
| Medium | Retention period >= 90 days for revocation and audit entries | 07 - Security |
| Medium | Webhook notifications configured for risk level changes | 07 - Security |
| Low | Quarantine expiration logged for audit | 07 - Security |
| Severity | Item | Reference |
|---|
| High | Per-agent rate limits enforced (60 msgs/min default) | 07 - Security |
| High | Per-provider federation limits enforced (1000 msgs/min) | 07 - Security |
| High | Request body size enforcement (1 MB HTTP limit) | 08 - API |
| Medium | Replay protection with 24-hour ID tracking | 07 - Security |
| Medium | Future timestamp rejection (60-second tolerance) | 07 - Security |
| Medium | Admin endpoint rate limits (quarantine, suspension, risk) | 08 - API |
Previous: Appendix A — Prompt Injection Patterns | Back to: 01 - Overview