Isolation
Every Upstash Box runs in its own isolated container with a dedicated filesystem, process tree, and network stack. Boxes cannot communicate with or observe each other. Network access is restricted — containers cannot reach private networks, cloud metadata services, or other internal infrastructure.Environment Variables
You can pass environment variables when creating a box. These are available to all code running inside the box, including your agent and any user-submitted code.Attach Headers
For injecting secret HTTP headers into outbound HTTPS requests without exposing them inside the container, see Attach Headers.Blocked Environment Variables
For system security, the following environment variables cannot be set:| Variable | Reason |
|---|---|
PATH | Prevents binary hijacking |
HOME | Prevents home directory manipulation |
LD_PRELOAD | Prevents shared library injection |
LD_LIBRARY_PATH | Prevents library path hijacking |
NODE_OPTIONS | Prevents Node.js flag injection |
ANTHROPIC_API_KEY, OPENAI_API_KEY, and their *_BASE_URL variants — are allowed. The built-in agent runner uses its own isolated environment that overrides these per-run.