# Security

#### Read-Only Guarantee

Expressions cannot assign variables, mutate the context, or produce side effects:

* Assignment operators (=, +=, -=, ++, --) are rejected at the parser level
* Mutating methods (.push(), .pop(), .splice(), .sort(), .reverse(), .shift(), .unshift()) are excluded from the method whitelist
* Block-body arrows (x => { ... }) are rejected — no variable declarations or multi-statement logic
* Context serialization — variables are serialized into the Worker's separate V8 heap, so even if an escape is found, mutations cannot propagate back to session state

#### Blocked Globals

Blocked Globals means that an expression or script cannot access global variables, global objects, or ambient system state. Only explicitly provided inputs are available.

* eval, Function — Code execution
* require, import — Module loading
* process, global, globalThis — Node.js internals
* setTimeout, setInterval — Async operations
* fetch, XMLHttpRequest — Network access
* console — Side effects
* Proxy, Reflect — Meta-programming

#### Protections

Protections are the enforced safeguards that ensure expressions remain safe, predictable, and non-abusive, even when they come from untrusted sources. They define *what an expression is allowed to do*, *what it can never do*, and *how far it is allowed to go*. Think of protections as the **guardrails** around the expression engine.

* Worker Isolation: Each expression runs in a separate V8 isolate
* Hard Timeout: worker.terminate() kills hung expressions
* Memory Limits: Worker heap size capped at 64MB (configurable)
* Size Limits: Context, result, string, and array sizes enforced
* Prototype Blocking: No access to `__proto__`, `constructor`, `prototype`
* Auto-Recovery: Crashed workers are automatically replaced
