> ## Documentation Index > Fetch the complete documentation index at: https://upstash.com/docs/llms.txt > Use this file to discover all available pages before exploring further. # Security & Secrets ## Isolation Every Upstash Box runs in its own isolated container with a dedicated filesystem, process tree, and network stack. Boxes cannot communicate with or observe each other. Network access is restricted — containers cannot reach private networks, cloud metadata services, or other internal infrastructure. ## Environment Variables You can pass environment variables when creating a box. These are available to all code running inside the box, including your agent and any user-submitted code. ```tsx theme={"system"} const box = await Box.create({ runtime: "node", env: { DATABASE_URL: "postgres://...", ANTHROPIC_API_KEY: "sk-ant-...", }, }) ``` Environment variables are visible to all code running inside the box. If you run untrusted code, those secrets can be read by the untrusted code. For sensitive credentials, use [Attach Headers](/box/overall/attach-headers) instead. ## Attach Headers For injecting secret HTTP headers into outbound HTTPS requests without exposing them inside the container, see [Attach Headers](/box/overall/attach-headers). ## Blocked Environment Variables For system security, the following environment variables cannot be set: | Variable | Reason | | ----------------- | ------------------------------------ | | `PATH` | Prevents binary hijacking | | `HOME` | Prevents home directory manipulation | | `LD_PRELOAD` | Prevents shared library injection | | `LD_LIBRARY_PATH` | Prevents library path hijacking | | `NODE_OPTIONS` | Prevents Node.js flag injection | All other environment variables — including `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, and their `*_BASE_URL` variants — are allowed. The built-in agent runner uses its own isolated environment that overrides these per-run.