Compliance theater is easy: a PDF and a badge. A SOC2-minded edge is harder: consistent controls that every new hostname inherits.
Controls at the perimeter
- HSTS so browsers refuse insecure downgrade
- WAF chain for common exploit patterns
- Rate limiting on auth and public APIs
- Forward-auth for operator and admin surfaces
These are not optional toggles for “important” apps. They are the platform contract. If a service is public, it rides the chain.
See Security for the fuller picture, and Status when you need live confirmation that the edge is healthy.
Thoughts on this article?
Tell us what to cover next — or ask a question about running on CITRICLOUD.



