CITRICLOUD — Building Digital Experiences
A SOC2-minded edge
Security2 Jul 20267 min

A SOC2-minded edge

WAF, HSTS, rate limits, and forward-auth — the middleware stack we put in front of public endpoints.

MK

Mira Kovacs

Security Engineering

ShareXLinkedInEmail

Compliance theater is easy: a PDF and a badge. A SOC2-minded edge is harder: consistent controls that every new hostname inherits.

Controls at the perimeter

  • HSTS so browsers refuse insecure downgrade
  • WAF chain for common exploit patterns
  • Rate limiting on auth and public APIs
  • Forward-auth for operator and admin surfaces

These are not optional toggles for “important” apps. They are the platform contract. If a service is public, it rides the chain.

See Security for the fuller picture, and Status when you need live confirmation that the edge is healthy.

Thoughts on this article?

Tell us what to cover next — or ask a question about running on CITRICLOUD.

Related articles

Zero-trust networking on CITRICLOUD
Security7 min

Zero-trust networking on CITRICLOUD

Stop trusting the LAN. How we authenticate every hop with identity-aware networking and deny-by-default paths.

MK

Mira Kovacs

Keycloak SSO for tenants
Security9 min

Keycloak SSO for tenants

Enterprise buyers expect SSO on day one. How we wire Keycloak so each tenant can bring their IdP without fracturing the platform.

MK

Mira Kovacs

Identity by default
Security8 min

Identity by default

How Authelia and Keycloak protect every surface — and why we refuse to treat auth as an optional plugin.

MK

Mira Kovacs

Newsletter

Platform notes in your inbox

Product updates, architecture write-ups, and security notes — no spam, unsubscribe anytime.

By subscribing you agree to our Privacy policy.