CITRICLOUD — Building Digital Experiences
Traefik middlewares explained
Platform7 Jul 20268 min

Traefik middlewares explained

WAF, HSTS, rate limits, and forward-auth — how the middleware chain turns every hostname into a SOC2-minded edge.

AN

Alex Novak

Founder & Platform

ShareXLinkedInEmail

Ingress without policy is just a door. Traefik middlewares let us attach the same security story to every public route.

The chain we reuse

  1. WAF / request filtering for common exploit patterns
  2. HSTS so browsers refuse insecure downgrade
  3. Rate limits on auth and noisy public APIs
  4. Forward-auth for operator and admin surfaces
textCITRICLOUD
middlewares: - name: soc2-waf-chain - name: soc2-hsts - name: authelia-forwardauth

New apps inherit the chain. Exceptions require an explicit reason — and still keep TLS.

Thoughts on this article?

Tell us what to cover next — or ask a question about running on CITRICLOUD.

Related articles

Backup and restore playbook
Platform8 min

Backup and restore playbook

Backups that only exist on paper fail when you need them. Here is how we design restore drills that actually pass.

AN

Alex Novak

GitOps delivery on CITRICLOUD
Platform9 min

GitOps delivery on CITRICLOUD

How Argo CD, Traefik, and environment promotion keep production changes reviewable and reversible.

AN

Alex Novak

A SOC2-minded edge
Security7 min

A SOC2-minded edge

WAF, HSTS, rate limits, and forward-auth — the middleware stack we put in front of public endpoints.

MK

Mira Kovacs

Newsletter

Platform notes in your inbox

Product updates, architecture write-ups, and security notes — no spam, unsubscribe anytime.

By subscribing you agree to our Privacy policy.