Ingress without policy is just a door. Traefik middlewares let us attach the same security story to every public route.
The chain we reuse
- WAF / request filtering for common exploit patterns
- HSTS so browsers refuse insecure downgrade
- Rate limits on auth and noisy public APIs
- Forward-auth for operator and admin surfaces
middlewares: - name: soc2-waf-chain - name: soc2-hsts - name: authelia-forwardauthNew apps inherit the chain. Exceptions require an explicit reason — and still keep TLS.
Thoughts on this article?
Tell us what to cover next — or ask a question about running on CITRICLOUD.



