7 controls
Operational across the product, the underlying platform, and the engineering team.
- 01 Cloudflare Web Application Firewall in Block mode covering OWASP Top 10 and known malicious IP and bot signatures
- 02 Cloudflare Full (strict) TLS — origin-side certificate validation prevents downgrade and man-in-the-middle scenarios
- 03 Per-IP and per-account rate limiting on authentication, ingestion, and public APIs — enforced at the Cloudflare edge and at the origin
- 04 Explicit CORS allowlists on every authenticated endpoint; wildcard origins blocked at the development guardrail level
- 05 Production environments segregated from development at the platform level, in separate cloud accounts and projects
- 06 Credentials managed centrally in Infisical, scoped per service, and rotated on personnel change or suspected exposure
- 07 Required CI status checks enforced via repository merge rulesets — no merge without passing automated validation