By the way, HTTP Security Response Headers seem to be audited in the SOC2 process, so startups building dynamic web-facing apps will wind up being required to set these headers correctly.
This is important and I wish I understood the area better. Being a back end guy, I let Cloudflare protect stuff that I host, and anything else is on a service like Substack, rather than something I own.
It's just one more "This should only take an hour" to add to the pile :-)
It's important for the developers working on the system behind the endpoint to understand this. It doesn't apply only to Apache and Nginx, but to any custom "back end" process which vends an endpoint which is accessible to a browser or a mobile app. Maybe I should write an article about this.
At the moment I have a manual nginx config on a system that only talks to Cloudflare for 80/443. I am shifting that machine to using Nginx Proxy Manager and there's another one that is getting Traefik. Everything they do is protected with Cloudflare Access, which they folded into their ZTNA stuff, which has a cumbersome name I refuse to learn. Basically nothing I serve up talks to anyone w/o there being a conversation and a manually added email so they can access it.
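The point above, that security response headers are the application's job when there is no Apache or Nginx in front of it, is easiest to see in code. The block below is an added example and not code from anyone in this thread: a WSGI middleware that stamps a baseline set of security headers onto every response of a custom Python back end (without clobbering anything the app set itself, and dropping `Server`/`X-Powered-By` banners), plus an `audit_security_headers` function that flags what a header review would typically catch (missing headers, a short HSTS `max-age`, `'unsafe-inline'` in CSP, leaked banners). The header values and the six-month HSTS threshold are assumed defaults chosen for illustration, not a standard; tighten the CSP for a real app. The demo app and request are constructed inline so it runs offline.

```python
"""Added example: security response headers for a custom (WSGI) back end.
Illustrative code, not from the original thread. Header values below are
assumed defaults for demonstration; tune the CSP for the real application."""
from wsgiref.headers import Headers

# Baseline headers a browser-facing endpoint is commonly expected to send.
# (Assumed defaults, not an authoritative list.)
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cache-Control": "no-store",
}

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months; assumed audit threshold
BANNER_HEADERS = ("Server", "X-Powered-By")  # leak implementation details


def audit_security_headers(headers):
    """Return a list of human-readable findings for a response header mapping.

    Header names are compared case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in SECURITY_HEADERS:
        if name.lower() not in lowered:
            findings.append("missing " + name)
    hsts = lowered.get("strict-transport-security")
    if hsts is not None:
        # Parse "max-age=N; includeSubDomains" and enforce a minimum lifetime.
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = next((d for d in directives if d.startswith("max-age=")), None)
        try:
            age = int(max_age.split("=", 1)[1]) if max_age else -1
        except ValueError:
            age = -1
        if age < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below %d" % MIN_HSTS_MAX_AGE)
    csp = lowered.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy allows unsafe-inline/unsafe-eval")
    for banner in BANNER_HEADERS:
        if banner.lower() in lowered:
            findings.append(banner + " header leaks implementation details")
    return findings


class SecurityHeadersMiddleware:
    """Wrap any WSGI app: add baseline headers the app did not set, strip banners."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start(status, response_headers, exc_info=None):
            hdrs = Headers(response_headers)  # case-insensitive view over the list
            for name, value in SECURITY_HEADERS.items():
                if name not in hdrs:  # respect a stricter value set by the app
                    hdrs.add_header(name, value)
            for banner in BANNER_HEADERS:
                del hdrs[banner]  # no error if absent
            return start_response(status, hdrs.items(), exc_info)
        return self.app(environ, _start)


def demo_app(environ, start_response):
    """Constructed sample app: leaks a banner and sets no security headers."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("X-Powered-By", "demo/1.0")])
    return [b"hello"]


def run_request(app, path="/"):
    """Drive a WSGI app once, offline; return (status, header dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, raw, _ = run_request(demo_app)
    print("before:", audit_security_headers(raw))
    _, hardened, _ = run_request(SecurityHeadersMiddleware(demo_app))
    print("after:", audit_security_headers(hardened))
```

Running it prints eight findings for the bare app and an empty list once the middleware is in place. The same `audit_security_headers` function can be pointed at the headers `curl -sI` returns from a deployed endpoint, which is a cheap way to check that whatever sits in front of the app (a reverse proxy, a CDN) is actually adding what the app does not.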
This is part of an overall effort to do more with Docker, due to things like Dify.ai and the MediaWiki Docker deploy.
And over here I'd be pleased if I could just get them to block global access to tcp/3306.