Security & Zero Trust

Geobridge pairs Cloudflare Access with layered runtime protections to keep edge traffic and administrative surfaces locked down.

  • Admin APIs and consoles sit behind Cloudflare Access with SSO + MFA + device posture checks.
  • Edge allow/deny lists (CF-Connecting-IP / X-Forwarded-For) block untrusted client IPs before request handling.
  • Deploy tokens and service credentials are short-lived and scoped per environment.
  • Every edge request includes an HMAC-signed proof binding method/path/body, timestamps, and a nonce to prevent replay.
  • Origin accepts the active or previous signing key during rotations; stale timestamps or seen nonces are rejected.
  • Origin access to the secret store (Bao) uses renewable tokens held only in memory; if renewal is lost, the origin fails closed until it is re-unlocked.
  • API keys are salted and hashed at rest; plaintext is returned once on creation.
  • Webhook callbacks are signed with caller-provided secrets; rotate them if leaked.
  • Bulk job TTLs control result retention in R2; lifecycle rules enforce platform maximums.
  • Structured logging and metrics exclude raw payloads; alerts page on webhook failures, bulk errors, and cache bypass spikes.
  • KV ↔ D1 reconciliation keeps edge caches aligned with canonical metadata; drift triggers alerts.
  • Access policy and allowlist changes are reviewed and logged; tests cover parser behavior for allow/deny rules.
  • Keep API keys secret; avoid embedding them in client-side code.
  • Pin webhook endpoints to HTTPS and verify HMAC signatures on receipt.
  • Align IP allowlists with your ingress expectations if you proxy traffic through fixed egress.
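
The origin-side check described in the signed-proof bullets above (HMAC over method/path/body, timestamp and nonce, with the active or previous key accepted), as an added example that is not Geobridge's own code. The canonical message layout, the 300-second window, the in-memory nonce cache, the keys and the request paths are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 300  # assumed freshness window in seconds; the page gives no value


def sign(key, method, path, body, timestamp, nonce):
    """HMAC-SHA256 over an assumed canonical form: fields joined by newlines."""
    digest = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method.upper(), path, digest, str(timestamp), nonce])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class OriginVerifier:
    def __init__(self, active_key, previous_key=None):
        self.keys = [k for k in (active_key, previous_key) if k]
        self.seen = {}  # nonce -> expiry; stand-in for a shared store

    def verify(self, method, path, body, timestamp, nonce, signature, now):
        if abs(now - timestamp) > MAX_SKEW:
            return "stale-timestamp"
        sig = signature.encode()
        expected = [sign(k, method, path, body, timestamp, nonce) for k in self.keys]
        # Constant-time comparison against every accepted key.
        if not any([hmac.compare_digest(e.encode(), sig) for e in expected]):
            return "bad-signature"
        # Record nonces only after authentication so unsigned traffic
        # cannot fill the replay cache; expire them with the window.
        self.seen = {n: e for n, e in self.seen.items() if e >= now}
        if nonce in self.seen:
            return "replayed-nonce"
        self.seen[nonce] = timestamp + MAX_SKEW
        return "ok"


def demo():
    """Constructed keys and request, exercised through a key rotation."""
    old, new = b"constructed-key-v1", b"constructed-key-v2"
    origin = OriginVerifier(active_key=new, previous_key=old)
    req = ("POST", "/v1/lookup", b'{"ip":"203.0.113.7"}', 1_700_000_000)
    sig_old = sign(old, *req, "n-1")
    return [
        origin.verify(*req, "n-1", sig_old, now=1_700_000_010),  # previous key
        origin.verify(*req, "n-1", sig_old, now=1_700_000_020),  # same nonce again
        origin.verify("POST", "/v1/other", req[2], req[3], "n-2",
                      sign(new, *req, "n-2"), now=1_700_000_020),  # path differs
        origin.verify(*req, "n-3", sign(new, *req, "n-3"), now=1_700_000_400),
    ]
```

Nonces are kept until the end of the timestamp window, so a proof cannot be accepted a second time while its timestamp is still fresh.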

See Architecture for data flow context and Privacy & Telemetry for data handling details.