Skip to main content

Edge — Cloud Armor WAF

Every request to *.denialbase.com first passes through a Google Cloud Armor security policy attached to the global HTTPS load balancer.

OWASP Core Rule Set v3.3 — enabled

  • SQL injection (sqli-v33-stable)
  • Cross-site scripting (xss-v33-stable)
  • Remote code execution (rce-v33-stable)
  • Local file inclusion (lfi-v33-stable)
  • Remote file inclusion (rfi-v33-stable)
  • Scanner detection (scannerdetection-v33-stable)
  • Protocol attacks (protocolattack-v33-stable)
  • Session fixation (sessionfixation-v33-stable)

Per-IP rate limiting at the edge

Adaptive thresholds per environment:
EnvironmentThresholdAction
Staging500 req/min5-minute 429 ban
Production1000 req/min5-minute 429 ban

Geoblocking

By default, *.denialbase.com serves US traffic. Non-US ranges are not blocked at the edge today, but traffic patterns are monitored. If your organization requires geofencing, contact security@denialbase.com.

Application — private VPC

Cloud SQL (private IP)

No public IP. Reachable only from the VPC. All connections TLS-encrypted.

Memorystore Redis (private IP)

VPC-peered private IP with AUTH and rediss:// TLS.

Cloud Run (serverless ingress)

VPC connector bridges Cloud Run to the private VPC. Ingress limited to the load balancer; direct Cloud Run URL is not publicly routable for internal endpoints.

Worker VM (private-only)

Background job worker has no public IP. Pulls artifacts and reports status over VPC.

CI/CD — Workload Identity Federation

GitHub Actions authenticates to GCP via Workload Identity Federation — Google exchanges a short-lived GitHub OIDC token for a GCP access token at deploy time. No static service-account keys are stored in GitHub secrets or anywhere else.
  • Trust bound to specific workflows and branches via attribute conditions.
  • Each access token is bounded to minutes, not hours.
  • All token exchanges are audit-logged in GCP.
  • No single failure mode (a leaked secret in a branch, a compromised GitHub PAT) can persistently authenticate as the deploy identity.

Secrets management

  • GCP Secret Manager for all runtime secrets (JWT keys, AR encryption keys, API tokens, database URLs).
  • No .env files on production hosts. Runtime loads from Secret Manager at boot.
  • Access is IAM-bound to the Cloud Run runtime service account and the worker service account only. Developer accounts do not have production Secret Manager access.
  • gitleaks scans every commit in CI for hardcoded secrets.

DDoS mitigation

  • Google Cloud Load Balancer absorbs volumetric DDoS at the Google edge.
  • Cloud Armor rate limiting as a second layer.
  • Application-level rate limiting (Rack::Attack) as a third layer.

Ingress and egress controls

  • Ingress — only the global load balancer can reach Cloud Run. Direct Cloud Run revision URLs are not used by production clients.
  • Egress — Anthropic, Sentry, SES, and Kaiser endpoints are the only outbound destinations from runtime. Egress traffic is audit-logged via VPC Flow Logs.

Organization policies

Terraform defines GCP organization policies that would, for example, block service-account key creation at the project level. These are gated off by default (var.enable_org_policies = false) because enabling them requires cross-project organization-level permissions that aren’t currently granted. Target: enable or document a compensating control by Q2 2026. See SOC 2 readiness.

Security headers

HeaderValue
Strict-Transport-Securitymax-age=31536000; includeSubDomains; preload
X-Content-Type-Optionsnosniff
X-Frame-OptionsDENY
Referrer-Policystrict-origin-when-cross-origin
Content-Security-PolicyStrict CSP, auto-generated from frontend/csp-config.json
Permissions-PolicyRestrictive defaults