Backend Access
The backend rejects production API calls without X-Internal-Service-Token.
Health endpoints remain available for probes and orchestration checks.
Weather App demonstrates defense in depth for a small web application: the backend is not a public API, production-like traffic is encrypted, runtime containers run with reduced privileges, and pipeline controls scan source code, dependencies, images and deployment manifests.
flowchart TB source[Source code] --> pipeline[GitLab CI/CD] pipeline --> registry[Private registry] registry --> staging[VPS staging] registry --> platform[Kubernetes platform]
source --> sourceControls[ESLint, Prettier, secret scans and tests] pipeline --> pipelineControls[SAST, SCA, PBOM, SBOM, DAST and Plumber] registry --> registryControls[SemVer tags, digests and image scans] staging --> stagingControls[Traefik, HTTPS, WAF and Docker networks] platform --> platformControls[NetworkPolicies, Kyverno, RBAC and External Secrets]Backend Access
The backend rejects production API calls without X-Internal-Service-Token.
Health endpoints remain available for probes and orchestration checks.
Frontend Proxy
Browser calls use relative /api/... paths. Nginx proxies API traffic to
the backend and adds the internal service token.
CORS
Development can be permissive for local workflows. Production restricts origins and relies on the proxy token as the primary backend authorization control.
Error Handling
Backend responses avoid leaking provider internals. External provider failures are handled as application errors, not as raw stack traces.
| Layer | Control | Evidence |
|---|---|---|
| Edge | Traefik HTTPS routing and redirect middleware | Staging deployment and Traefik dashboard |
| Request filtering | ModSecurity with OWASP CRS through Traefik WAF | WAF middleware and DAST reports |
| Backend isolation | Separate Docker network and frontend gateway | VPS staging architecture and health checks |
| Kubernetes traffic | Default-deny NetworkPolicies | NetworkPolicy positive and negative tests |
| Kubernetes policy | Kyverno non-root, probes and labels | Policy reports and blocked workload tests |
| Secrets | SOPS and Sealed Secrets for bootstrap | Encrypted manifests and secret sync checks |