Skip to content

Weather App Security Controls

Weather App demonstrates defense in depth for a small web application: the backend is not a public API, production-like traffic is encrypted, runtime containers run with reduced privileges, and pipeline controls scan source code, dependencies, images and deployment manifests.

flowchart TB
source[Source code] --> pipeline[GitLab CI/CD]
pipeline --> registry[Private registry]
registry --> staging[VPS staging]
registry --> platform[Kubernetes platform]
source --> sourceControls[ESLint, Prettier, secret scans and tests]
pipeline --> pipelineControls[SAST, SCA, PBOM, SBOM, DAST and Plumber]
registry --> registryControls[SemVer tags, digests and image scans]
staging --> stagingControls[Traefik, HTTPS, WAF and Docker networks]
platform --> platformControls[NetworkPolicies, Kyverno, RBAC and External Secrets]

Backend Access

The backend rejects production API calls without X-Internal-Service-Token. Health endpoints remain available for probes and orchestration checks.

Frontend Proxy

Browser calls use relative /api/... paths. Nginx proxies API traffic to the backend and adds the internal service token.

CORS

Development can be permissive for local workflows. Production restricts origins and relies on the proxy token as the primary backend authorization control.

Error Handling

Backend responses avoid leaking provider internals. External provider failures are handled as application errors, not as raw stack traces.

  • Production Dockerfiles use multi-stage builds.
  • Runtime images copy only required application artifacts.
  • Containers run as non-root users where the base image supports it.
  • Nginx runtime directories are owned by the application user.
  • Dockerfiles are linted with Hadolint and scanned with container security tools.
  • Image scans run against pushed artifacts, not only against source files.
Layer Control Evidence
Edge Traefik HTTPS routing and redirect middleware Staging deployment and Traefik dashboard
Request filtering ModSecurity with OWASP CRS through Traefik WAF WAF middleware and DAST reports
Backend isolation Separate Docker network and frontend gateway VPS staging architecture and health checks
Kubernetes traffic Default-deny NetworkPolicies NetworkPolicy positive and negative tests
Kubernetes policy Kyverno non-root, probes and labels Policy reports and blocked workload tests
Secrets SOPS and Sealed Secrets for bootstrap Encrypted manifests and secret sync checks
  • GitLab SSH access goes through Cloudflare Access and Cloudflare Tunnel.
  • The VPS is reached through Zero Trust access paths rather than unrestricted public SSH.
  • CI service tokens are scoped for non-interactive automation.
  • Protected variables remain unavailable to untrusted pipeline contexts.
  • Kubernetes RBAC separates administrative and read-only application access.