
Security Operations: Hardening the Edge

The difference between a toy demo and a credible reference architecture is how it handles failure. We identified three critical threat vectors for the Vera Financial platform and engineered defences for each.

Threat: An attacker forges or replays a Cloudflare Access JWT to bypass identity checks on the Worker API. Defence: The Worker entrypoint requires the Cf-Access-Jwt-Assertion header in all non-dev environments. The ACCESS_AUD audience tag is configured in wrangler.jsonc for JWT signature verification against Cloudflare’s JWKS endpoint. Session IDs are derived from the authenticated email via HMAC, ensuring one user maps to one Durable Object instance.

Threat: 200 contractors opening multiple tabs each, overwhelming the backend with WebSocket connections. Defence: Durable Objects with the Hibernation API. Each chat session is backed by a Durable Object, and the HMAC-derived session ID ensures one user maps to exactly one DO instance regardless of how many tabs they open. The Hibernation API allows idle DOs to sleep while Cloudflare maintains the WebSocket connection at the edge, eliminating compute duration charges during quiet periods.

Threat: M&A documents leaving the UK/EU jurisdiction. Defence: Data Localization Suite (DLS). We configured Regional Services to ensure that HTTPS traffic for our Workers is decrypted and processed only within the designated region. R2 buckets use the weur (Western Europe) location hint, and Durable Objects use jurisdiction restrictions to confine state to the EU.


This is a proof-of-concept. Several design decisions were made for speed that would need to be hardened for a production deployment:

  • Authentication: This PoC uses email OTP (One-Time Pin). Production would require OIDC or SAML integration with an enterprise Identity Provider (Azure AD, Okta), with enforced MFA (hardware keys or authenticator app).
  • JWT Verification: The PoC validates only that the JWT is present; production should perform full cryptographic signature verification against Cloudflare’s JWKS endpoint in all code paths.
  • Role Mapping: Roles are currently derived from email patterns (e.g., +admin@). Production should use IdP group claims or Access custom SAML attributes.
  • RAG Evaluation: We have not benchmarked retrieval quality (precision/recall). The default bge-base-en-v1.5 embeddings may need fine-tuning for specific financial policy language.
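
The forged-or-replayed JWT defence and the JWT Verification item above both depend on the full check, not just header presence. The following is an added example, not code from the Vera Financial PoC: it verifies the RS256 signature, audience, issuer and expiry with Web Crypto. The function name, option names and reason strings are hypothetical, and the caller is assumed to have already fetched and cached the JWKS.

```javascript
// Added example: full verification of a Cloudflare Access JWT (RS256) with Web Crypto.
// Workers expose `crypto` globally; the require() fallback only matters on older Node.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

const b64urlToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const decodeJson = (part) => JSON.parse(new TextDecoder().decode(b64urlToBytes(part)));
const deny = (reason) => ({ ok: false, reason }); // reason strings are hypothetical

// jwks: parsed JSON from https://<team>.cloudflareaccess.com/cdn-cgi/access/certs.
// aud: the ACCESS_AUD tag; iss: the team domain URL; now: injectable clock (seconds).
async function verifyAccessJwt(token, jwks, { aud, iss, now = Date.now() / 1000, skew = 60 }) {
  const parts = String(token ?? '').split('.');
  if (parts.length !== 3) return deny('malformed');
  let header, claims, sig;
  try {
    header = decodeJson(parts[0]) ?? {};
    claims = decodeJson(parts[1]) ?? {};
    sig = b64urlToBytes(parts[2]);
  } catch {
    return deny('malformed');
  }
  // Pin the algorithm: the token never gets to choose it (rejects "none" and HS256).
  if (header.alg !== 'RS256') return deny('bad-alg');
  const jwk = (jwks?.keys ?? []).find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return deny('unknown-kid');

  const key = await subtle.importKey(
    'jwk', { kty: jwk.kty, n: jwk.n, e: jwk.e },
    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['verify']);
  const signed = new TextEncoder().encode(`${parts[0]}.${parts[1]}`);
  if (!(await subtle.verify('RSASSA-PKCS1-v1_5', key, sig, signed))) return deny('bad-signature');

  // Claims are trusted only after the signature has been verified.
  const audList = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audList.includes(aud)) return deny('wrong-audience');
  if (claims.iss !== iss) return deny('wrong-issuer');
  if (typeof claims.exp !== 'number' || claims.exp + skew < now) return deny('expired');
  if (typeof claims.nbf === 'number' && claims.nbf - skew > now) return deny('not-yet-valid');
  if (typeof claims.email !== 'string') return deny('no-email');
  return { ok: true, email: claims.email.toLowerCase(), exp: claims.exp };
}
```

The expiry check bounds the replay window to the token lifetime plus the allowed skew; only the `email` returned on success should feed the HMAC session ID derivation.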