Security
All Tiers
Security Headers
All Calabi responses include hardened HTTP security headers applied by Istio EnvoyFilter:
| Header | Value |
|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(self), microphone=(self), camera=(self) |
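As an added example (not part of the Calabi docs or project code), the POSIX shell check below takes a captured response, such as the output of `curl -sI`, and verifies that every header in the table above is present with exactly the listed value; the `SAMPLE_OK` and `SAMPLE_WEAK` responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Calabi project code: verify that a captured HTTP response
# carries every hardened header from the table above with the exact value.
# Usage: save the output of `curl -sI https://<host>/` to a file and pass its
# path as the first argument; the SAMPLE_* responses below are constructed.

# header_value NAME RESPONSE -> prints the value of header NAME (name matched
# case-insensitively, CRs and surrounding whitespace stripped) or nothing.
header_value() {
    printf '%s\n' "$2" | tr -d '\r' |
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*$/ { exit }                          # blank line: end of headers
        { i = index($0, ":"); if (i == 0) next }     # status line has no colon
        { name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
          sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
          if (name == want) { print val; exit } }'
}

# check_security_headers RESPONSE -> one ok/MISSING/MISMATCH line per header;
# returns 0 only when all six headers are present with the expected value.
check_security_headers() {
    rc=0
    while IFS='|' read -r name expected; do
        actual=$(header_value "$name" "$1")
        if [ -z "$actual" ]; then
            echo "MISSING  $name"; rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name: got '$actual'"; rc=1
        else
            echo "ok       $name"
        fi
    done <<EOF
Strict-Transport-Security|max-age=31536000; includeSubDomains; preload
X-Frame-Options|SAMEORIGIN
X-Content-Type-Options|nosniff
X-XSS-Protection|1; mode=block
Referrer-Policy|strict-origin-when-cross-origin
Permissions-Policy|geolocation=(self), microphone=(self), camera=(self)
EOF
    return $rc
}

# Constructed sample responses (CRLF line endings, as curl -sI returns them).
SAMPLE_OK=$(printf 'HTTP/2 200\r\ncontent-type: text/html\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\nx-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\nreferrer-policy: strict-origin-when-cross-origin\r\npermissions-policy: geolocation=(self), microphone=(self), camera=(self)\r\n\r\n')
SAMPLE_WEAK=$(printf 'HTTP/2 200\r\nx-content-type-options: nosniff\r\nreferrer-policy: no-referrer-when-downgrade\r\n\r\n')

if [ $# -gt 0 ]; then check_security_headers "$(cat "$1")"; fi
```

Run it against a saved response file from each environment after any EnvoyFilter change; a non-zero exit means at least one header is missing or drifted from the table.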
TLS
All traffic is encrypted in transit:
- TLS 1.2+ enforced at Istio Ingress Gateway (ACM wildcard certificate)
- mTLS between all internal pods (Istio ISTIO_MUTUAL mode)
- HSTS with the preload directive instructs browsers to use HTTPS only for the domain, including on the very first visit once the domain is on the browser preload list
Secrets Management
Credentials never live in code or ConfigMaps. All secrets flow through:
AWS Secrets Manager (/calabi/{tenant}/{service}-{key})
↓ External Secrets Operator (ESO)
↓ Kubernetes Secret
↓ Pod environment variable (injected at runtime)
Network Isolation
- NetworkPolicy: Default deny-all ingress and egress between namespaces
- Explicit allow rules: Only Istio sidecar, DNS, ESO, and monitoring traffic permitted
- RDS/Search Engine: Accessible only from EKS node security group — no public endpoints
Data Encryption
| Layer | Encryption |
|---|---|
| Data in transit | TLS 1.2+ (all services) |
| RDS at rest | AWS managed KMS (enabled) |
| Search engine at rest | AWS managed KMS (enabled) |
| S3 buckets | SSE-S3 (server-side encryption) |
| EBS volumes (EKS nodes) | gp3 encrypted |
Reporting a Vulnerability
Email security@yourcompany.com with details. We aim to respond within 48 hours.