Pull Zone security and observability

Lock down delivery with IP and TLS controls, add request signing, and keep visibility through analytics and logs.

Access controls and rate limits

  • IP allowlist/blocklist per zone; a country blocklist placeholder exists for future rollout.
  • Optional rate limiting defined as requests per minute to slow abusive clients without touching origin capacity.

TLS and headers

  • SSL can be toggled per zone; certificates for hostnames are issued and renewed automatically.
  • Security headers:
    • X-Frame-Options
    • X-Content-Type-Options
    • Referrer-Policy
    • Content-Security-Policy (freeform)
  • CORS: enable the Access-Control-Allow-Origin header when browsers should fetch from other origins. Keep it off for private APIs.

WAF-style protections

  • Block root path access when your origin should never serve /.
  • Block common attack patterns (basic injection and traversal filters) with a single toggle.

AWS-style request signing

  • Administrator-only setting that signs requests against S3-compatible backends.
  • Provide the bucket name, access key, and secret key; keep the toggle off for public buckets and on for locked-down origins.
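As an added illustration of what the signing toggle does on the wire (this is example code, not the product's own implementation), the block below builds the AWS Signature Version 4 headers an edge would attach to a body-less GET against a private S3-compatible origin, and the matching origin-side check. The hostname, bucket, object path and credentials are constructed placeholders, and a path-style URL (`/{bucket}/{key}`) is assumed.

```python
import hashlib
import hmac
from datetime import datetime
from urllib.parse import quote

AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_s3_get(host, bucket, object_key, access_key, secret, region, amz_date):
    """Return the headers an edge attaches to GET /{bucket}/{object_key} on an
    S3-compatible origin (path-style URL, AWS Signature Version 4).
    amz_date is the request timestamp in x-amz-date form, e.g. 20240115T120000Z."""
    datetime.strptime(amz_date, AMZ_DATE_FMT)  # reject malformed timestamps early
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_uri = quote(f"/{bucket}/{object_key}", safe="/")  # encode segments, keep '/'
    canonical_request = "\n".join(
        ["GET", canonical_uri, "", canonical_headers, signed, EMPTY_SHA256])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the per-day signing key so the long-term secret never signs requests directly
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret).encode(), date_stamp),
                                  region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def verify_s3_get(headers, host, bucket, object_key, access_key, secret, region):
    """Origin-side check: rebuild the expected Authorization value from the
    presented x-amz-date and compare in constant time. Any change to host,
    path, timestamp or secret produces a mismatch."""
    try:
        expected = sign_s3_get(host, bucket, object_key, access_key, secret, region,
                               headers.get("x-amz-date", ""))
    except ValueError:  # missing or malformed timestamp
        return False
    return hmac.compare_digest(expected["authorization"],
                               headers.get("authorization", ""))
```

A production origin would additionally reject timestamps outside a short window and check the Credential scope against the caller's key; both are left out here to keep the signing path readable.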

Analytics and logs

  • Traffic analytics: daily traffic, total requests, cache performance, and status-code breakdowns.
  • Request logs: inspect recent requests to spot cache misses, origin failures, or blocked traffic.
  • Use analytics to validate cache rules after deployments; use logs to confirm IP rules and WAF behaviour without waiting for user reports.