# Security Hardening

- Canonical URL: https://docs.fairvisor.com/docs/reference/security-hardening/
- Section: docs
- Last updated: n/a
> Secure-by-default deployment checklist for edge runtime.


## Network and exposure

- Keep `/v1/decision` internal-only (no public internet exposure)
- Restrict inbound callers to trusted gateways
- Restrict outbound egress to required SaaS endpoints only

## Secrets and credentials

- Store `FAIRVISOR_EDGE_TOKEN` in secret manager/K8s Secret
- Rotate tokens regularly and after incidents
- Never log or commit secret values

## Request trust boundaries

- Trust `X-Original-*` only from gateway boundary
- Do not trust client-supplied identity headers directly
- Normalize and validate forwarded headers consistently

## Runtime hardening

- Pin image tags and rollout via controlled promotion
- Enable minimal privileges in container runtime
- Keep fallback known-good bundle ready for emergency rollback

## Monitoring and audit

- Alert on `no_bundle_loaded`, SaaS disconnect, reject spikes
- Retain decision/reason telemetry for incident investigation