For the network security of the application, we enforce the following standards.

1. Virtual Private Network(VPN) + Jump Host( Bastion Host) Based Server Maintenance (Cluster Management Shell ) to enhance security. Reverse Proxying all network traffic to mask origin IP to enhance security. Apart from the above rules, additional measures could be added to enforce maximum security of data

2. Web Application Firewall (WAF) Configured at Domain level to prevent access to coronasafe.network from countries like US, China, Hongkong, Pakistan, Russian Federation Etc

3. Open Web Application Security Project (OWASP) core rule set based WAF rules implemented to protect common attack categories, including Structured Query Language (SQL) Injection and Cross-Site Scripting.

4. Customized WAF rules created to prevent common attacks and Bot Access

5. Autonomous system number (ASN) based lockdown in WAF against common threat matrix.

6. Sanity Check Based Block and Rate Limiting Enabled

7. Network-level Port Blocking allowing only ports 80 and 443 from the internet in the entire network

8. IP blacklist and lockdown based on Threat Score ( Score Greater than 8 is blocked) based on IP reputation.

9. Customized Content Security Policy (CSP) Header implemented to prevent common Clickjacking and other attacks.

10. HTTP Strict Transport Security (HSTS) preloaded domain-wide to enforce Hypertext Transfer Protocol Secure (HTTPS) only traffic with a Max-Age of 1 year

11. Origin to a domain, domain to domain, and domain to User traffic encrypted via Transport Layer Security 1.2 (TLS1.2) and above

12. Content Security Policy (CSP) and Certificate Transparency CT violations monitoring done to update threat matrix

13. The Domain Name System Security Extensions (DNSSEC) enabled to prevent domain takeovers. (DNSSEC protects against forged domain name system (DNS) answers. DNSSEC protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.)

14. Speed up of page load speed by the Implementation of Brotli Compression

15. HTTP/2 and HTTP/3(Quick User Datagram Protocol Internet Connections) enabled for faster network speeds

16. Automatic Branch-based Continuous integration (CI) and continuous delivery (CD) to prevent unauthorized access.

17. New pods are created before old pods with old code are terminated.

18. Database backups (Snapshots) are created daily at scheduled intervals and stored with Key Management Service (KMS) keys securely inside Cloud Infrastructure without external Access.

19. All Server Nodes, Volumes, and Database Instances are Encrypted with KMS-based Cryptographic Keys.

20. Database Connectivity allowed only using internal Private Network and allowed for the backend host only.