Endpoint Security Standard

How we secure API endpoints, from Cloudflare to our StarkNet gateway and application layer.

Endpoint Security

Field Value
Document ID STD-009
Classification Internal
Owner CTO (interim CISO)
Effective Date April 2026
Review Cycle Annual

This doc explains how we secure API endpoints β€” from Cloudflare at the edge, through our StarkNet gateway, to the application itself.

This applies to:

  • Public-facing APIs
  • Internal service-to-service calls
  • Mobile and web backends
  • Third-party integrations

See also: Server Security Policy (POL-020) and Web Application Security Policy (POL-023)

Device Endpoint Security

Authorized organizational assets (MacBooks, Windows laptops, GCP Linux VMs) are provided to employees. Each laptop is enrolled into Fleet (MDM + posture) and runs a Wazuh HIDS agent (telemetry + EDR) before being used for work.

Currently in place

Fleet (MDM + posture) on every laptop β€” manages device configuration, enforces encryption, and runs continuous posture checks

  • Mac: Apple Business Manager β†’ DEP zero-touch enrollment, or manual via fleet-enroll-mac.sh
  • Windows: Azure AD enrollment for corporate laptops; manual enrolment for non-AAD hosts
  • Configuration profiles pushed: FileVault (Mac), BitLocker + recovery key escrow (Windows), Application Firewall + stealth (Mac), screen lock policy
  • Posture policies (8): FileVault, BitLocker, firewall, screen lock, password complexity, OS up-to-date, Chrome up-to-date, Wazuh agent running. Failures surface in the Fleet dashboard
  • Software inventory + CVE detection via osquery + NVD feed
  • Remote lock + remote wipe available for any MDM-enrolled host (Fleet UI β†’ Hosts β†’ Wipe)
  • Configuration is GitOps β€” every Fleet change goes through a PR in the security repo (fleet/config/); Fleet UI is read-only at runtime

Wazuh agent on every laptop β€” serves as our HIDS + anti-malware layer

  • HIDS (Host Intrusion Detection) monitoring: failed logins, privilege escalation, suspicious processes
  • File Integrity Monitoring (FIM) on sensitive paths
  • Rootcheck scan every 12 hours β€” detects rootkits, trojans, hidden files/processes, policy-violating binaries
  • Vulnerability detection β€” reports installed package CVEs against NVD feed
  • Agents connect to wazuh-agents.wealthy.systems over TCP 1514
  • Enrolment scripts: agent-enroll.sh (Mac), agent-enroll-windows.ps1 (Windows), agent-enroll-gcp.sh (Linux)
  • Agent name derived from employee email (e.g., tushar-wealthy-in-office-mac)

OS-native anti-malware β€” complements Wazuh

  • macOS: XProtect (built-in, auto-updated by Apple)
  • Windows: Windows Defender (enabled by default)
  • Linux: Wazuh rootcheck is the primary control

Baseline expectations (Fleet-enforced via configuration profiles + posture policies)

  • FileVault on every Mac (BitLocker on every Windows laptop) β€” verified continuously by the Fleet filevault-enforced / bitlocker-enforced policies
  • Screen lock with password required immediately on lock β€” pushed via configuration profile, verified by screen-lock-enforced policy
  • Strong device password β€” pushed via password policy profile, verified by password-policy-enforced
  • OS kept current β€” verified by os-up-to-date policy (threshold bumped per Apple stable release)
  • Chrome kept current β€” verified by chrome-up-to-date policy

Verification

  • Fleet UI β†’ Hosts shows every enrolled laptop, last-checked-in time, posture pass/fail per policy
  • Fleet API exports per-host policy status (fleetctl get hosts --json) β€” auditable evidence trail
  • Wazuh agent_control -ls lists all connected agents and last-seen time
  • Wazuh Dashboard β†’ Vulnerabilities module shows per-agent CVE status
  • Cross-check: the Fleet wazuh-agent-running policy fails any laptop where the Wazuh daemon is not active β€” catches hosts where one tool is healthy but the other isn’t
  • Daily agent-health check is part of the SIEM Operations SOP (SOP-006)

Planned (not yet implemented)

The following device-level controls are on the roadmap:

Control Status Tracked as
Centralised patch management (OS-level forced updates, not just detection) Fleet posture policy detects out-of-date hosts; enforced auto-patching deferred H9
Posture-gated production access (laptop must pass Fleet checks before VPN/SSO grants access to prod systems) Not deployed β€” Fleet posture API exists; integration with IdP pending H10

Previously planned controls that are now in place:

  • macOS configuration profiles (FileVault, screen lock, firewall, stealth) β€” pushed via Fleet
  • Windows BitLocker enforcement β€” pushed via Fleet + Azure AD CSP, verified by posture policy
  • MDM enrolment β€” Fleet (open-source, self-hosted on GKE)

Lost / stolen device

  • Employee reports immediately to SecOps (security@wealthy.in) + HR
  • For MDM-enrolled hosts (DEP Mac, Azure-AD Windows): Fleet UI β†’ Hosts β†’ select host β†’ Lock or Wipe (issues Apple EraseDevice for Mac, MS-MDM RemoteWipe for Windows). Wipe is irreversible β€” confirm with HR/IT first.
  • For non-MDM-enrolled hosts (manual/BYOD): rely on FileVault / BitLocker disk encryption β€” recovery keys are held in Fleet’s escrow and are NOT released to the user, so the disk remains unreadable
  • Wazuh agent reports device disconnection in next heartbeat cycle
  • Google Workspace account access is revoked (see User Account Lifecycle (STD-014))
  • Treated as data breach only if disk encryption was unconfirmed at the time of loss

See also the Mobile Device Security Policy (POL-015) for personal mobile device controls and Third-Party & Vendor Management (POL-022) for contractor/vendor-issued devices.

Request Flow

We use two different request paths depending on the product.

Insurance Products

Client β†’ Cloudflare (DNS + DDoS) β†’ AWS CloudFront (WAF) β†’ Backend Services

Cloudflare handles DNS and initial DDoS filtering. AWS CloudFront enforces the WAF and does edge caching before routing traffic to the insurance backend services.

All Other Products (Broking, Mutual Funds, etc.)

Client β†’ Cloudflare (Proxy) β†’ GCP Load Balancer β†’ StarkNet Gateway β†’ Backend Services
  • Cloudflare acts as a full proxy, handling DNS, DDoS protection, caching, and bot management.
  • Google Cloud Load Balancer provides L7 load balancing and SSL termination.
  • StarkNet Gateway is our custom Go-based gateway that enforces authentication, rate limiting, and other security plugins.

Layer 1: Edge Security (Cloudflare)

DDoS Protection

Cloudflare provides enterprise-grade DDoS protection at multiple layers:

Layer Protection
L3 (Network) Volumetric attack mitigation, IP reputation filtering.
L4 (Transport) TCP/UDP flood protection, SYN flood mitigation.
L7 (Application) HTTP flood protection, challenge pages for suspicious traffic.

DDoS protection is enabled for all our zones with the sensitivity level set to “High” for financial services.

SSL/TLS

Setting Requirement
Minimum TLS Version TLS 1.2 (TLS 1.3 preferred)
SSL Mode Full (Strict) β€” validates the origin certificate
HSTS Enabled with min-age of 1 year
Always Use HTTPS Enabled

Bot Management

  • Bot Fight Mode: Enabled
  • Super Bot Fight Mode: Enabled with JavaScript detection
  • AI Scrapers/Crawlers: Blocked unless on an allowlist
  • Browser Integrity Check: Enabled

Layer 2: WAF (AWS CloudFront for Insurance)

Our AWS CloudFront distribution for insurance products uses a Web Application Firewall with the following rules:

Custom Rules

  • Country-Based Blocking: Blocks access from specific countries.
  • BlockCommonScannerPaths: Blocks requests for paths like /.env, /.git, /wp-admin, etc.

AWS Managed Rule Sets

  • AWSManagedRulesBotControlRuleSet: Identifies and blocks bot traffic.

Note: We should evaluate enabling more managed rule sets like OWASP Core, SQLi, and XSS protection.

Layer 3: Load Balancing (GCP for other products)

The Google Cloud Load Balancer is used for non-insurance products.

Setting Value
Scheme External HTTPS (L7)
SSL Policy MODERN profile (TLS 1.2 and 1.3 only)
Certificates Google-managed
Health Checks Every 10 seconds on the /health path

Backend services are in a private VPC with no direct internet access.

Layer 4: API Gateway (StarkNet)

StarkNet is our custom Go API gateway. This is the core security enforcement layer for all non-insurance traffic.

AuthPlugin

Validates JWT tokens via an external authentication service. It caches auth responses, forwards necessary headers, and bypasses OPTIONS requests for CORS.

RateLimitPlugin

Uses a Redis-backed Leaky Bucket algorithm.

Strategy Use Case
By IP Default for unauthenticated endpoints
By User ID Uses X-W-USER-id header for logged-in users
By Header For other custom rate-limiting scenarios

IPAccessControlPlugin

Provides IP whitelisting and blacklisting with CIDR support. Useful for whitelisting office IPs for admin endpoints or blocking known attackers.

GeoAccessControlPlugin

Country-based access control using the X-Client-Country header, which is populated by our IP Extraction Middleware.

CORSPlugin

Enforces strict Cross-Origin Resource Sharing policies. It validates browser security headers and strictly matches origins against an allowlist.

CircuitBreakerPlugin

Prevents cascade failures by monitoring backend health. If a service’s failure rate exceeds a threshold, the circuit opens, and requests are rejected until the service recovers.

Layer 5: Application-Level Controls

Input Validation

  • Schema validation using JSON Schema or Protocol Buffers.
  • Strict type checking and length limits.
  • Format validation with regex for structured data.

Database Security

  • All database queries use parameterized statements to prevent SQL injection.
  • We use an ORM with prepared statements.

Output Encoding

  • Context-aware encoding for HTML, JavaScript, and URLs to prevent XSS.

Error Handling

  • Generic error messages are shown to users.
  • Detailed errors are logged internally for debugging.
  • No stack traces are ever exposed in production responses.

Hardening Checklist

Control Verification Method Frequency
TLS 1.2+ enforced SSL Labs test, nmap Monthly
DDoS protection active Cloudflare dashboard Weekly
WAF rules reviewed AWS WAF console Weekly
Rate limiting configured StarkNet config review Monthly
Input validation enforced Code review, VAPT Per release
Parameterized queries Static code analysis (SAST) Per release

Monitoring & Alerting

We use OpenTelemetry, Grafana, and VictoriaMetrics. Alerts are sent to Slack.

Metric Alert Threshold Escalation
Rate limit hits > 1000/minute SRE on-call
Auth failures > 100/minute per IP Security team
WAF rule triggers > 50/minute Security team
Circuit breaker opens Any SRE on-call