Encryption, vulnerability scanning, secrets rotation, and WAF.
All data is encrypted at rest and in transit.
| Layer | Method |
|---|---|
| Data at rest | AES-256 |
| Data in transit | TLS 1.3 |
| Database connections | TLS required |
| Private networking | WireGuard (ChaCha20-Poly1305) |
| Secrets storage | AES-256-GCM with per-key encryption |
| Backups | AES-256, encrypted before leaving the instance |
Scan Docker images for known CVEs before every deployment:

```bash
rf security scan
```

```
Scanning image sha256:a8f3b2c1...

VULNERABILITIES FOUND
─────────────────────

CRITICAL (1)
  CVE-2026-1234  openssl 3.0.12  → Fix: upgrade to 3.0.13

HIGH (3)
  CVE-2026-2345  node 20.11.0    → Fix: upgrade to 20.11.1
  CVE-2026-3456  libcurl 8.5.0   → Fix: upgrade to 8.6.0
  CVE-2026-4567  zlib 1.3.0      → Fix: upgrade to 1.3.1

MEDIUM (7)
  ...

Deploy blocked: 1 critical vulnerability found.
Fix the critical issue or deploy with: rf deploy --allow-critical
```

Treat `--allow-critical` as a documented, time-boxed exception rather than a routine flag; the gate only means something if fixing the finding is the default path.
Enable automatic scanning on every deploy:

```yaml
security:
  scan:
    enabled: true
    block_on: critical   # block at this severity or worse: critical, high, medium, or none
    ignore:
      - CVE-2026-9999    # Known false positive; record why, and revisit when the scanner updates
```
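To see what `block_on` and `ignore` actually decide, here is the same policy reproduced as a shell function over a saved scan report, so the gate can also run in a CI job that only has the report text. This is an added example, not part of the `rf` CLI: the report is constructed to mirror the output format shown above, `CVE-2026-9999` is the page's known-false-positive id, and `libfoo` is a placeholder package name.

```shell
# Added example, not part of the rf CLI: reproduce the block_on / ignore policy
# over `rf security scan` output. The report below is constructed to mirror the
# format shown on the page; libfoo is a placeholder package name.
SAMPLE_SCAN='Scanning image sha256:a8f3b2c1...
VULNERABILITIES FOUND
─────────────────────
CRITICAL (2)
CVE-2026-1234 openssl 3.0.12 → Fix: upgrade to 3.0.13
CVE-2026-9999 libfoo 1.0.0 → Fix: upgrade to 1.0.1
HIGH (3)
CVE-2026-2345 node 20.11.0 → Fix: upgrade to 20.11.1
CVE-2026-3456 libcurl 8.5.0 → Fix: upgrade to 8.6.0
CVE-2026-4567 zlib 1.3.0 → Fix: upgrade to 1.3.1'

# scan_gate BLOCK_ON IGNORE_IDS   (scan report on stdin)
#   BLOCK_ON    critical | high | medium | none  (block at this severity or worse)
#   IGNORE_IDS  space-separated CVE ids dropped before counting
# Prints the remaining counts per severity. Returns 1 when the deploy should be
# blocked, 0 when it may proceed, 2 on a bad BLOCK_ON value.
scan_gate() {
  block_on="$1"; ignore="$2"
  case "$block_on" in
    critical|high|medium|none) ;;
    *) echo "scan_gate: block_on must be critical, high, medium or none" >&2; return 2 ;;
  esac
  awk -v block_on="$block_on" -v ignore="$ignore" '
    BEGIN {
      rank["critical"] = 3; rank["high"] = 2; rank["medium"] = 1; rank["none"] = 0
      n = split(ignore, ids, " ")
      for (i = 1; i <= n; i++) skip[ids[i]] = 1
      sev = ""
    }
    /^CRITICAL/ { sev = "critical"; next }          # severity section headers
    /^HIGH/     { sev = "high"; next }
    /^MEDIUM/   { sev = "medium"; next }
    /^CVE-/     { if (!($1 in skip)) count[sev]++; next }   # $1 is the CVE id
    END {
      printf "critical=%d high=%d medium=%d\n",
             count["critical"] + 0, count["high"] + 0, count["medium"] + 0
      blocked = 0
      if (block_on != "none")
        for (s in count)
          if (count[s] > 0 && rank[s] >= rank[block_on]) blocked = 1
      exit blocked
    }'
}

# With the page config (block_on: critical, ignore: CVE-2026-9999) the
# constructed report still carries CVE-2026-1234, so the gate blocks.
printf '%s\n' "$SAMPLE_SCAN" | scan_gate critical "CVE-2026-9999" \
  || echo "deploy blocked (exit status $?)"
```

In a pipeline, feed it a captured report (`rf security scan > scan.txt; scan_gate critical "CVE-2026-9999" < scan.txt`) and let the non-zero exit fail the job; keep the ignore list in version control next to the `security.scan.ignore` entries so both gates agree.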
Scan running images for newly discovered vulnerabilities:

```bash
rf security scan --running
```

```
Scanning 4 running services...

web    (v43): 0 critical, 1 high, 3 medium
api    (v43): 0 critical, 0 high, 2 medium
worker (v43): 0 critical, 0 high, 1 medium
cron   (v43): ✓ No vulnerabilities
```

An image that was clean at deploy time can fail later once a new CVE is published against a package it already contains, so run this on a schedule rather than relying on the deploy-time scan alone.
Rotate credentials without downtime:

```bash
rf secrets rotate DATABASE_PASSWORD
```

```
Rotating DATABASE_PASSWORD...
  1. Generated new password
  2. Updated database user credentials
  3. Updated environment variable
  4. Restarted services (rolling)
  5. Verified connectivity

✓ DATABASE_PASSWORD rotated successfully
  Old credential invalidated after 30-second grace period
```
Schedule automatic rotation per secret:

```yaml
security:
  secrets_rotation:
    DATABASE_PASSWORD:
      interval: 30d
      auto: true
    REDIS_PASSWORD:
      interval: 30d
      auto: true
    API_SIGNING_KEY:
      interval: 90d
      auto: true
    notify: email:[email protected]
```
Require two-factor authentication for all team members:

```bash
rf security 2fa enforce
```

Team members who haven't enabled 2FA will be prompted on next login. Supports TOTP (Google Authenticator, Authy) and WebAuthn (hardware keys). WebAuthn is phishing-resistant and TOTP is not, so prefer hardware keys for accounts that can deploy to production or change secrets.
Every action is logged with who, what, when, and where:

```bash
rf audit list --last 7d
```

```
TIME              ACTOR                ACTION             RESOURCE
2026-03-16 14:23  [email protected]  deploy.created     service:web (v43)
2026-03-16 14:10  [email protected]  env.set            STRIPE_KEY (production)
2026-03-16 13:45  [email protected]  db.backup.created  pg-main
2026-03-16 12:00  system               autoscale.up       service:api (2→4)
2026-03-15 18:30  ci/cd                deploy.created     service:web (v42)
```

```bash
# Filter by actor
rf audit list --actor [email protected]

# Filter by action
rf audit list --action "deploy.*"

# Export for compliance
rf audit export --since 90d --format csv --output audit-q1.csv
```
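The export is plain data, so a team can run its own checks over it instead of reading it by hand. As an added example (not `rf` tooling), the shell function below flags two things a reviewer would want to see: a production secret changed by a person rather than the pipeline, and a deploy created by a person rather than `ci/cd`. It assumes the CSV columns are `time,actor,action,resource` in that order (check the header of your own export) and that fields contain no embedded commas; the rows are constructed to mirror the `rf audit list` output above, with example.com addresses standing in for real users.

```shell
# Added example, not rf tooling: a detection pass over an audit export.
# Column order time,actor,action,resource is ASSUMED; rows are constructed to
# mirror the page's audit output, with example.com placeholder addresses.
SAMPLE_AUDIT='time,actor,action,resource
2026-03-16 14:23,dev@example.com,deploy.created,service:web (v43)
2026-03-16 14:10,dev@example.com,env.set,STRIPE_KEY (production)
2026-03-16 13:45,ops@example.com,db.backup.created,pg-main
2026-03-16 12:00,system,autoscale.up,service:api (2→4)
2026-03-15 18:30,ci/cd,deploy.created,service:web (v42)'

# audit_flags   (CSV on stdin)  ->  one "RULE<TAB>row" line per finding
# Rules:
#   SECRET_CHANGE_OUTSIDE_CI  env.set on a production resource by a human actor
#   MANUAL_DEPLOY             deploy.created by anyone other than ci/cd
# "system" and "ci/cd" are the automated actors visible in the audit output.
audit_flags() {
  awk -F, '
    NR == 1 { next }                                   # skip the header row
    {
      actor = $2; action = $3; resource = $4
      human = (actor != "system" && actor != "ci/cd")
      if (action == "env.set" && human && resource ~ /\(production\)/)
        print "SECRET_CHANGE_OUTSIDE_CI\t" $0
      else if (action == "deploy.created" && human)
        print "MANUAL_DEPLOY\t" $0
    }'
}

# Number of findings in the constructed export (2: one of each rule).
audit_flag_count() {
  printf '%s\n' "$SAMPLE_AUDIT" | audit_flags | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_AUDIT" | audit_flags
```

Run it over a real export with `audit_flags < audit-q1.csv`; the rule bodies are the place to encode whatever the team considers an exception (for example, allowing named break-glass accounts to deploy manually) so that each finding has an owner to ask.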
Restrict access to specific IP ranges:

```bash
# Dashboard access
rf security ip-allow dashboard --add 203.0.113.0/24

# Service access
rf security ip-allow api --add 198.51.100.0/24 --environment production

# View rules
rf security ip-allow list
```
Network-level DDoS mitigation is always on. Volumetric attacks are absorbed at the edge before they reach your instances. Edge mitigation addresses bandwidth and packet floods; application-layer request floods that look like legitimate traffic still reach your services, so pair it with rate limiting or WAF rules for exposed endpoints.

```bash
rf security ddos status
```

```
DDoS Protection: Active
Mitigation mode: Automatic
Attacks blocked (30d): 3
Last attack: 2026-03-10 (2.3 Gbps, lasted 12 minutes, fully mitigated)
```