AIARCOASC Docs

Network controls

TLS 1.3 only, HSTS preloaded, mTLS internal, per-project CORS and IP allow-list, private endpoints for storage.

What it is

Public surface: control plane and all *.asc.aiarco.com subdomains are TLS 1.3 only. TLS 1.2 fallback is disabled. HSTS is preloaded with max-age=63072000; includeSubDomains; preload.

Internal: control plane to runtime worker traffic is mTLS. Workers present client certificates issued by a short-lived internal CA; rotation is automated.

CORS: per-project allow-list. Wildcards (*) are rejected at boot time in production. The list is yours to manage in the dashboard or via POST /v1/projects/{p}/cors.

IP allow-list: optional per-project (or per-key) IP allow-list. When enabled, requests outside the list return 403 forbidden.

Private endpoints: object storage exposes a private endpoint per region so traffic from your Atlas pods never traverses the public internet. See Networking.

Security response headers: every control-plane response carries:

  • Strict-Transport-Security (HSTS, preload).
  • X-Content-Type-Options: nosniff.
  • X-Frame-Options: DENY.
  • Referrer-Policy: strict-origin-when-cross-origin.
  • Permissions-Policy: () (deny-all).

Quickstart

# Inspect headers
curl -sI https://api.asc.aiarco.com/v1/healthz | grep -iE 'strict-transport|x-content|x-frame|referrer|permissions'
 
# Update CORS allow-list
asc projects cors set my-proj --origins https://app.example.com,https://staging.example.com
client.projects.cors.set('my-proj', origins=['https://app.example.com','https://staging.example.com'])
await client.projects.cors.set('my-proj', { origins: ['https://app.example.com'] });

Limits & quotas

LimitDefaultBurstNotes
Min TLS1.3Control plane
HSTS max-age63072000 s (2 y)Preload-eligible
CORS origins per project100

API surface

  • POST /v1/projects/{p}/cors
  • POST /v1/projects/{p}/ip-allowlist