Network controls
TLS 1.3 only, HSTS preloaded, mTLS internal, per-project CORS and IP allow-list, private endpoints for storage.
What it is
Public surface: control plane and all *.asc.aiarco.com subdomains are TLS 1.3 only. TLS 1.2 fallback is disabled. HSTS is preloaded with max-age=63072000; includeSubDomains; preload.
Internal: control plane to runtime worker traffic is mTLS. Workers present client certificates issued by a short-lived internal CA; rotation is automated.
CORS: per-project allow-list. Wildcards (*) are rejected at boot time in production. The list is yours to manage in the dashboard or via POST /v1/projects/{p}/cors.
IP allow-list: optional per-project (or per-key) IP allow-list. When enabled, requests outside the list return 403 forbidden.
Private endpoints: object storage exposes a private endpoint per region so traffic from your Atlas pods never traverses the public internet. See Networking.
Security response headers: every control-plane response carries:
Strict-Transport-Security(HSTS, preload).X-Content-Type-Options: nosniff.X-Frame-Options: DENY.Referrer-Policy: strict-origin-when-cross-origin.Permissions-Policy: ()(deny-all).
Quickstart
# Inspect headers
curl -sI https://api.asc.aiarco.com/v1/healthz | grep -iE 'strict-transport|x-content|x-frame|referrer|permissions'
# Update CORS allow-list
asc projects cors set my-proj --origins https://app.example.com,https://staging.example.comclient.projects.cors.set('my-proj', origins=['https://app.example.com','https://staging.example.com'])await client.projects.cors.set('my-proj', { origins: ['https://app.example.com'] });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Min TLS | 1.3 | — | Control plane |
| HSTS max-age | 63072000 s (2 y) | — | Preload-eligible |
| CORS origins per project | 100 | — |
API surface
POST /v1/projects/{p}/corsPOST /v1/projects/{p}/ip-allowlist