Network

Updated May 26, 2026

Public traffic terminates at TLS-only ingress endpoints fronted by a Web Application Firewall. Production data stores have no direct internet path.

Transport

All public endpoints serve TLS 1.2 or higher only. Older protocol versions and weak cipher suites are rejected at the edge. Certificates are issued and rotated by an automated certificate management service.
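
The policy above ("TLS 1.2 or higher only") is one a customer can verify from the outside. The probe below is an added example, not Carriyo code; it offers a single protocol version per handshake and reports which ones the edge accepts, and the host name in it is a placeholder to replace with your own tenant endpoint.

```python
"""Probe a public endpoint for the TLS versions it will negotiate (added example)."""
import socket
import ssl

# One client context per version, each pinned to exactly that version.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")


def negotiates(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Offer exactly one protocol version and report whether the server accepted it."""
    ctx = ssl.create_default_context()  # certificate validation stays on
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:
        # Server rejection, connection failure, or a local OpenSSL that will not
        # offer the legacy version at all: in every case it was not negotiated.
        return False


def probe(host: str, port: int = 443) -> dict:
    """Map each version name to whether the endpoint negotiated it."""
    return {name: negotiates(host, port, v) for name, v in VERSIONS.items()}


def evaluate(results: dict) -> list:
    """Turn probe results into policy findings; an empty list means the policy holds."""
    findings = []
    for name in LEGACY:
        if results.get(name):
            findings.append(f"{name} accepted: legacy protocol not rejected at the edge")
    if not any(results.get(n) for n in ("TLSv1.2", "TLSv1.3")):
        findings.append("no modern TLS version negotiated: endpoint unreachable or misconfigured")
    return findings


if __name__ == "__main__":
    target = "api.example.invalid"  # placeholder hostname, not a Carriyo endpoint
    res = probe(target)
    for name, ok in res.items():
        print(f"{name}: {'negotiated' if ok else 'rejected'}")
    print("\n".join(evaluate(res)) or "policy holds: TLS 1.2+ only")
```

A modern OpenSSL may refuse to offer TLS 1.0/1.1 from the client side, so a "rejected" result for those versions is conclusive only when the same client is known to negotiate them elsewhere.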

Ingress and WAF

Public traffic enters through a managed CDN. A managed Web Application Firewall applies industry-standard rule sets (OWASP Top Ten, known bad inputs, bot controls) plus Carriyo's own rules for endpoint-specific abuse patterns. Always-on layer-3/4 DDoS protection runs at the edge; layer-7 mitigation is handled by the WAF.

Internal segmentation

Carriyo runs on AWS with services deployed across private network segments. Application services have no direct internet path; outbound calls egress through controlled paths. Data stores accept connections only from the application tier, never from the public internet, never directly from the edge.

IP allowlisting

Per-tenant source-IP allowlisting is not currently offered. Access is gated at the application layer through OAuth credentials, API keys, and tenant scoping (see Authentication and Tenant isolation).