SecPrep

Looking at this three-tier web application architecture, identify the key attack surface boundaries and name a high-priority control at each layer.

[Figure: three-tier web application architecture diagram showing a user/browser connecting through a CDN/WAF and load balancer to three app servers, which connect to a PostgreSQL database, a Secrets Manager, and an Auth/OIDC service]

Edge (CDN/WAF): enforce TLS, rate-limit, and apply WAF rules for OWASP Top 10 patterns — but don't rely on WAF as the only control.

Compute layer (app servers): validate and authorize every request; use short-lived credentials fetched from Secrets Manager (not hardcoded); validate JWTs with a pinned algorithm.

Data layer (DB): use parameterized queries to prevent SQLi; enforce Row-Level Security (RLS); restrict the app's DB role to least privilege (no DDL, no cross-schema reads).

Auth Service: issue short-lived JWTs (≤15 min access tokens + refresh rotation); enforce MFA for privileged flows; validate aud/iss claims on every request.

Secrets Manager: rotate credentials on a schedule; audit access; never log secret values.
