Security

Security is in the
infrastructure, not a policy.

WAF, bot scoring, zero-credential identity, and infrastructure isolation are not bolt-ons. They are default, always-on components in the path of every request and every provisioned resource.

9
OWASP WAF rule categories
6
Bot scoring signals
259k
Geo-IP CIDR ranges
Zero
Stored credentials in infra
OWASP TOP 9

Web Application Firewall

  • SQL injection — parameterized pattern matching across query strings, bodies, and headers
  • Cross-site scripting (XSS) — script tag, event handler, and JavaScript URI detection
  • Remote file inclusion (RFI) — scheme and path-traversal pattern blocking
  • Path traversal — `../` and encoded variant normalization before matching
  • Local file inclusion (LFI) — sensitive file path pattern matching
  • Command injection — shell metacharacter and backtick detection
  • LDAP injection — special character and filter escape blocking
  • XML/XPath injection — entity and axis expression detection
  • HTTP method enforcement — only GET / POST / PUT / PATCH / DELETE / HEAD / OPTIONS allowed
MULTI-SIGNAL SCORING

Bot Protection

  • Per-IP request rate monitoring — sliding window counters per 10-second and 60-second intervals
  • Path heuristics — unusual endpoint probing patterns (admin, wp-admin, .env, .git, etc.) scored
  • IP reputation lists — known scanner and malicious IP ranges checked at edge ingress
  • User-agent analysis — headless browser and known bad-actor agent strings scored
  • Geo-IP context — requests from high-risk regions receive elevated scrutiny, not auto-block
  • Composite scoring — no single signal blocks; weighted combination reduces false positives
259K+ IPv4 RANGES

Geo-IP Routing

  • 259,824 IPv4 CIDR ranges from all five Regional Internet Registries (ARIN, RIPE, APNIC, LACNIC, AFRINIC)
  • Updated from RIR delegation files at container startup and periodically in operation
  • Country-level resolution — used for routing logic, logging, and optional geo-block policies
  • Not used for payment or identity — geo-IP informs risk scoring, never blocks legitimate traffic by default
NO STORED PASSWORDS

Zero-Credential Identity

  • System-assigned managed identity on every BRICQS Container App — no client secret, no certificate rotation
  • Redis operates in zero-credential mode — key-based authentication permanently disabled at the resource level
  • Short-lived tokens (40-minute TTL) auto-refreshed by the identity credential provider — no manual rotation
  • Provider API keys (OpenAI, Anthropic, Google) stored in org-dedicated secrets vault — never in environment variables
  • BRICQS secretref — secrets injected as Container App secrets, never exposed in logs or API responses
  • No plaintext credentials in any configuration file, Dockerfile, or CI/CD variable store
DEDICATED PER ORG

Infrastructure Isolation

  • GPU Container Apps — each deployment provisioned as a separate Azure Container App with its own FQDN and identity
  • Postgres databases — dedicated server per organization, no connection sharing across org boundaries
  • Storage accounts — dedicated blob container per org with SAS tokens scoped to that org only
  • Secrets vaults — org-scoped key namespace; cross-org key access is impossible by design
  • Edge slots — routing rules and WAF policies are per-domain, not shared across customers

Report a vulnerability

If you find a security issue in BRICQS infrastructure or APIs, please disclose it responsibly. We aim to acknowledge reports within 24 hours and resolve critical findings within 72 hours.

security@bricqsai.com