Ingress design
Proxy policy should enforce TLS, connection limits, and request size boundaries while preserving SCIM headers required for tracing and security analytics.
Hardening settings
- HTTP to HTTPS redirect at edge with strict transport policy.
- Buffer and timeout values tuned for large directory payloads.
- Rate limits by source identity and client role.
Deployment verification
Run a pre-production TLS and header-forwarding validation that includes SCIM filter-heavy payloads and large patch requests.
Hardening reference
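client_max_body_size 4m;                      # cap request bodies; sized for large SCIM payloads
proxy_read_timeout 60s;                       # max wait between reads from the upstream
proxy_send_timeout 60s;                       # max wait between writes to the upstream
add_header X-Request-ID $request_id always;   # return the request ID to the client on every response
proxy_set_header X-Request-ID $request_id;    # forward the same ID upstream so connector logs can correlate
ssl_protocols TLSv1.2 TLSv1.3;                # accept only TLS 1.2 and 1.3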
Propagating request IDs at the edge is required for replay and incident correlation in client and connector logs.
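One way to automate part of the deployment verification is to lint the proxy configuration before it ships. The following is an added example, not part of the original reference: the function names, the 4m ceiling passed as a default, and the expectation that the request ID reaches the connector through proxy_set_header are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample based on the reference directives, with a weak TLSv1.1 entry added.
SAMPLE = """
client_max_body_size 4m;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
add_header X-Request-ID $request_id always;
proxy_set_header X-Request-ID $request_id;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
"""
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}

def parse_directives(text):
    """Map directive name -> list of argument lists (one-line directives only)."""
    found = {}
    for line in text.splitlines():
        stmt = line.split("#", 1)[0].strip()   # drop trailing comments
        if stmt.endswith(";") and stmt[:-1].split():
            name, *args = stmt[:-1].split()
            found.setdefault(name, []).append(args)
    return found

def size_bytes(value):
    """Convert an nginx size such as 4m or 512k to bytes."""
    num, unit = re.fullmatch(r"(\d+)([kmg]?)", value.lower()).groups()
    return int(num) * UNITS[unit]

def audit(text, max_body="4m"):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(text), []
    protos = {p for args in d.get("ssl_protocols", []) for p in args}
    if not protos:
        findings.append("ssl_protocols not set")
    findings += [f"weak protocol enabled: {p}" for p in sorted(protos - ALLOWED_TLS)]
    body = d.get("client_max_body_size")
    if not body:
        findings.append("client_max_body_size not set")
    elif not 0 < size_bytes(body[-1][0]) <= size_bytes(max_body):
        # nginx treats 0 as "no limit", so it fails the boundary check too
        findings.append("client_max_body_size unbounded or above limit")
    for name in ("proxy_read_timeout", "proxy_send_timeout"):
        if name not in d:
            findings.append(f"{name} not set")
    for name, where in (("add_header", "returned to client"),
                        ("proxy_set_header", "forwarded upstream")):
        if not any(a and a[0].lower() == "x-request-id" for a in d.get(name, [])):
            findings.append(f"X-Request-ID not {where}")
    return findings
```

The linter only checks static configuration; the TLS handshake and header forwarding still need to be exercised against the running proxy with SCIM filter-heavy and large patch requests.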