Skip to content
HeliosDB HeliosDB Full

WASM Edge Computing: Security

WASM Edge Computing: Security

Part of: WASM Edge Computing User Guide

TLS 1.3 Everywhere

All edge traffic uses TLS 1.3:

use heliosdb_wasm::edge::security::TlsConfig;


let tls_config = TlsConfig {
    min_version: TlsVersion::V1_3,
    cipher_suites: vec![
        CipherSuite::TLS_AES_256_GCM_SHA384,
        CipherSuite::TLS_CHACHA20_POLY1305_SHA256,
    ],
    enable_session_resumption: true,
    enable_early_data: false, // Disable 0-RTT for security
};


runtime.configure_tls(tls_config).await?;

mTLS for Edge-to-Edge

Mutual TLS for node communication:

use heliosdb_wasm::edge::security::MtlsConfig;


let mtls_config = MtlsConfig {
    ca_cert: load_ca_cert()?,
    node_cert: load_node_cert()?,
    node_key: load_node_key()?,
    verify_client: true,
    require_and_verify_client_cert: true,
};


sync.configure_mtls(mtls_config).await?;

JWT Authentication

use heliosdb_wasm::edge::security::{JwtConfig, JwtValidator};


let jwt_config = JwtConfig {
    issuer: "https://auth.example.com".to_string(),
    audience: "heliosdb-edge".to_string(),
    algorithm: Algorithm::RS256,
    public_key: load_public_key()?,
};


let validator = JwtValidator::new(jwt_config)?;


// Validate request
#[heliosdb_edge_function]
pub async fn protected_handler(ctx: &EdgeContext) -> Result<Value> {
    let token = ctx.request.header("Authorization")?
        .strip_prefix("Bearer ")?;


    let claims = validator.validate(token)?;


    // Proceed with authenticated user
    let user_id = claims.sub;
    handle_request(user_id).await
}

Rate Limiting

use heliosdb_wasm::edge::security::RateLimiter;


let rate_limiter = RateLimiter::new(RateLimitConfig {
    requests_per_minute: 600,
    burst_size: 100,
    enable_ip_based: true,
    enable_token_based: true,
});


#[heliosdb_edge_function]
pub async fn handler(ctx: &EdgeContext) -> Result<Value> {
    let client_ip = ctx.request.client_ip()?;


    if !rate_limiter.allow(&client_ip).await? {
        return Err(Error::RateLimitExceeded);
    }


    // Proceed with request
    handle_request().await
}

DDoS Protection

use heliosdb_wasm::edge::security::DdosProtection;


let ddos = DdosProtection::new(DdosConfig {
    enable_challenge: true,
    challenge_difficulty: ChallengeDifficulty::Medium,
    enable_geo_blocking: true,
    blocked_countries: vec!["XX".to_string()],
    enable_fingerprinting: true,
});


// Automatic challenge for suspicious requests
let result = ddos.check_request(&request).await?;


match result {
    DdosCheckResult::Allow => {
        // Proceed
    }
    DdosCheckResult::Challenge(challenge) => {
        // Send challenge to client
        return Ok(challenge.into_response());
    }
    DdosCheckResult::Block(reason) => {
        // Block request
        return Err(Error::Blocked(reason));
    }
}

Geo-Blocking

use heliosdb_wasm::edge::cdn::GeoFenceRule;


let rule = GeoFenceRule {
    rule_id: "gdpr_compliance".to_string(),
    allowed_regions: vec![
        Region::EuWest1,
        Region::EuWest2,
        Region::EuCentral1,
        Region::EuNorth1,
    ],
    denied_regions: vec![],
    allowed_countries: vec!["DE".to_string(), "FR".to_string(), "GB".to_string()],
    denied_countries: vec![],
};


cdn_manager.add_geo_fence(rule).await?;


// Check if request is allowed
if !cdn_manager.is_region_allowed(&request_region).await {
    return Err(Error::GeographicallyBlocked);
}