Knowledge
Search knowledge... ⌘K
Knowledge · Guidelines · architecture
Layered Service Exposure
Define the layered security architecture for web applications — each layer hides the one below it
Metadata
architecture recommended
Procedures
Showing 3 of 4
- 1 Database is NEVER exposed publicly
PostgreSQL/Redis/Supabase listen on internal Docker network only. No public port binding. No direct client access. Database is accessed exclusively by the API server on the same Docker network.
# docker-compose.yml — NO ports mapping to host postgres: image: postgis/postgis:17 networks: - internal # ports: OMITTED — only accessible within Docker network - 2 API server queries database, never exposes connection details
The Go API (Chi router) connects to database via internal Docker hostname. Connection strings, credentials, and schema details are never returned in API responses. All data flows through typed Go structs that project only the fields clients need.
// Go API handler — returns domain data, not database internals func (h *PropertyHandler) List(w http.ResponseWriter, r *http.Request) { properties, err := h.store.ListPublished(r.Context()) // Returns []PropertyResponse — no schema/connection info leaks writeJSON(w, http.StatusOK, properties) } - 3 SvelteKit Web fetches from API server-side only
All API calls happen in +page.server.ts or +server.ts (server-side). The browser NEVER sees the API URL or makes direct API calls. SvelteKit acts as a BFF (Backend-for-Frontend), transforming API responses into page data.
// +page.server.ts — server-side only, never reaches browser export const load = async ({ fetch }) => { const res = await fetch(`${API_BASE_URL}/api/properties`); const data = await res.json(); return { properties: data.properties }; }; // +page.svelte — receives pre-fetched data, no API knowledge <script> let { data } = $props(); // data.properties is already here — no fetch needed </script>
Tools
- SvelteKit— +page.server.ts for all data fetching, +server.ts for API proxying
- Chi Router— Go HTTP router for API endpoints with middleware chain
- Cloudflare— DNS proxy mode (orange cloud), Workers for edge logic
- Docker— Internal network isolation between services
References
- rule OWASP ASVS— Application Security Verification Standard — defense in depth, layer separation
- rule Backend-for-Frontend (BFF)— SvelteKit server-side load acts as BFF — aggregates API calls, returns page-specific data