
Layered Service Exposure

Define the layered security architecture for web applications — each layer hides the one below it

Andrei Solovev

Metadata

Tags: architecture, recommended

Procedures

Showing 3 of 4

  1. Database is NEVER exposed publicly
    PostgreSQL/Redis/Supabase listen on the internal Docker network only.
    No public port binding. No direct client access. The database is reached
    exclusively by the API server on the same Docker network.
    Check: a `ports:` entry in Compose binds to 0.0.0.0 by default, and Docker
    inserts its own iptables rules ahead of host firewalls such as ufw, so a
    host-level deny rule does not protect a published port. Verify on the host
    with `docker compose ps` (no `0.0.0.0:5432->5432` mapping) or `ss -ltnp`.
    # docker-compose.yml — NO ports mapping to host
    services:
      postgres:
        image: postgis/postgis:17
        networks:
          - internal
        # ports: OMITTED — only accessible within Docker network
    networks:
      internal:
        internal: true   # no external route; reachable only from containers on this network
  2. API server queries database, never exposes connection details
    The Go API (Chi router) connects to the database via its internal Docker
    hostname. Connection strings, credentials, and schema details are never
    returned in API responses. All data flows through typed Go structs that
    project only the fields clients need. Database driver errors are part of
    this: their text can embed the host, database name, or SQL, so they are
    logged server-side and replaced by a generic status, never written to the
    response.
    // Go API handler — returns domain data, not database internals
    func (h *PropertyHandler) List(w http.ResponseWriter, r *http.Request) {
        properties, err := h.store.ListPublished(r.Context())
        if err != nil {
            // Driver errors can carry host, database name or SQL text:
            // log them here and return a generic status, never err.Error().
            log.Printf("ListPublished: %v", err)
            http.Error(w, "internal server error", http.StatusInternalServerError)
            return
        }
        // Returns []PropertyResponse — no schema/connection info leaks
        writeJSON(w, http.StatusOK, properties)
    }
  3. SvelteKit Web fetches from API server-side only
    All API calls happen in +page.server.ts or +server.ts (server-side).
    The browser NEVER sees the API URL or makes direct API calls.
    SvelteKit acts as a BFF (Backend-for-Frontend), transforming API
    responses into page data. The API base URL is read from
    `$env/static/private`, which SvelteKit refuses to bundle into client
    code, so it cannot end up in the browser by accident. Note that whatever
    `load` returns is serialized into the page, so the same projection
    discipline applies: return only the fields the page renders.
    // +page.server.ts — server-side only, never reaches browser
    import { API_BASE_URL } from '$env/static/private'; // private env: build fails if imported client-side
    import { error } from '@sveltejs/kit';
    import type { PageServerLoad } from './$types';

    export const load: PageServerLoad = async ({ fetch }) => {
        const res = await fetch(`${API_BASE_URL}/api/properties`);
        // Do not forward the upstream error body; it is the API's, not the page's
        if (!res.ok) throw error(502, 'upstream unavailable');
        const data = await res.json();
        return { properties: data.properties };
    };
    
    // +page.svelte — receives pre-fetched data, no API knowledge
    <script>
        let { data } = $props();
        // data.properties is already here — no fetch needed
    </script>
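The three steps above form one pipeline: the database row is the widest view, the API projects it down to a response type, and the BFF hands only page data to the browser. The following is an added example, not the project's own code, that makes the middle layer concrete and testable: a `PropertyHandler.List` in the shape shown in step 2, backed by a fake store (the `propertyRow` schema, its fields, the `Store` interface, `Serve`, `LeaksInternals` and the sample rows are all assumptions constructed for this example). It shows the projection from row to `PropertyResponse`, the filtering of unpublished rows, the replacement of a driver error (which here carries a connection string) with a generic 500, and a check that scans the response body for anything that should never leave the API.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// propertyRow mirrors a database row (hypothetical schema, constructed for this
// example). Internal and PII fields live here and never leave the package.
type propertyRow struct {
	ID          int64
	Slug        string
	Title       string
	PriceCents  int64
	OwnerEmail  string // PII: must not be exposed
	InternalRef string // internal tracking field
	Published   bool
	UpdatedAt   time.Time
}

// PropertyResponse is the public projection. A field that is not declared
// here cannot be serialized, whatever the row contains.
type PropertyResponse struct {
	ID    int64  `json:"id"`
	Slug  string `json:"slug"`
	Title string `json:"title"`
	Price int64  `json:"price_cents"`
}

func toResponse(r propertyRow) PropertyResponse {
	return PropertyResponse{ID: r.ID, Slug: r.Slug, Title: r.Title, Price: r.PriceCents}
}

// Store abstracts the database so the handler can be exercised without Postgres.
type Store interface {
	ListPublished(ctx context.Context) ([]propertyRow, error)
}

type PropertyHandler struct {
	store Store
	log   *log.Logger
}

// List returns published rows projected to PropertyResponse. Store errors are
// logged server-side and replaced with a generic 500: driver error text can
// carry the hostname, database name, credentials or SQL.
func (h *PropertyHandler) List(w http.ResponseWriter, r *http.Request) {
	rows, err := h.store.ListPublished(r.Context())
	if err != nil {
		h.log.Printf("ListPublished: %v", err)
		http.Error(w, `{"error":"internal server error"}`, http.StatusInternalServerError)
		return
	}
	out := make([]PropertyResponse, 0, len(rows))
	for _, row := range rows {
		if row.Published { // defence in depth: never trust the store to filter
			out = append(out, toResponse(row))
		}
	}
	writeJSON(w, http.StatusOK, map[string]any{"properties": out})
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// fakeStore and sampleRows are constructed test data, not real records.
type fakeStore struct {
	rows []propertyRow
	err  error
}

func (f fakeStore) ListPublished(context.Context) ([]propertyRow, error) { return f.rows, f.err }

var sampleRows = []propertyRow{
	{ID: 1, Slug: "loft-12", Title: "Loft 12", PriceCents: 250_000_00, OwnerEmail: "owner@example.test", InternalRef: "CRM-4471", Published: true},
	{ID: 2, Slug: "draft", Title: "Unlisted", PriceCents: 1, OwnerEmail: "x@example.test", Published: false},
}

// Serve runs the handler against a store and returns status and body for inspection.
func Serve(s Store) (int, string) {
	h := &PropertyHandler{store: s, log: log.New(io.Discard, "", 0)}
	rec := httptest.NewRecorder()
	h.List(rec, httptest.NewRequest(http.MethodGet, "/api/properties", nil))
	return rec.Code, rec.Body.String()
}

// LeaksInternals is the check: does the body contain anything a client must never see?
func LeaksInternals(body string) bool {
	for _, s := range []string{"postgres://", "OwnerEmail", "owner@", "InternalRef", "CRM-", "pg_", "dial tcp"} {
		if strings.Contains(body, s) {
			return true
		}
	}
	return false
}

func main() {
	code, body := Serve(fakeStore{rows: sampleRows})
	fmt.Println(code, body) // 200 {"properties":[{"id":1,"slug":"loft-12","title":"Loft 12","price_cents":25000000}]}
	code, body = Serve(fakeStore{err: errors.New("dial tcp postgres:5432: connection refused (postgres://app:secret@postgres/app)")})
	fmt.Println(code, body) // 500 {"error":"internal server error"}
}
```

The leak check is deliberately a string scan over the serialized body rather than a struct comparison: it catches the failure mode that matters in production, which is a new internal field or a verbose error reaching the wire, regardless of which code path produced it. In a real service the same scan belongs in a handler test that runs against the actual store implementation with a sanitized fixture database.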

Tools

  • SvelteKit — +page.server.ts for all data fetching, +server.ts for API proxying
  • Chi Router — Go HTTP router for API endpoints with middleware chain
  • Cloudflare — DNS proxy mode (orange cloud), Workers for edge logic
  • Docker — Internal network isolation between services

References

  • OWASP ASVS (rule) — Application Security Verification Standard — defense in depth, layer separation
  • Backend-for-Frontend (BFF) (rule) — SvelteKit server-side load acts as BFF — aggregates API calls, returns page-specific data
© 2026 shredbx.com. All rights reserved. — Andrei Solovev