Security Guide
Zero Trust for Web Applications: Where to Start
Move from broad network access to explicit, observable decisions for every user, device, workload, API, and sensitive resource.
Zero trust is not a product, a VPN replacement, or a rule that blocks everything outside the office. It is an operating model: do not grant implicit trust based on network location or asset ownership, and make access decisions around the identity, context, and resource involved.
For a web application, that means a request from an internal network is not automatically safe, an authenticated user is not automatically entitled to every object, and a service account is not a human identity. NIST SP 800-207 describes the shift clearly: protect resources rather than network segments, and authenticate and authorize before a session to a resource is established. CISA's maturity model adds a useful implementation lens across identity, devices, networks, applications, data, visibility, automation, and governance. Optimi's zero trust service page provides the platform context.
Define the boundary before choosing tools
The first step is to choose one application and write down what must be protected. Include the public site, login and account area, admin console, APIs, background jobs, storage, databases, third-party integrations, and deployment systems. Identify which resources are public, which require a user, which require a privileged operator, and which are machine-to-machine.
Then list the actors:
- Unauthenticated visitors and search crawlers.
- Customers, employees, contractors, and support staff.
- Administrators and break-glass operators.
- Mobile clients, partner integrations, webhooks, and scheduled jobs.
- Internal services, queues, databases, and deployment pipelines.
This inventory exposes a common failure: one coarse policy is being used for several very different trust decisions. Zero trust starts by separating them.
A practical implementation sequence
1. Establish strong identity
Use a central identity provider where practical, with phishing-resistant multi-factor authentication for administrators and high-risk operations. Define a stable identity for people, workloads, and external partners. Avoid sharing accounts, long-lived static credentials, and authorization based only on a mutable email address or IP range.
Authentication answers "who or what is this?" It does not answer "what may it do?" Keep authorization separate and make the required scope explicit in the application or policy layer.
For sessions, set appropriate expiry and revocation behavior, protect cookies, rotate refresh tokens where appropriate, and require reauthentication for sensitive changes. For APIs, prefer short-lived credentials, scoped tokens, signed requests, or mutual TLS when the integration requires strong client authentication. Document how a credential is issued, stored, rotated, and revoked before onboarding the client.
2. Model resources and actions
Write policy in terms of resources and actions: a customer may view their own invoices, a support agent may view assigned accounts, and a deployment service may publish an approved artifact but not read customer data. Include object-level authorization. A valid token for /orders/123 must not imply access to /orders/124.
Treat administrative actions as separate from ordinary reads. Require stronger context, approval, or step-up authentication for exporting data, changing payment details, changing access policy, or deploying code. Default-deny is useful when the resource model is complete; it is dangerous when teams use it as a substitute for understanding what the application actually does.
3. Put enforcement close to the resource
An edge gateway can help with TLS, identity integration, coarse route policy, rate limits, and obvious abuse before traffic reaches the origin. The application still needs fine-grained authorization because the edge often cannot understand ownership, workflow state, or business rules.
For APIs, combine authentication with schema validation, resource authorization, quotas, and abuse detection. Optimi's API protection page describes the edge portion of that control set. A WAF is useful for known attack patterns and virtual patching, but it is not an identity system and cannot decide whether a user is allowed to edit a particular object.
Zero trust is per request, not per login
A successful login creates context, not a permanent pass. Re-evaluate authorization for sensitive actions using the user, device or workload identity, resource, action, and relevant risk signals. Keep the decision observable so an operator can explain why access was allowed or denied.
4. Secure service-to-service paths
Map calls between frontend, API, worker, queue, storage, and third-party services. Give each workload its own identity and minimum permissions. Encrypt connections in transit, validate the peer where possible, and prevent a compromised service from reaching unrelated resources simply because it sits on the same private network.
Do not mistake private addressing for authorization. Network segmentation and security groups are useful containment layers, but they should narrow the blast radius rather than act as the only access decision. The TLS and HTTPS guide explains why encryption must also cover the origin and service-to-service legs.
5. Make policy and telemetry operational
Centralize policy ownership, but keep application teams responsible for resource definitions. Log authentication events, authorization decisions, policy changes, token issuance and revocation, administrative actions, and unusual access patterns. Include a request or trace identifier, subject, resource, decision, reason, and policy version without logging secrets or unnecessary personal data.
Alert on high-value events: repeated denials followed by a success, impossible changes in access context, bulk object reads, privilege changes, disabled MFA, and calls from an unexpected workload. Retain enough evidence to investigate, and define who can change policy during an incident.
6. Roll out by risk and observe first
Choose a narrow pilot such as an admin route, partner API, or sensitive export. Document the expected callers and actions. Run new rules in audit or report-only mode where the control supports it, compare decisions with application behavior, and fix identity and resource gaps before enforcement.
Roll out in stages with a tested break-glass path. Measure authorization failures, support tickets, latency, token errors, and successful completion of important user journeys. A policy that is theoretically strict but causes teams to create shared bypass accounts is not a mature control.
Provider-neutral edge notes
Cloudflare, Fastly, and other edge platforms can provide useful enforcement points for TLS, gateway authentication, WAF rules, rate limiting, and traffic visibility. The specific feature names and trust boundaries differ by provider. Treat the edge as one policy enforcement point, not as the whole architecture. Confirm what the provider sees, what it can verify, how keys are managed, and whether the origin independently authenticates the request.
Validation checklist
Test both expected and forbidden behavior:
- A user can access their own objects but receives a consistent denial for another user's object.
- A revoked credential fails promptly at every relevant enforcement point.
- A service account can perform its documented job and cannot browse unrelated data.
- An administrator must use stronger authentication for high-impact actions.
- Direct origin access is blocked or requires an independently verifiable identity.
- Policy changes are reviewed, versioned, logged, and reversible.
- Denials contain enough context for diagnosis without exposing secrets.
- Incident responders can use the break-glass path and see its use immediately.
Use automated authorization tests in CI, integration tests for each role and resource, and periodic access reviews based on real usage.
Mistakes to avoid
- Calling a network allowlist zero trust.
- Treating MFA as a replacement for object-level authorization.
- Giving every microservice a broad service account for convenience.
- Enforcing a new policy without observing legitimate machine clients first.
- Creating permanent bypasses after a false positive.
- Logging tokens, passwords, full payment data, or more personal data than needed.
- Forgetting operators, CI/CD systems, webhooks, and support tools in the identity inventory.
- Assuming an edge WAF can understand application business logic.
Start with one valuable resource, make the decision explicit, and make its evidence inspectable. Expand only when the identity and resource model is understood. For a review of the security boundary around a web estate, contact Optimi.
There are only two hard things in Computer Science: cache invalidation and naming things.
Find your first zero-trust boundary
Talk to our team about identity, edge enforcement, API protection, and an incremental application security plan.
Start a conversation