Security by Design

Enterprise Security

Memory safe. Secure by default. Zero CVEs from memory bugs.
Built in Rust. Protected at compile time.

Zero Unsafe CodemTLS SupportRequest Smuggling Prevention

Memory Safety Guaranteed

Trident is built in Rust with zero unsafe code blocks. This eliminates entire classes of vulnerabilities that have plagued C-based proxies like Varnish, nginx, and HAProxy.

C-Based Proxies Risk

  • • Buffer overflows
  • • Use-after-free vulnerabilities
  • • Double-free bugs
  • • Null pointer dereferences
  • • Memory leaks
  • • Data races in concurrent code

Trident (Rust) Guarantees

  • • No buffer overflows (compile-time bounds checking)
  • • No use-after-free (ownership system)
  • • No double-free (single ownership)
  • • No null pointers (Option types)
  • • No memory leaks (RAII)
  • • No data races (borrow checker)
0 CVEs
From memory safety bugs. Ever.

Request Smuggling Prevention

CL+TE Detection & Rejection

Requests with both Content-Length and Transfer-Encoding headers are automatically rejected. This prevents HTTP request smuggling attacks that exploit header interpretation differences between proxies and backends.

# Malicious request (rejected by Trident)
POST /admin HTTP/1.1
Host: target.com
Content-Length: 13
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: attacker.com

# Trident response: 400 Bad Request
# "Conflicting Content-Length and Transfer-Encoding headers"

CRLF Injection Blocking

Header values containing carriage return or line feed characters are rejected, preventing header injection attacks that could lead to cache poisoning or XSS.

# Malicious request (rejected by Trident)
GET /page HTTP/1.1
Host: target.com
X-Custom: value\r\nSet-Cookie: admin=true

# Trident response: 400 Bad Request
# "Invalid header value: contains CR or LF"

Invalid Content-Length Detection

Multiple Content-Length headers or non-numeric values are rejected. This prevents request splitting attacks.

# Malicious request (rejected by Trident)
POST /api HTTP/1.1
Host: target.com
Content-Length: 10
Content-Length: 50

# Trident response: 400 Bad Request
# "Multiple Content-Length headers detected"

Mutual TLS (mTLS)

Require client certificates for authentication. Perfect for internal service communication, API access control, and zero-trust architectures.

# trident.toml

[server.tls]
cert_file = "/etc/trident/server.crt"
key_file = "/etc/trident/server.key"

[server.tls.client_auth]
enabled = true
ca_file = "/etc/trident/ca.crt"      # CA that signed client certs
mode = "required"                     # or "optional"
verify_depth = 3                      # Certificate chain depth

# Client certificates are validated on every request
# Invalid/missing certificates = connection rejected
Zero Trust
Verify every connection
No Passwords
Certificate-based auth
Revocation
CRL/OCSP support

Secure by Default

Session Cookie Bypass

Requests with session cookies automatically bypass cache to prevent serving personalized content to wrong users.

# Automatic bypass for:
# - PHPSESSID
# - frontend (Magento)
# - laravel_session
# - Any custom session cookies

Authorization Bypass

Requests with Authorization headers bypass cache. API tokens and credentials are never cached or leaked.

# Automatic bypass for:
# - Authorization: Bearer xxx
# - Authorization: Basic xxx
# - X-API-Key headers
# - Custom auth headers (configurable)

Path Traversal Protection

URLs with path traversal sequences are normalized or rejected, preventing directory escape attacks.

# Protected against:
# /../../etc/passwd
# /images/../../../secrets
# URL-encoded variants (%2e%2e)

Admin API Protection

Admin API listens on separate port/interface. Never exposed to public traffic. Optional authentication tokens.

# Admin API isolated
[server]
listen = "0.0.0.0:80"         # Public
admin_listen = "127.0.0.1:8080" # Internal only

Enterprise Compliance

Security Features

  • Memory-safe implementation (Rust)
  • TLS 1.2/1.3 with configurable ciphers
  • mTLS client certificate authentication
  • Request smuggling prevention
  • CRLF injection blocking
  • Audit logging for admin operations
  • Separate admin API interface
  • Rate limiting support

Compliance Support

  • PCI-DSS compatible configuration
  • GDPR-ready (no personal data caching by default)
  • SOC 2 Type II aligned practices
  • HIPAA-compatible deployment options
  • ISO 27001 security controls
  • Comprehensive access logs
  • Encryption in transit (TLS)
  • No telemetry or phone-home

Security Comparison

FeatureVarnishnginxTrident
Memory Safe Language✗ C✗ C✓ Rust
Buffer Overflow Protection✗ Manual✗ Manual✓ Guaranteed
mTLS Support✗ Requires Hitch✓ Built-in✓ Built-in
Request Smuggling Prevention✗ Partial✗ Partial✓ Full
CRLF Injection Blocking✗ No✗ No✓ Yes
Session Cookie BypassVCL requiredConfig required✓ Default
Admin API Isolation✗ CLI only✗ No✓ Built-in

Security Without Compromise

All security features are included in every Trident plan.

Start Free TrialSecurity Assessment