Protected Access

LeafEnterprise's hosted internal surface uses Cloudflare Access at the perimeter and a trusted frontend-to-backend proxy secret for protected API calls.

Public And Protected Routes

/api/health can remain public for uptime checks. Internal API routes should require a trusted frontend proxy or service-token posture.

Browser Payload Rule

Never expose these values in browser responses:

  • Salesforce access tokens.
  • Salesforce VersionData or Attachment.Body URLs.
  • Microsoft Graph tokens.
  • Raw Graph download URLs.
  • Azure SQL, AWS SQL, ADLS, Service Bus, or Key Vault credentials.
  • Local OneDrive/share-drive paths.
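
One way to enforce the list above just before a response is serialized, as an added example rather than LeafEnterprise's own code. The regex patterns, function names, the `/api/evidence/...` route and the sample payloads are assumptions constructed for illustration; the patterns are heuristics meant to back up an allow-list of response fields, not replace it.

```python
import re

# Heuristic patterns, one per item in the list above. They are assumptions
# made for this example, not LeafEnterprise's own rules.
FORBIDDEN = {
    "salesforce_token": re.compile(r"\b00D[A-Za-z0-9]{12,15}![A-Za-z0-9._]{20,}"),
    "salesforce_file_url": re.compile(
        r"/sobjects/(?:ContentVersion/[^/\s]+/VersionData|Attachment/[^/\s]+/Body)\b"),
    "graph_token": re.compile(r"\beyJ[\w-]{8,}\.eyJ[\w-]{8,}\.[\w-]+"),  # JWT shape
    "graph_download_url": re.compile(r"@microsoft\.graph\.downloadUrl"),
    "credential": re.compile(
        r"\b(?:Password|Pwd|AccountKey|SharedAccessKey|client_secret)\s*=", re.I),
    "local_path": re.compile(r"(?:\b[A-Za-z]:\\|\\\\[\w.-]+\\)"),  # drive or UNC
}


def _scan(text, path):
    return [(path, rule) for rule, rx in FORBIDDEN.items() if rx.search(text)]


def find_leaks(payload, path="$"):
    """Walk a JSON-like payload; return (json_path, rule) for each hit."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            hits += _scan(str(key), child) + find_leaks(value, child)
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits += find_leaks(item, f"{path}[{i}]")
    elif isinstance(payload, str):
        hits += _scan(payload, path)
    return hits


def assert_browser_safe(payload):
    """Call before serializing a response; fail closed on any hit."""
    hits = find_leaks(payload)
    if hits:  # the error names paths and rules only, never the leaked value
        raise ValueError(f"blocked browser payload: {hits}")
    return payload


# Constructed sample payloads (not real LeafEnterprise responses).
SAFE = {"evidenceId": "ev-001", "download": "/api/evidence/ev-001/file"}
LEAKY = {
    "source": {"url": "https://example.invalid/services/data/v60.0/sobjects/"
                      "ContentVersion/068000000000001AAA/VersionData"},
    "items": [{"@microsoft.graph.downloadUrl": "https://example.invalid/d?x=1"}],
    "debug": "Server=tcp:example.invalid;Password=CONSTRUCTED;",
    "path": "C:\\Users\\analyst\\OneDrive\\audit.xlsx",
}
```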

Service Boundary

Frontend and workbench repos should call LeafEnterprise APIs for source evidence, run plans, packet posture, queue execution, and workbook readiness. They should not duplicate Salesforce SOQL, Azure SQL mirror joins, Graph retrieval, or savings/audit packet assembly.