Security Hardening
Step-by-step practices to harden your Edge infrastructure: authentication, firewalls, API security, and agent access control.
Why security hardening matters
A single misconfigured VM or leaked API key can expose your infrastructure. Following these steps reduces attack surface and limits damage if credentials are compromised. Each section includes practical steps you can apply today.
1. SSH key authentication
Password-based SSH is vulnerable to brute force. Use SSH keys and disable password authentication.
Step-by-step:
- Generate an SSH key pair if you don't have one:
ssh-keygen -t ed25519 -C "your@email.com"
- When creating a VM in the control panel, paste your public key or select one from your account. Edge injects it into ~/.ssh/authorized_keys.
- After first login, disable password auth: edit /etc/ssh/sshd_config, set PasswordAuthentication no, then restart sshd.
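The edit in the last step only takes effect if no earlier line wins: sshd uses the first value it obtains for each keyword, so an Include placed above your setting can override it. The script below is an added example, not Edge tooling, that reports the value sshd would use globally; the sample file names are constructed.

```shell
#!/bin/sh
# Added example (not Edge tooling): report the global PasswordAuthentication
# value under sshd_config's rule that the first value obtained wins.

# Emit every global PasswordAuthentication value in parse order.
# Simplifications: "Key value" syntax only; a relative Include is resolved
# against the including file's directory (sshd itself uses /etc/ssh).
scan_sshd_config() (
    dir=$(dirname "$1")
    while read -r key val rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case $key in
            ''|'#'*) ;;                # blank line or comment
            match) break ;;            # lines after Match are conditional
            include)
                set -f                 # split the patterns without globbing
                for pat in $val $rest; do
                    set +f             # now let each pattern expand
                    case $pat in /*) ;; *) pat=$dir/$pat ;; esac
                    for f in $pat; do
                        if [ -f "$f" ]; then scan_sshd_config "$f"; fi
                    done
                done
                set +f ;;
            passwordauthentication)
                printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]' ;;
        esac
    done < "$1"
)

# Print the effective value; OpenSSH defaults to "yes" when it is never set.
effective_password_auth() {
    first=$(scan_sshd_config "$1" | head -n 1)
    printf '%s\n' "${first:-yes}"
}

# Constructed sample: the main file says "no", but an Include above it pulls
# in a drop-in (hypothetical name) that says "yes".
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sshd_config.d" || return 1
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-sample.conf"
    printf 'Include sshd_config.d/*.conf\nPort 22\nPasswordAuthentication no\n' \
        > "$d/sshd_config"
    printf '%s\n' "$d"
}
```

Call effective_password_auth /etc/ssh/sshd_config after editing; on a live host, sudo sshd -T prints the configuration sshd actually resolved and is the authoritative check.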
2. Firewall rules (security groups)
Edge uses security groups to control inbound and outbound traffic to VMs. Restrict access to only what your application needs — e.g. ports 80/443 for web, 22 for SSH from your IP only.
Step-by-step:
- In the control panel, go to Compute → Security Groups.
- Create a group with a sensible name (e.g. "web-server").
- Add inbound rules: allow TCP 22 from your IP (or a VPN/jump-host IP), TCP 80/443 from 0.0.0.0/0 if the VM serves web traffic.
- Attach the security group to your VM(s).
Avoid opening 0.0.0.0/0 for SSH unless necessary. Use edge compute security-groups in the CLI to manage rules.
3. Two-factor authentication for your Edge account
Enable 2FA on your Edge account. If your password is ever leaked, an attacker still needs your authenticator device.
Step-by-step:
- Go to Settings → Security in the control panel.
- Click Enable 2FA.
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.).
- Enter the verification code to confirm. Store recovery codes in a secure place.
4. API key management
API keys grant full account access. Rotate them periodically and scope them when possible.
Best practices:
- Rotation — Create a new key every few months or when a team member leaves. Revoke old keys in Settings → API Keys.
- Scoping — Use read-only keys for monitoring/backup workflows where write access is not needed.
- Storage — Never commit keys to version control. Use environment variables or a secrets manager.
Prefer Agent Access Codes for AI agents and automation — they have scoped permissions and budget limits, reducing blast radius if compromised.
5. SSL/TLS
When you use Edge CDN with a custom domain, SSL/TLS is handled automatically. Edge provisions and renews certificates for you. Ensure your domain is added to the CDN deployment and DNS points to Edge — HTTPS will be enabled by default.
For direct VM access (e.g. SSH), connections use your client's SSH key exchange. For web apps on VMs, put the CDN in front so traffic is encrypted end-to-end via Edge's edge SSL.
6. DNS security
DNSSEC adds cryptographic signing to DNS records, preventing spoofing and redirect attacks. DNSSEC support on Edge DNS is coming soon — we'll announce it when available.
In the meantime, use strong, unique passwords for your domain registrar and Edge account, and enable 2FA on both where possible.
7. Keep VMs updated
Unpatched systems are a common attack vector. Schedule regular updates for your VM OS and application dependencies.
Step-by-step (Ubuntu/Debian):
- sudo apt update && sudo apt upgrade -y
- Reboot if the kernel was updated.
Consider automating with cron or a configuration management tool. Edge provides base images that are regularly updated — recreate VMs periodically to get the latest base.
8. Agent access codes with limited permissions
If you use AI agents or coding assistants to manage Edge infrastructure, do not give them your account API key. Use Agent Access Codes instead — scoped credentials with time limits and budget caps.
Step-by-step:
- Go to Account → Agent Access in the control panel.
- Create a new code. Restrict products (e.g. only CDN and Compute, not billing).
- Set a budget cap so the agent cannot exceed a spend limit.
- Set an expiry date. Rotate codes when projects end.
This limits damage if an agent’s context is leaked or misused. See Agent Access Codes for details.