GoRefer Trust Center
Network Security
Updated April 2026
GoRefer defends its network perimeter through multiple layers — from edge-level DDoS mitigation and WAF rules, to API rate limiting, security headers, and VPC network segmentation. Attacks are blocked before they reach application code.
This page documents the specific network-level controls in place. Where applicable, we publish exact header values and rate limit thresholds to help security reviewers verify our configuration independently.
Edge Security: DDoS Mitigation & WAF
Updated April 2026
All traffic to GoRefer passes through an edge security layer before reaching application servers. This layer provides volumetric DDoS mitigation, web application firewall (WAF) inspection, and bot detection — transparently and without impacting legitimate users.
DDoS Protection
Always-on Layer 3/4 mitigation
Volumetric and protocol-layer attacks are absorbed at the network edge — application servers never see the flood traffic
Layer 7 (application) DDoS detection
Behavioral analysis identifies unusual request patterns (e.g., login flood, API amplification) and challenges or blocks at the edge
Global anycast network
Traffic is routed to the nearest edge node, which keeps latency low for legitimate users and spreads attack traffic across a globally redundant network
Dedicated capacity for peak periods
GoRefer maintains WAF rules optimized for tax-season traffic spikes
Web Application Firewall (WAF)
OWASP Top 10 rule set active
Blocks SQL injection, XSS, command injection, path traversal, and other OWASP-classified attack vectors at the edge
Custom rule sets for GoRefer endpoints
Tuned WAF rules for tax-specific payloads — blocks known attack patterns targeting tax software APIs
Managed threat intelligence
WAF rules updated automatically as new CVEs and attack signatures emerge
Bot management
Automated bot traffic (credential stuffing, scraping, scanning) identified and challenged before reaching the application
Network Architecture & Segmentation
Updated April 2026
VPC & Network Isolation
Application servers run in private subnets — no direct internet access
Database servers are in a separate private subnet from application servers
Security groups enforce minimum-required port access only
No database ports are exposed to the internet at any time
Inter-service communication uses internal DNS and private IPs only
Traffic Inspection & Monitoring
All inbound and outbound traffic is logged at the VPC flow level
Anomalous outbound traffic patterns trigger automated alerts
DNS query logging enabled — detects C2 communication patterns
Network intrusion detection runs continuously against flow logs
Load balancer access logs retained for 365 days
API Rate Limiting
Updated April 2026
GoRefer enforces per-endpoint rate limits to protect against brute force attacks, data exfiltration attempts, and API abuse. Rate limits are enforced at both the edge layer and the application layer, so a request that slips past one layer is still counted and limited by the other.
| Endpoint / Scope | Rate Limit | Action on Breach | Why |
|---|---|---|---|
| POST /auth/login | 5 requests / 15 min per IP | Exponential backoff, then temporary block | Brute force protection |
| POST /auth/register | 10 requests / hour per IP | Block with CAPTCHA challenge | Account farming prevention |
| POST /auth/forgot-password | 3 requests / hour per email | Silent drop + alert | Email bombing protection |
| POST /auth/mfa/verify | 5 attempts per session | Session invalidated; re-auth required | MFA brute force protection |
| GET/POST /api/* (general) | 300 requests / min per authenticated user | 429 Too Many Requests | API abuse prevention |
| POST /api/gio/* (AI endpoints) | Governed by AI credit balance | 402 / credit exhaustion error | Compute cost + auditability |
| POST /api/*/export | 10 export requests / hour per firm | 429 + notification to admin | Data exfiltration detection |
Enterprise IP allowlisting available
Enterprise customers can register static IP ranges for API access. Allowlisted IPs receive elevated rate limits for integration and automation use cases. Contact your Customer Success manager or email security@gorefer.io to configure.
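The following is an added illustration of how a policy table like the one above can be enforced at the application layer; it is example code written for this page, not GoRefer's own implementation. It uses a sliding window keyed by the scope the table names (IP, email, firm) and maps each endpoint to the action the table lists. The backoff schedule (30 s doubling per strike, capped at the window length) and the four endpoints in the constructed `POLICY` dict are assumptions; the page publishes the thresholds but not the backoff durations.

```python
"""Sliding-window per-endpoint rate limiter with per-endpoint breach actions.

Added example; the endpoints and thresholds mirror the published table, while
the backoff schedule is an assumption for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Tuple


@dataclass(frozen=True)
class Limit:
    max_requests: int     # allowed requests per window
    window_seconds: int   # sliding window length
    key_by: str           # scope the limit is keyed on: "ip", "email", "firm", ...
    action: str           # what the caller must do when the limit is breached


# Constructed policy table (subset of the published limits).
POLICY: Dict[str, Limit] = {
    "POST /auth/login": Limit(5, 15 * 60, "ip", "backoff_then_block"),
    "POST /auth/register": Limit(10, 3600, "ip", "captcha"),
    "POST /auth/forgot-password": Limit(3, 3600, "email", "silent_drop"),
    "POST /api/*/export": Limit(10, 3600, "firm", "429_notify_admin"),
}

BACKOFF_BASE_SECONDS = 30  # assumed first penalty; doubles on each further strike


class SlidingWindowLimiter:
    """Tracks request timestamps per (endpoint, subject) and applies POLICY."""

    def __init__(self, policy: Dict[str, Limit]) -> None:
        self.policy = policy
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[Tuple[str, str], float] = {}
        self._strikes: Dict[Tuple[str, str], int] = defaultdict(int)

    def check(self, endpoint: str, subject: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, action). action is "" when the request is allowed.

        A denied request is not counted against the window, so a client that
        keeps retrying cannot extend its own penalty window indefinitely.
        """
        limit = self.policy[endpoint]
        key = (endpoint, subject)

        # Still inside a temporary block from an earlier breach.
        if now < self._blocked_until.get(key, 0.0):
            return False, limit.action

        hits = self._hits[key]
        cutoff = now - limit.window_seconds
        while hits and hits[0] <= cutoff:      # drop timestamps outside the window
            hits.popleft()

        if len(hits) >= limit.max_requests:
            self._strikes[key] += 1
            if limit.action == "backoff_then_block":
                # Exponential backoff: 30 s, 60 s, 120 s, ... capped at the window.
                penalty = min(BACKOFF_BASE_SECONDS * 2 ** (self._strikes[key] - 1),
                              limit.window_seconds)
                self._blocked_until[key] = now + penalty
            return False, limit.action

        hits.append(now)
        return True, ""


def http_status_for(action: str) -> int:
    """Map a breach action to the status the client should see.

    "silent_drop" deliberately returns the same status as success so an
    attacker cannot use the response to enumerate rate-limited addresses.
    """
    return {
        "": 200,
        "backoff_then_block": 429,
        "captcha": 429,
        "silent_drop": 200,
        "429_notify_admin": 429,
    }[action]


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(POLICY)
    for t in range(7):
        ok, action = limiter.check("POST /auth/login", "203.0.113.7", float(t))
        print(t, ok, action or "-", http_status_for(action))
```

The "silent drop" branch is worth noting: the forgot-password endpoint keeps returning a success-shaped response after the limit is hit, so the limit cannot be used to confirm whether an email address is registered; the alert the table mentions would be raised out of band.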
HTTP Security Headers
Updated April 2026
GoRefer serves a comprehensive set of security headers on all responses. These headers instruct browsers to enforce security constraints that protect users from XSS, clickjacking, content-type confusion, and protocol downgrade attacks.
| Header | Value / Setting | Protection Provided | Status |
|---|---|---|---|
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload | Forces all connections to use HTTPS for 2 years. Preloaded in major browser lists. | Enforced |
| Content-Security-Policy | Configured — restricts script, style, and media sources | Prevents cross-site scripting (XSS) by allowlisting trusted content sources. | Enforced |
| X-Frame-Options | DENY | Prevents GoRefer pages from being embedded in iframes on third-party sites (clickjacking protection). | Enforced |
| X-Content-Type-Options | nosniff | Prevents browsers from MIME-sniffing responses — stops content-type confusion attacks. | Enforced |
| Referrer-Policy | strict-origin-when-cross-origin | Prevents the full URL (including query parameters) from being leaked to external sites via the Referer header. | Enforced |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Disables browser APIs that GoRefer does not use — prevents browser feature hijacking. | Enforced |
| Cross-Origin-Opener-Policy | same-origin | Isolates the GoRefer browsing context — prevents cross-origin window attacks. | Enforced |
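Because the table publishes exact header values, a reviewer can check a captured response against it mechanically. The script below is an added example written for this page, not a GoRefer tool; it compares a response's headers against the values in the table, parses HSTS directives rather than string-matching them, and flags a CSP whose script source allows a wildcard or inline scripts. The two sample header sets are constructed for the demonstration and do not reflect any real response.

```python
"""Audit HTTP security headers against the published expected values.

Added example. EXPECTED mirrors the table above; the sample header sets are
constructed inputs, not captured responses.
"""
from typing import Dict, List, Optional

TWO_YEARS_SECONDS = 63072000

# None marks headers that are checked structurally rather than by exact value.
EXPECTED: Dict[str, Optional[str]] = {
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "cross-origin-opener-policy": "same-origin",
}


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'a=1; b; c=x' into {'a': '1', 'b': '', 'c': 'x'} with lower-cased names."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def check_hsts(value: str) -> List[str]:
    """HSTS must carry a two-year max-age plus includeSubDomains and preload."""
    d = parse_directives(value)
    findings: List[str] = []
    try:
        max_age = int(d.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age < TWO_YEARS_SECONDS:
        findings.append(f"HSTS max-age {max_age} below {TWO_YEARS_SECONDS}")
    if "includesubdomains" not in d:
        findings.append("HSTS missing includeSubDomains")
    if "preload" not in d:
        findings.append("HSTS missing preload")
    return findings


def check_csp(value: str) -> List[str]:
    """The effective script source must exist and must not be '*' or 'unsafe-inline'."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    src = directives.get("script-src", directives.get("default-src"))
    if src is None:
        return ["CSP has neither script-src nor default-src"]
    findings: List[str] = []
    if "'unsafe-inline'" in src:
        findings.append("CSP allows 'unsafe-inline' scripts")
    if "*" in src:
        findings.append("CSP script source allows wildcard origin")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    for name, expected in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif name == "strict-transport-security":
            findings += check_hsts(h[name])
        elif name == "content-security-policy":
            findings += check_csp(h[name])
        elif name == "permissions-policy":
            # Order of features is irrelevant, so compare as sets.
            got = {t.strip().lower() for t in h[name].split(",") if t.strip()}
            want = {t.strip().lower() for t in (expected or "").split(",")}
            if got != want:
                findings.append(f"{name}: got {sorted(got)}, expected {sorted(want)}")
        elif h[name].lower() != (expected or "").lower():
            findings.append(f"{name}: got {h[name]!r}, expected {expected!r}")
    return findings


# Constructed sample responses (not captured from any server).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_headers(sample) or ["all checks passed"])
```

To run it against a live response, parse the header lines from `curl -sI <url>` into a dict and pass that to `audit_headers`; the function ignores header-name case, so it works on raw HTTP/1.1 and lower-cased HTTP/2 headers alike.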
DNS Security
Updated April 2026
Email Authentication
SPF record configured — authorizes GoRefer mail servers only
DKIM signing on all outbound email
DMARC policy: reject unauthorized senders
BIMI record for brand validation (where supported)
Certificate Management
TLS certificates managed via a trusted CA
Auto-renewal in place — no manual intervention required
Certificate Transparency (CT) log monitoring enabled
Mis-issuance alerts configured via CT monitoring
Domain Security
DNSSEC enabled on the gorefer.io domain
Domain registrar account protected with MFA
Subdomain takeover monitoring active
CAA DNS record restricts which CAs can issue for gorefer.io