Cloudflare

This approach aligns directly with the platform’s architectural principle of separating exposure from custody: Cloudflare handles exposure, while Kubernetes clusters maintain custody and integrity of evidence.

Web Application Firewall (WAF)

The Cloudflare WAF serves as the first line of defense for all HTTP/S interfaces exposed by the Evidence Platform, including:

• Evidence Platform (Drupal) interfaces

• API gateways for evidence access

• Institutional access endpoints (prosecution, defense, courts)

• Peripheral project APIs

Functional Role

• Threat Mitigation: Blocks OWASP Top 10 threats (SQL injection, XSS, RCE, etc.)

• Bot Management: Prevents scraping, credential stuffing, and automated abuse

• Custom Rule Enforcement: Enforces jurisdiction-specific access policies

• Rate Limiting: Protects APIs from abuse and denial-of-service patterns

Strategic Importance

Because the Evidence Platform exposes read-only evidence access to defense and oversight, the WAF ensures that openness does not translate into vulnerability. It enforces strict input validation and request filtering before traffic reaches any internal service.

Content Delivery Network (CDN)

The Cloudflare CDN distributes platform content across a global edge network, enabling:

• Rapid access to evidence metadata and documents

• Low-latency delivery for defense and courts across jurisdictions

• Reduced load on origin Kubernetes clusters

Functional Role

• Edge Caching: Frequently accessed evidence metadata and public disclosures cached globally

• Bandwidth Optimization: Reduces origin traffic and infrastructure costs

• DDoS Absorption: Edge network absorbs volumetric attacks before reaching origin

Strategic Importance

The CDN supports scalable public transparency and multi-jurisdiction access without exposing the Origin of Truth cluster directly. Evidence files remain controlled, while derived or authorized content can be distributed efficiently.

Zero Trust Access (ZTNA)

Cloudflare Zero Trust replaces traditional VPN-based access with identity-aware, policy-driven access control.

Functional Role

• Identity-Based Access: Users authenticated via SSO (e.g., SAML, OIDC)

• Device Posture Checks: Ensures compliant devices before granting access

• Granular Authorization: Role-based access for prosecutors, defense, courts, oversight

• Session Isolation: Prevents lateral movement within systems

Application in Evidence Platform

• Defense counsel access to evidence APIs

• Judicial observability dashboards

• Prosecutorial ingestion systems

• Oversight telemetry portals

Strategic Importance

Zero Trust enforces the platform’s requirement that every access request is verified, logged, and scoped, aligning with chain-of-custody and auditability requirements. It eliminates implicit trust between network zones.

Cloudflare Tunnels (Secure Origin Access)

Cloudflare Tunnels (formerly Argo Tunnel) allow services inside Kubernetes clusters to be exposed without opening inbound ports.

Functional Role

• Outbound-Only Connectivity: Origin clusters initiate connections to Cloudflare

• No Public IP Exposure: Kubernetes services remain private

• Encrypted Transport: Mutual TLS between tunnel and Cloudflare edge

• Service Isolation: Each service can be independently exposed

Application in Evidence Platform

• Secure exposure of Evidence Platform APIs

• Controlled access to metadata services

• Isolation of Origin of Truth cluster from direct internet access

Strategic Importance

This is one of the most critical controls in the architecture. It ensures:

• No direct attack surface on Kubernetes clusters

• Strict mediation of all inbound traffic through Cloudflare

• Alignment with air-gap-like security principles without sacrificing accessibility

Edge Workers (Cloudflare Workers)

Cloudflare Workers provide serverless compute at the edge, enabling logic to execute before requests reach origin systems.

Functional Role

• Request Transformation: Modify or validate API requests

• Authentication Enforcement: Pre-validate tokens and headers

• Data Filtering: Redact or sanitize responses

• Routing Logic: Direct requests to appropriate backend clusters

• Audit Injection: Add logging and trace identifiers

Application in Evidence Platform

• Enforcing evidence access policies at the edge

• Redacting sensitive fields in metadata responses

• Routing requests between jurisdictions or clusters

• Implementing policy-as-code enforcement layers

Strategic Importance

Workers enable a programmable security and governance layer outside the Origin of Truth, reinforcing the principle that policy enforcement occurs before data access.

Cloudflare for SaaS Providers

Cloudflare for SaaS enables the Evidence Platform to operate as a multi-tenant, domain-driven system.

Functional Role

• Custom Hostnames: Each jurisdiction or agency can use its own domain

• SSL Automation: Secure certificates provisioned per tenant

• Tenant Isolation: Logical separation of traffic and policies

• Edge Security Enforcement: Uniform WAF and Zero Trust policies across tenants

Application in Evidence Platform

• Jurisdiction-specific portals (e.g., county, state, federal domains)

• Defense-specific access portals

• Oversight dashboards per regulatory body

• Public transparency sites per region

Strategic Importance

This capability aligns with the federated model by allowing:

• Independent domain ownership per institution

• Centralized enforcement of security and compliance policies

• Scalable onboarding of jurisdictions without infrastructure duplication

Architectural Alignment with Evidence Platform

Cloudflare operates as the outer security and delivery plane, complementing the internal Kubernetes-based system:

Layer

Responsibility

Cloudflare Edge

Security, access control, routing, caching

Evidence Platform (Drupal)

Metadata, workflows, user interface

Kubernetes Clusters

Data processing, AI agents, institutional compute

Origin of Truth

Immutable evidence storage and chain-of-custody

This layered model ensures:

• No direct exposure of evidence storage systems

• All access is authenticated, inspected, and logged

• Global scalability without compromising sovereignty

• Separation of control plane and data plane

This is consistent with the broader architectural requirement that external systems interact only through controlled interfaces and derived data pathways.

Security and Compliance Considerations

Cloudflare capabilities map directly to established security frameworks:

• NIST SP 800-53

  • AC (Access Control): Zero Trust policies

  • SI (System Integrity): WAF protections

  • SC (System Communications): TLS and secure tunnels

  • AU (Audit): Edge logging and request tracing

• CJIS / Criminal Justice Systems

  • Encrypted transmission

  • Strict identity verification

  • Auditability of access events

• FedRAMP / Government Cloud

  • Boundary protection via WAF

  • Continuous monitoring via edge telemetry

  • Least-privilege access enforcement

Summary

Cloudflare functions as the security, access, and delivery perimeter of the Evidence Platform. Its combined capabilities—WAF, CDN, Zero Trust, Tunnels, Edge Workers, and SaaS enablement—create a hardened, scalable, and policy-driven edge layer that:

• protects all exposed services from attack

• enforces identity-based access across all participants

• eliminates direct exposure of Kubernetes clusters

• enables global, low-latency access to authorized data

• supports a federated, multi-tenant architecture

In effect, Cloudflare transforms the platform’s external interface into a secure, programmable edge boundary, ensuring that openness, transparency, and accessibility never compromise the integrity of the underlying evidentiary system.

References and Resources

• Cloudflare — https://www.cloudflare.com

• Cloudflare Web Application Firewall — https://developers.cloudflare.com/waf/

• Cloudflare Zero Trust — https://developers.cloudflare.com/cloudflare-one/

• Cloudflare Workers — https://developers.cloudflare.com/workers/

• Cloudflare Tunnel — https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/

• Cloudflare for SaaS — https://developers.cloudflare.com/cloudflare-for-platforms/