# Network Security ## Network isolation Rockhopper's infrastructure follows strict network segmentation principles: * **Environment separation** — Production and staging environments are isolated in separate VPCs. No cross-environment access is permitted. * **Minimal exposure** — Each component has its own firewall rules, exposing only the ports and protocols required for its function. * **Private subnets** — Databases, background processors, and internal services are placed in private subnets with no direct internet access. Only the API server and web application are internet-facing. ## TLS enforcement All internet-facing connections require TLS 1.2 or higher: * Client-to-server traffic uses HTTPS exclusively * WebSocket connections use WSS (encrypted WebSocket) * Internal service-to-service communication follows AWS security group rules within the VPC * Unencrypted HTTP requests are automatically redirected to HTTPS ## Web Application Firewall A WAF is deployed across the entire cloud footprint, providing protection against: * **Injection attacks** — SQL injection, cross-site scripting (XSS), and other common web exploits * **Volumetric attacks** — DDoS mitigation and rate limiting * **Malicious patterns** — Automated scanning and known attack signatures --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.rockhopper.co/security-and-compliance/network-security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.