WAF & rate limiting
A Coraza web application firewall plus token-bucket rate limiting in front of every site. Read more →
Security on managed.dev is a concrete pipeline, not a checkbox. Every request to every site — production, staging, and preview alike — passes through the same layered controls, and every site gets all of them on every plan. This page is the map: what each layer does and where to configure it.
The controls run in order, from the edge inward:
A request to your site is filtered at the edge first, then again at the site runtime, before any of your code runs. Everything a control blocks is attributed and surfaced in Security → Blocks.
WAF & rate limiting
A Coraza web application firewall plus token-bucket rate limiting in front of every site. Read more →
Patchstack protection
Known plugin and theme CVEs are virtually patched at the edge before they can be exploited. Read more →
Malware scanning
ClamAV scans on a schedule and on demand, with detect → quarantine → restore. Read more →
Headers & allowlists
Managed CSP/HSTS, password protection, firewall IP allowlists, and login lockout. Read more →
Every site and every environment gets HTTPS automatically. Certificates are issued
and renewed for you — per-node wildcard certificates via DNS-01 — so preview URLs
and custom domains are encrypted without a manual step. See TLS for
how certificates are issued and the cert.renewed lifecycle.
Every meaningful action — a deploy, a role change, a key mint, a restore — is recorded in your team’s audit log. Combined with the Blocks view and observability, you can answer both “what did my team do?” and “what did the platform stop?”.