Architecture
Security Isolation with NATS JetStream Messaging
Deployment Modes
Choose the architecture that matches your security requirements
Mini
Single binary for development and small workloads
- All-in-one binary
- No external dependencies
- Lowest resource usage
- Perfect for testing
Small
Two-process architecture with request/response separation
- Frontend + Validator
- NATS messaging
- Process isolation
- Production ready
Full
Four-process architecture with maximum isolation
- 4 isolated processes
- 4 separate NATS instances
- Strong network isolation
- BSI compliance ready
Data Flow Diagram
Complete request/response cycle through all 4 isolated security stages
Data Flow (Full Mode)
Request Path
- Client sends HTTP request
- Frontend receives and forwards to NATS-1 (dirty-req)
- Request Validator validates against policy
- Clean request sent to NATS-2 (clean-req)
- Backend forwards to your web application
Response Path
- Your application sends response
- Backend receives and forwards to NATS-3 (dirty-resp)
- Response Validator sanitizes response
- Clean response sent to NATS-4 (clean-resp)
- Frontend returns sanitized response to client
Why 4 Separate NATS Instances?
Security Isolation
Each NATS instance is completely isolated. If an attacker compromises one component, they cannot access messages from other stages. Dirty (unvalidated) and clean (validated) data are never mixed.
Defense in Depth
Even if the Request Validator is bypassed, the Response Validator provides another layer of protection. Each stage operates independently with its own security boundary.
Audit Trail
All messages are logged to the audit system (syslog/OTLP). This provides a complete, immutable record of all HTTP traffic for compliance and forensics.
Performance
NATS JetStream provides high-throughput and low-latency messaging. The 4-stage architecture adds minimal overhead while providing maximum security.
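The Full-mode data flow above and the isolation argument in this section, as an added example that is not the product's code: an in-process Go model in which the four NATS instances are in-memory queues and each stage is handed only the two instances it is wired to, so a stage has no handle through which dirty and clean data could mix. The request policy (method allow-list, no ".." path segments), the response sanitisation rules (fingerprinting headers dropped, 5xx bodies replaced), the demoApp handler, and the 403 that the Frontend returns for a rejected request are all constructed assumptions; the page states none of them.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the HTTP messages (the product's envelope format is
// not on the page).
type Request struct{ Method, Path, Body string }
type Response struct {
	Status  int
	Headers map[string]string
	Body    string
}

// Bus models one isolated NATS JetStream instance as an in-memory queue. Each
// stage is handed only the instances it is wired to, which is what the four
// separate instances give the Full mode. Audit stands in for the syslog/OTLP
// trail: every message crossing any bus is appended to it.
type Bus struct {
	Name  string
	queue []any
	Audit *[]string
}

func (b *Bus) Publish(stage string, m any) {
	*b.Audit = append(*b.Audit, fmt.Sprintf("%s -> %s: %+v", stage, b.Name, m))
	b.queue = append(b.queue, m)
}
func (b *Bus) Next() (m any) { m, b.queue = b.queue[0], b.queue[1:]; return m }

// Stage 2: NATS-1 (dirty-req) -> NATS-2 (clean-req). The policy is a
// constructed example, not the product's. Returns "" when forwarded.
func requestValidator(in, out *Bus) string {
	req := in.Next().(Request)
	switch {
	case req.Method != "GET" && req.Method != "POST":
		return "method not allowed"
	case !strings.HasPrefix(req.Path, "/") || strings.Contains(req.Path, ".."):
		return "bad path"
	}
	out.Publish("request-validator", req)
	return ""
}

// Stage 3: NATS-2 (clean-req) -> your application -> NATS-3 (dirty-resp).
func backend(in, out *Bus, app func(Request) Response) {
	out.Publish("backend", app(in.Next().(Request)))
}

// Stage 4: NATS-3 (dirty-resp) -> NATS-4 (clean-resp). Drops fingerprinting
// headers and replaces 5xx bodies, so an internal error never reaches the
// client even though stage 2 let the request through (defence in depth).
func responseValidator(in, out *Bus) {
	resp := in.Next().(Response)
	clean := Response{Status: resp.Status, Headers: map[string]string{}, Body: resp.Body}
	for k, v := range resp.Headers {
		if k != "Server" && k != "X-Powered-By" {
			clean.Headers[k] = v
		}
	}
	if resp.Status >= 500 {
		clean.Body = "internal error"
	}
	out.Publish("response-validator", clean)
}

// Pipeline owns the four instances (bus[0..3] = NATS-1..4) and the audit trail.
type Pipeline struct {
	bus   [4]*Bus
	App   func(Request) Response
	Audit []string
}

func NewPipeline(app func(Request) Response) *Pipeline {
	p := &Pipeline{App: app}
	for i, n := range []string{"NATS-1/dirty-req", "NATS-2/clean-req", "NATS-3/dirty-resp", "NATS-4/clean-resp"} {
		p.bus[i] = &Bus{Name: n, Audit: &p.Audit}
	}
	return p
}

// Handle drives one request through the stages in order; the Frontend touches
// only NATS-1 and NATS-4. How the product answers a rejected request is not
// on the page; this model replies 403 from the Frontend (assumption).
func (p *Pipeline) Handle(req Request) Response {
	p.bus[0].Publish("frontend", req)
	if reason := requestValidator(p.bus[0], p.bus[1]); reason != "" {
		p.Audit = append(p.Audit, "request-validator rejected: "+reason)
		return Response{Status: 403, Headers: map[string]string{}, Body: "rejected: " + reason}
	}
	backend(p.bus[1], p.bus[2], p.App)
	responseValidator(p.bus[2], p.bus[3])
	return p.bus[3].Next().(Response)
}

// demoApp is a constructed stand-in for "your web application": it leaks a
// Server header and, on /crash, a stack trace; both are removed by stage 4.
func demoApp(req Request) Response {
	h := map[string]string{"Server": "demo/1.0", "Content-Type": "text/plain"}
	if req.Path == "/crash" {
		return Response{Status: 500, Headers: h, Body: "panic: nil deref at app.go:42"}
	}
	return Response{Status: 200, Headers: h, Body: "hello " + req.Body}
}

func main() {
	p := NewPipeline(demoApp)
	for _, r := range []Request{{"GET", "/hello", "world"}, {"GET", "/../admin", ""}, {"GET", "/crash", ""}} {
		resp := p.Handle(r)
		fmt.Printf("%s %s -> %d %v %q\n", r.Method, r.Path, resp.Status, resp.Headers, resp.Body)
	}
	fmt.Println(strings.Join(p.Audit, "\n"))
}
```

In the model, the `*Bus` handles a stage receives play the role that per-process NATS credentials play in a real deployment: the Request Validator can only consume NATS-1 and publish to NATS-2, so compromising it yields nothing from the response side, and the response stage still strips the leaked `Server` header and stack trace from a request the request stage accepted.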
Ready to Protect Your Web Applications?
Download the free version or contact us for enterprise solutions.