Status: IN
FTL2 deployments can implement a layered edge-to-application security perimeter. In observed patterns, each layer has one job: Cloudflare in DNS-only mode leaves TLS to Caddy (which lets Caddy obtain certificates from Let's Encrypt over ACME), Caddy terminates HTTPS and reverse-proxies to a localhost-only application, firewalld's drop zone silently discards unsolicited traffic, SSH is restricted to source IP ranges, and SELinux enforces network connect policies. This pattern has been documented in catbeez deployments, and the Cloudflare+Caddy TLS approach is used consistently across FTL2 deployments.