Exploit hardening checklist

Layer defence-in-depth around Velocity hosts, runtime, and observability.

Last updated October 8, 2025

Harden the edge

Velocity’s Rust code eliminates many memory bugs, but the runtime still relies on kernels, proxies, and userland scripts. Stack these controls to make exploitation expensive.

Host baseline

  • Apply the hardened systemd unit: ProtectKernelTunables=yes, ProtectHome=true, RestrictAddressFamilies=AF_INET,AF_INET6, NoNewPrivileges=yes.
  • Drop capabilities down to CAP_NET_BIND_SERVICE (or use AmbientCapabilities when unavoidable).
  • Mount /etc/velocity and /var/lib/velocity with nodev, noexec, nosuid.
  • Patch kernels promptly—Velocity leans on UDP features first introduced in Linux 5.15.
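The four bullets above assembled into one unit file, written here as an added example rather than the unit Velocity ships; the binary path, config path, service account, and the extra sandboxing directives beyond the checklist are assumptions.

```ini
# velocity.service: added example of a hardened unit, not Velocity's own file.
# Assumptions: binary at /usr/local/bin/velocity, config under /etc/velocity,
# state under /var/lib/velocity, dedicated "velocity" service account.
[Unit]
Description=Velocity edge runtime (hardened)
After=network-online.target
Wants=network-online.target

[Service]
User=velocity
Group=velocity
ExecStart=/usr/local/bin/velocity --config /etc/velocity/velocity.toml
Restart=on-failure

# Controls from the checklist. RestrictAddressFamilies takes a
# space-separated list; add AF_UNIX if the binary uses sd_notify or a
# local metrics socket, otherwise socket creation fails at startup.
ProtectKernelTunables=yes
ProtectHome=true
RestrictAddressFamilies=AF_INET AF_INET6
NoNewPrivileges=yes

# Only the capability needed to bind a port below 1024. The ambient set is
# required because the process starts as the non-root User= above.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Filesystem: whole OS read-only except the state directory.
ProtectSystem=strict
ReadWritePaths=/var/lib/velocity
PrivateTmp=yes
PrivateDevices=yes

# Further attack-surface reduction a native Rust service tolerates.
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```

Score the result with `systemd-analyze security velocity.service`, which flags each directive still missing or weak.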

Runtime safeguards

  • Enable the built-in rate limiter to blunt UDP amplification or reflection attempts.
  • Enforce strict profile policies so downgraded clients stand out in logs.
  • Monitor velocity_pq_validation_failures_total and velocity_0rtt_replay_rejections_total—both are early warning signals.
  • Rotate admin credentials and ticket secrets automatically. Treat manual rotation as a last resort.

Edge runtime hygiene

  • Sanitise templated responses and lean on provided helpers; never execute untrusted input.
  • Keep custom middleware minimal, code-reviewed, and linted (npm run lint).
  • Source secrets from your vault via environment variables, not checked-in files.

Detect and drill

  • Stream logs to a SIEM capable of correlating Velocity events with upstream proxies and identity systems.
  • Alert on downgrade spikes, handshake latency jumps, or 0‑RTT rejection surges.
  • Run quarterly incident simulations using the scenarios in the Security overview and feed improvements back into this checklist.