A reverse proxy, header injection and a WAF can give a legacy web app an authentication boundary it was never built for, without touching its code.
Draft outline · Engineering craft lens
Legacy web apps that cannot do modern auth are exactly what gets swept up in credential stuffing and the year's run of authentication-bypass CVEs. You often cannot change the app, so you change what sits in front of it. This is the infrastructure twin of the App Mod dive on adding MFA to an app with no MFA support.
Vendor-neutral research on auth-boundary and proxy patterns, and the failure modes to design around.
Independent reporting on how unprotected legacy apps become the initial-access foothold.
A pure engineering-craft piece: no CVE headline, just the pattern we deploy over and over. It shows a technical reader we solve the boring, real problem (the app you cannot change) rather than selling a rebuild they cannot afford. Cross-links to App Mod so the two lenses reinforce each other.