Managed Network Edge · Deep dive 02

Putting modern auth in front of an app that has none

A reverse proxy, header injection and a WAF can give a legacy web app an authentication boundary it was never built for, without touching its code.

Draft outline · Engineering craft lens
The anchor

Legacy web apps that cannot do modern auth are exactly what gets swept up in credential stuffing and the year's run of authentication-bypass CVEs. You often cannot change the app, so you change what sits in front of it. This is the infrastructure twin of the App Mod dive on adding MFA to an app with no MFA support.

Sources we build on
Primary

Vendor-neutral research on auth-boundary and proxy patterns, and the failure modes to design around.

Journalism
BleepingComputer credential-abuse reporting

Independent reporting on how unprotected legacy apps become the initial-access foothold.

Article outline
  1. The problem app. A line-of-business web app with no SSO, no MFA, and no vendor roadmap.
  2. The proxy pattern. Terminating at a reverse proxy, authenticating there, injecting trusted headers to the app.
  3. Not breaking the app. Session handling, timeouts and the gotchas that make apps misbehave behind a proxy.
  4. Hardening the edge. WAF rules and egress control so the proxy is not the new weak point.
  5. When to proxy vs modernise. The decision that feeds an App Mod scope.
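An added illustration of the trust boundary behind item 2 (example code, not from the draft or from any product we deploy): a minimal Python model of the proxy hop that authenticates, strips any client-supplied copy of the identity headers, and only then injects the trusted ones. The header names, session store and function names are hypothetical.

```python
"""Added example: the identity-header trust boundary a reverse proxy must own
when it authenticates on behalf of a legacy app that has no auth of its own.
All names here (TRUSTED_HEADERS, SESSIONS, the functions) are hypothetical."""
from typing import Dict, Optional, Tuple

# Headers the legacy app treats as "already authenticated". Because the app
# cannot verify them, it will believe whatever arrives, so the proxy must be
# the only thing that can ever set them (and the app must be reachable only
# via the proxy, which is the network-control side of item 4).
TRUSTED_HEADERS = ("X-Remote-User", "X-Remote-Groups")

# Constructed session store standing in for the IdP / session-cookie lookup.
SESSIONS = {"sess-abc123": {"user": "alice", "groups": "finance,staff"}}


def authenticate_session(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Resolve the proxy's own session cookie to an identity, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "proxy_session" and value in SESSIONS:
            return SESSIONS[value]
    return None


def forward_request(client_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers the app would receive) for one inbound request.

    401 means the proxy rejected the request before it reached the app.
    """
    identity = authenticate_session(client_headers)
    if identity is None:
        return 401, {}
    # Strip every inbound copy of the trusted headers, case-insensitively.
    # A client (authenticated or not) must never be able to pre-fill the
    # identity the app will act on; only the proxy's verified session may.
    blocked = {h.lower() for h in TRUSTED_HEADERS}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    upstream["X-Remote-User"] = identity["user"]
    upstream["X-Remote-Groups"] = identity["groups"]
    return 200, upstream


if __name__ == "__main__":
    # Constructed request: valid session, plus a client-supplied identity
    # header that must be discarded rather than forwarded.
    print(forward_request({"Cookie": "proxy_session=sess-abc123",
                           "x-remote-user": "admin"}))
    print(forward_request({"X-Remote-User": "admin"}))  # no session: 401
```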
How it aligns to what we do

A pure engineering-craft piece: no CVE headline, just the pattern we deploy over and over. It shows a technical reader we solve the boring, real problem (the app you cannot change) rather than selling a rebuild they cannot afford. Cross-links to App Mod so the two lenses reinforce each other.

Points to hit
Control it ratifies
ISM / E8: ISM authentication and web-application controls; supports E8 MFA by giving a non-MFA app an enforceable second factor at the edge.