8 days ago
Our Cybersecurity team, Coalition, has indicated to us that there is a critical security finding for our company.
In this case, it's the subdomains that we have pointed at projects hosted on Railway.
So I haven't added those libraries to my codebase. I haven't configured any AI bots on this to date. Coalition tells me that we might be seeing these because someone ELSE has an exposed panel and it has the same destination IP, so we're getting tagged. So:
They've asked me to reach out to you to determine if the environments are fully segmented from whatever is hosting the AI panel.
1 Reply
8 days ago
Your Coalition finding is almost certainly a false positive caused by our shared reverse proxy layer. Inbound HTTP traffic to all services (including custom domains) routes through shared proxy IPs, so an IP-based security scan will see other customers' services at the same address. However, your service is fully isolated: traffic is routed by hostname, each service runs in its own container, and our private networking uses encrypted WireGuard tunnels scoped to your project and environment, meaning services in different projects cannot communicate with each other. No other customer can access your service's data, configuration, or internal network. You can share with Coalition that this is a shared-proxy architecture (similar to other PaaS providers like Cloudflare or any CDN) where IP co-tenancy does not imply application-level access between tenants.
Status changed to Awaiting User Response Railway • 8 days ago
Status changed to Solved marchurst • 8 days ago
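As an added, defender-side illustration of how to triage a finding like the one in this thread (this is example code, not Railway's or Coalition's tooling): the script below checks which of your own hostnames resolve to the flagged address, then asks the shared IP for `/` with your own `Host` headers and with a bare-IP `Host` header (what an IP-only scanner sends) and looks for the flagged panel's page marker. It only requests your own hostnames, never another tenant's. The hostnames, IPs and page markers are constructed placeholders, and `resolve`/`fetch` are injectable so the decision logic runs offline; the defaults use only the standard library and assume plain HTTP on port 80 (on 443 the hostname is carried by TLS SNI instead).

```python
"""Triage an IP-based scanner finding against a provider's shared reverse proxy.

Added example for this thread; not Railway's or Coalition's code. All hostnames,
IPs and page markers below are constructed placeholders.
"""
import http.client
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    ip: str                             # address the scanner reported
    signature: str                      # text identifying the flagged panel, e.g. its <title>
    flagged_host: Optional[str] = None  # hostname the scanner attributed it to, if any


@dataclass
class Triage:
    verdict: str
    co_tenant_hosts: List[str] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)


def default_resolve(hostname: str) -> List[str]:
    """All addresses a hostname resolves to (where your CNAME actually lands)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def default_fetch(ip: str, host_header: str) -> Tuple[int, str]:
    """GET / on the shared IP with an explicit Host header; returns (status, body prefix)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", "replace")
    finally:
        conn.close()


def triage(finding: Finding, my_hosts: List[str],
           resolve=default_resolve, fetch=default_fetch) -> Triage:
    """Decide whether a finding is IP co-tenancy or something served under our hostnames.

    Only our own hostnames and the bare IP are requested; other tenants' hostnames are
    their service, not ours, and are never probed.
    """
    t = Triage(verdict="ip_co_tenancy_likely")

    # 1. Which of our hostnames share the flagged address at all?
    t.co_tenant_hosts = [h for h in my_hosts if finding.ip in resolve(h)]
    if not t.co_tenant_hosts:
        t.verdict = "not_our_ip"
        t.evidence.append(f"none of our hostnames resolve to {finding.ip}")
        return t

    # 2. Did the scanner attribute the finding to a hostname we actually own?
    if finding.flagged_host and finding.flagged_host in my_hosts:
        t.verdict = "needs_attention"
        t.evidence.append(f"scanner attributed the finding to our hostname {finding.flagged_host}")

    # 3. What does the proxy serve for OUR Host headers? The panel must not appear there.
    for host in t.co_tenant_hosts:
        status, body = fetch(finding.ip, host)
        if finding.signature in body:
            t.verdict = "needs_attention"
            t.evidence.append(f"{host} -> HTTP {status}, body contains {finding.signature!r}")
        else:
            t.evidence.append(f"{host} -> HTTP {status}, signature absent")

    # 4. What does an IP-only request (the scanner's view) hit? Usually the proxy's default
    #    vhost, which is not routed to our service either way.
    status, body = fetch(finding.ip, finding.ip)
    hit = "signature present" if finding.signature in body else "signature absent"
    t.evidence.append(f"bare-IP Host header -> HTTP {status}, {hit} (default vhost, not our service)")
    return t


# --- Constructed sample environment (placeholders, not real addresses or services) ---
SAMPLE_SHARED_IP = "203.0.113.10"
SAMPLE_ROUTES = {"app.example.com": (200, "<title>My App</title>")}


def sample_resolve(hostname: str) -> List[str]:
    return [SAMPLE_SHARED_IP] if hostname.endswith("example.com") else ["198.51.100.7"]


def sample_fetch(ip: str, host_header: str) -> Tuple[int, str]:
    # Hostname routing: unknown Host headers (including the bare IP) get the proxy default.
    return SAMPLE_ROUTES.get(host_header, (404, "Application not found"))


def demo() -> Triage:
    finding = Finding(ip=SAMPLE_SHARED_IP, signature="AI Admin Panel")
    return triage(finding, ["app.example.com", "api.example.com"],
                  resolve=sample_resolve, fetch=sample_fetch)


if __name__ == "__main__":
    result = demo()
    print(result.verdict)
    for line in result.evidence:
        print(" -", line)
```

The evidence lines are what you would hand back to the scanner vendor: your hostnames resolve to the shared address, requests for your hostnames return your application without the flagged panel, and the bare-IP request the scanner made lands on the proxy default rather than on your service. Run it with the default `resolve`/`fetch` against your real hostnames to produce that record; `needs_attention` only fires if the panel marker shows up under a hostname you own.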