Deployment configuration¶
Configure shared deployment settings that control how your application runs, is verified, and is exposed across deployment models.
Source verification¶
To enable third-party verification and reproducibility of your deployment, you must specify the source repositories in your Procfile:
| Field | Description |
|---|---|
app_sources |
Comma-separated git URLs for your application source code |
These URLs are embedded in the attestation manifest and used to pull all required source code for reproducibility.
Without app_sources, third parties cannot independently reproduce and verify your deployment.
Network connectivity¶
Caution supports two modes for exposing your application to the network.
End-to-end encryption (recommended)¶
For full security, enable end-to-end encryption using STEVE (Secure Transport Encryption via Enclave):
Run the app on port 8083; that is the port STEVE uses to establish a proxy connection.
This requires:
- Procfile configuration: Set
e2e: trueand specify your application port - SDK integration: Integrate the STEVE SDK into your client application
With e2e enabled, data is encrypted on the client and only decrypted inside the enclave. The STEVE proxy runs on port 8080 inside the enclave and forwards decrypted traffic to your application.
See the Encryption concepts page for details on how STEVE works.
Direct port exposure¶
If you cannot use end-to-end encryption, you can expose ports directly:
When a single port is specified, it is automatically reverse-proxied through Caddy with TLS termination on port 443. For multiple ports, use http_port to specify which one Caddy should proxy. The rest are exposed as raw TCP (useful for P2P or binary protocols).
This establishes a connection from the enclave to the host without STEVE encryption. Traffic is still protected by TLS, but the encryption terminates outside the enclave rather than inside it.
Use this only when e2e encryption is not feasible for your use case.
Reproducibility requirements¶
For full verifiability benefits, your application must be reproducible. A reproducible build produces bit-for-bit identical outputs from the same inputs, allowing anyone to verify that your deployed binary matches your source code.
Without reproducibility, attestation can only prove that the deployment hasn't changed. It cannot prove that it matches specific source code.
Making your application reproducible¶
To build reproducible applications, use StageX, a Linux distribution designed for full-source bootstrapping and deterministic builds. While other Linux distributions can be used, StageX is recommended because it was designed as a security-first distribution.
See Verifiability for more on why reproducibility matters for confidential compute.
See also¶
-
Containerizing your app
Follow a practical guide to building reproducible containers with StageX.
-
Custom domains
Use your own domain name for deployments.
-
Procfile
Configure how your application builds, runs, and verifies.
-
Verifiability
Learn how Caution ensures code integrity from source to production.