
Deployments

Deployment and configuration options that affect how your application runs and can be verified.

Deployment options

Caution supports two ways to deploy your application. Both options provide the same verification and encryption guarantees.

  • Fully managed

    Deploy using Caution's managed infrastructure.

  • Managed on-premises

    Deploy to your own infrastructure, with Caution managing the enclave lifecycle.

Choose fully managed to get started quickly, or managed on-premises if you need control over your own infrastructure.

Self-host Caution

Caution is fully open source. To self-host, see the source code on Codeberg.

Source verification

To enable third-party verification and reproducibility of your deployment, you must specify the source repositories in your Procfile:

app_sources: https://codeberg.org/myorg/myapp
Field         Description
app_sources   Comma-separated git URLs for your application source code

These URLs are embedded in the manifest field, which is part of the attestation, and are used to fetch all of the source code required to reproduce the deployed software.

Without source fields, third parties cannot independently reproduce and verify your deployment.

Network connectivity

Caution supports two modes for exposing your application to the network.

For full security, enable end-to-end encryption using STEVE (Secure Transport Encryption via Enclave):

e2e: true

Run your application on port 8083; that is the port STEVE uses to establish the proxy connection.

This requires:

  1. Procfile configuration: Set e2e: true and specify your application port
  2. SDK integration: Integrate the STEVE SDK into your client application

With e2e enabled, data is encrypted on the client and only decrypted inside the enclave. The STEVE proxy runs on port 8080 inside the enclave and forwards decrypted traffic to your application.

See the Encryption concepts page for details on how STEVE works.

Direct port exposure

If you cannot use end-to-end encryption, you can expose ports directly:

run: /app/server --port 8080
ports: 8080

When a single port is specified, it is automatically reverse-proxied through Caddy with TLS termination on port 443. For multiple ports, use http_port to specify which one Caddy should proxy — the rest are exposed as raw TCP (useful for P2P or binary protocols).

This establishes a connection from the enclave to the host without STEVE encryption. Traffic is still protected by TLS, but the encryption terminates outside the enclave rather than inside it.

Use this only when e2e encryption is not feasible for your use case.
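As an added example (not part of the Caution documentation or tooling), the following POSIX shell lint reads a Procfile and flags the choices described in the two sections above that weaken verifiability or end-to-end encryption: a missing app_sources field, e2e left off, and multiple exposed ports without an http_port for Caddy. It uses only the keys shown on this page (app_sources, e2e, run, ports, http_port) and assumes the simple "key: value" line format the examples show; the Procfile paths and helper names are hypothetical.

```shell
#!/bin/sh
# Added example: a pre-deploy lint for a Caution Procfile (not Caution's own code).
# Assumes one "key: value" pair per line and comma-separated lists, as on this page.

# procfile_get FILE KEY -> prints the value of KEY, or nothing if the key is absent
procfile_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# count_ports VALUE -> number of comma-separated entries (0 for an empty value)
count_ports() {
    [ -z "$1" ] && { echo 0; return; }
    echo "$1" | tr ',' '\n' | grep -c .
}

# check_procfile FILE -> prints one WARN line per finding.
# Returns 0 when the Procfile is clean, 1 when at least one finding was reported.
check_procfile() {
    f=$1
    findings=0
    sources=$(procfile_get "$f" app_sources)
    e2e=$(procfile_get "$f" e2e)
    ports=$(procfile_get "$f" ports)
    http_port=$(procfile_get "$f" http_port)

    # Without app_sources the attestation cannot be tied to a reproducible source tree.
    if [ -z "$sources" ]; then
        echo "WARN: app_sources missing; third parties cannot reproduce this deployment"
        findings=1
    fi
    # Each entry should look like a git URL (scheme://host/path).
    case "$sources" in
        "") ;;
        *://*) ;;
        *) echo "WARN: app_sources should contain git URLs, got: $sources"; findings=1 ;;
    esac

    if [ "$e2e" = "true" ]; then
        : # STEVE: encryption terminates inside the enclave, nothing to flag
    else
        echo "WARN: e2e not enabled; TLS terminates at Caddy outside the enclave"
        findings=1
        # With several ports, Caddy needs http_port to know which one gets TLS;
        # the others are exposed as raw TCP.
        n=$(count_ports "$ports")
        if [ "$n" -gt 1 ] && [ -z "$http_port" ]; then
            echo "WARN: $n ports exposed but http_port not set; only one is proxied with TLS"
            findings=1
        fi
    fi
    return $findings
}

# Usage (path is hypothetical): check_procfile ./Procfile
```

Run it against the Procfile before deploying; a non-zero exit means at least one of the page's recommendations (source fields present, e2e enabled, http_port chosen for multi-port direct exposure) is not met.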

Reproducibility requirements

For full verifiability benefits, your application must be reproducible. A reproducible build produces bit-for-bit identical outputs from the same inputs, allowing anyone to verify that your deployed binary matches your source code.

Without reproducibility, attestation can only prove that the deployment hasn't changed—not that it matches specific source code.
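The bit-for-bit property above can be checked mechanically before anyone relies on an attestation. The following POSIX shell helper, an added example that is not part of Caution or StageX, runs a build command twice in fresh working directories and compares the SHA-256 of the named output; a mismatch means the build depends on something other than its declared inputs (timestamps, randomness, build paths) and the deployment cannot be tied back to source. The build command, output name and function names are hypothetical.

```shell
#!/bin/sh
# Added example: double-build reproducibility check (not Caution's own tooling).
# Assumes BUILD_CMD writes its artifact to OUTPUT_NAME inside the current directory.

# digest FILE -> SHA-256 hex digest, using whichever tool the host provides
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_reproducible BUILD_CMD OUTPUT_NAME
# Runs BUILD_CMD in two separate temporary directories and compares the outputs.
# Returns 0 if both artifacts are identical, 1 if they differ, 2 if a build failed.
check_reproducible() {
    cmd=$1
    out=$2
    d1=$(mktemp -d)
    d2=$(mktemp -d)
    (cd "$d1" && sh -c "$cmd") || { rm -rf "$d1" "$d2"; return 2; }
    (cd "$d2" && sh -c "$cmd") || { rm -rf "$d1" "$d2"; return 2; }
    h1=$(digest "$d1/$out")
    h2=$(digest "$d2/$out")
    rm -rf "$d1" "$d2"
    if [ "$h1" = "$h2" ]; then
        echo "reproducible: $out sha256=$h1"
        return 0
    fi
    echo "NOT reproducible: $h1 != $h2" >&2
    return 1
}

# Usage (hypothetical build): check_reproducible "make release" app.tar
```

Two local builds agreeing is the minimum bar; for third-party verification the same digest must also be obtained from the app_sources repositories on an independent machine, which is what the manifest in the attestation lets a verifier do.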

Making your application reproducible

To build reproducible applications, use StageX, a Linux distribution designed for full-source bootstrapping and deterministic builds. Other Linux distributions can be used, but StageX is recommended because it was designed as a security-first distribution.

See Verifiability for more on why reproducibility matters for confidential compute.

See also