Security at the edge means threats are stopped before they reach your infrastructure. By implementing security logic in FastEdge workers, you can validate, filter, and block requests at the closest edge location to the user — providing the fastest possible response for legitimate traffic while protecting your origin servers.
This post looks at Using Environment Variables and Secrets — one of several security patterns available in the FastEdge Rust SDK.
What It Does
Store configuration and secrets in FastEdge — environment variables, encrypted secrets, and how to use them safely.
Processing security logic at the edge provides several benefits: reduced latency for end users (they don't need to round-trip to your origin just to get rejected), reduced load on origin servers (only validated requests reach them), and a smaller attack surface (malicious traffic is absorbed by the edge network).
Implementation
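The handler below implements the edge filtering logic with the FastEdge Rust SDK. In this listing the country and user-agent blocklists are hard-coded in the helper functions: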
    use fastedge::{
        body::Body,
        http::{Error, Request, Response, StatusCode},
    };

    #[fastedge::http]
    fn main(req: Request<Body>) -> Result<Response<Body>, Error> {
        // Extract security-relevant headers; a missing or non-UTF-8 value
        // becomes "unknown", which neither check below matches.
        let country = req.headers()
            .get("geoip-country-code")
            .and_then(|v| v.to_str().ok())
            .unwrap_or("unknown");
        let user_agent = req.headers()
            .get("user-agent")
            .and_then(|v| v.to_str().ok())
            .unwrap_or("unknown");

        // Block known bad actors at the edge
        if blocked_country(country) {
            return Response::builder()
                .status(StatusCode::FORBIDDEN)
                .header("content-type", "text/plain")
                .body(Body::from("Access denied"));
        }
        if is_malicious_agent(user_agent) {
            return Response::builder()
                .status(StatusCode::FORBIDDEN)
                .body(Body::from("Blocked"));
        }

        // The request passed both checks. This listing returns a static
        // response at the point where a real app would forward to origin.
        Response::builder()
            .status(StatusCode::OK)
            .body(Body::from("Hello, verified user!"))
    }

    // "XX", "YY" and "ZZ" are placeholder country codes.
    fn blocked_country(country: &str) -> bool {
        matches!(country, "XX" | "YY" | "ZZ")
    }

    // Case-sensitive substring match. User-Agent is client-supplied and
    // trivially changed, so treat this as a coarse filter only.
    fn is_malicious_agent(agent: &str) -> bool {
        agent.contains("curl") || agent.contains("python-requests")
    }
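The listing above hard-codes its blocklist, so here is an added example (not code from the SDK or its repository) of the same decision driven by a plain variable for policy and a secret for an access token. `BLOCKED_COUNTRIES`, `API_TOKEN`, `Decision` and the `env`/`secret` lookup parameters are hypothetical names; in a real app the two lookups would be wired to the platform's variable and secret stores.

```rust
// Added example, std-only. `env` and `secret` are hypothetical lookups standing
// in for the platform's variable and secret stores; they are not SDK calls.
#[derive(Debug, PartialEq)]
enum Decision { Allow, Forbidden, Unauthorized, Misconfigured }

/// Parse "XX, yy,ZZ" into upper-case two-letter codes, dropping malformed items.
fn parse_blocklist(raw: &str) -> Vec<String> {
    raw.split(',')
        .map(|c| c.trim().to_ascii_uppercase())
        .filter(|c| c.len() == 2 && c.bytes().all(|b| b.is_ascii_alphabetic()))
        .collect()
}

/// Compare every byte instead of stopping at the first mismatch.
/// Only the length check returns early, so the length is not hidden.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn decide(
    country: &str,
    presented_token: Option<&str>,
    env: impl Fn(&str) -> Option<String>,
    secret: impl Fn(&str) -> Option<String>,
) -> Decision {
    // Non-sensitive policy comes from a plain variable; unset means "block none".
    let blocked = parse_blocklist(&env("BLOCKED_COUNTRIES").unwrap_or_default());
    if blocked.iter().any(|c| c.eq_ignore_ascii_case(country)) {
        return Decision::Forbidden;
    }
    // The token comes from the secret store. Fail closed if it is missing or
    // empty, and never echo it into a response body or log line.
    let expected = match secret("API_TOKEN") {
        Some(s) if !s.is_empty() => s,
        _ => return Decision::Misconfigured,
    };
    match presented_token {
        Some(t) if constant_time_eq(t.as_bytes(), expected.as_bytes()) => Decision::Allow,
        _ => Decision::Unauthorized,
    }
}

fn main() {
    // Constructed sample values, not real configuration.
    let env = |k: &str| (k == "BLOCKED_COUNTRIES").then(|| "XX, yy".to_string());
    let secret = |k: &str| (k == "API_TOKEN").then(|| "constructed-token".to_string());
    println!("{:?}", decide("ZZ", Some("constructed-token"), env, secret)); // Allow
}
```

Keeping the decision logic separate from the lookups lets the fail-closed path be unit-tested without deploying the worker.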
Deploy
For the complete implementation with all features (rate limiting, IP allowlists, request transformation), clone the SDK repo and check the example:
    git clone https://github.com/G-Core/FastEdge-sdk-rust.git
    cd FastEdge-sdk-rust/examples/cdn/variables_and_secrets
    cargo build --release
Performance Impact
All security checks at the edge run in WebAssembly with sub-millisecond overhead. Header inspection, GeoIP lookups, and pattern matching add virtually no latency — typically 10-50µs per check. This means you can layer multiple security patterns without worrying about performance degradation.