Pomerium is an identity-aware proxy; the trust you can place in it depends on correct policy and certificate setup.

## Policy Hardening

- Define least-privilege route policies: one explicit `from` host per route, and an allow rule that names the domain, group or claim a user must carry.
- Restrict wildcard routes (`from: https://*.example.com`) and broad allow rules such as `allow_any_authenticated_user` and `allow_public_unauthenticated_access`, which grant access to every IdP user or to everyone.
- Validate identity provider claims and group mapping: a policy keyed on `groups` or `claim/...` is only as strong as the IdP mapping behind it, so confirm that the claim Pomerium sees is the one you intended to gate on.

## Edge Security

- Enforce TLS (`certificate_file`/`certificate_key_file` or `autocert`; `insecure_server` belongs only in a lab) and secure cookie settings (`cookie_secure`, `cookie_http_only`).
- Protect shared secrets and signing keys (`shared_secret`, `cookie_secret`, `signing_key`): keep them out of the config file and version control, and rotate them.
- Monitor denied requests and policy bypass attempts: the authorize service logs every decision, so alert on bursts of denies and on allows against routes that should be closed.
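Both checklists above, as an added example that is not part of the original page or of Pomerium's own documentation: a single Pomerium `config.yaml` with the weak settings each bullet warns about shown commented out beside a hardened replacement. The hostnames, the `app-admins` group, the `department` claim, the file paths and the `/admin` prefix are assumptions made up for illustration; the option and policy-language keys (`routes`, `from`, `to`, `policy`, `allow`/`deny`, `and`/`or`, `domain`, `groups`, `claim/...`, `http_path`, `cookie_secure`, `shared_secret`) are Pomerium's as I know them, but check them against the version you run.

```yaml
# Added example, not Pomerium's own configuration. Hostnames, group and
# claim names, file paths and the /admin prefix are made-up placeholders.

# --- Edge: TLS -------------------------------------------------------
# Weak: serving plaintext means every session cookie crosses the wire in
# the clear and nothing authenticates the proxy to the browser.
# insecure_server: true
certificate_file: /etc/pomerium/tls/fullchain.pem      # assumed path
certificate_key_file: /etc/pomerium/tls/privkey.pem    # assumed path

# --- Edge: cookies ---------------------------------------------------
# Weak: a cookie without Secure/HttpOnly can be replayed over HTTP or read
# by injected script.
# cookie_secure: false
# cookie_http_only: false
cookie_secure: true
cookie_http_only: true
cookie_expire: 8h            # bound the session lifetime

# --- Edge: secrets ---------------------------------------------------
# Weak: long-lived secrets committed with the config.
# shared_secret: "c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U="
# cookie_secret: "c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2U="
# Hardened: leave them out of the file and supply them through the
# environment (SHARED_SECRET, COOKIE_SECRET, IDP_CLIENT_SECRET are the
# variable names I expect Pomerium to read; verify for your version),
# generated per environment and rotated on a schedule.

# --- Identity provider -----------------------------------------------
authenticate_service_url: https://authenticate.example.com   # assumed
idp_provider: oidc
idp_provider_url: https://idp.example.com                     # assumed
idp_client_id: pomerium                                       # assumed

# --- Routes ----------------------------------------------------------
routes:
  # Weak: a wildcard host plus "anyone who can log in" hands every
  # subdomain to every account the IdP knows about.
  # - from: https://*.example.com
  #   to: http://apps.internal:8080
  #   allow_any_authenticated_user: true

  # Hardened: one explicit host, and an allow rule that requires the
  # email domain AND a group AND a custom claim, all mapped in the IdP.
  - from: https://app.example.com
    to: http://app.internal:8080
    policy:
      - allow:
          and:
            - domain:
                is: example.com          # IdP-verified email domain
            - groups:
                has: app-admins          # assumed group name from the IdP
            - claim/department:          # assumed custom claim; confirm the
                is: engineering          # IdP actually emits it
      # Deny the admin prefix to anyone outside the admin group even if
      # the allow above matched; deny rules win over allow rules.
      - deny:
          and:
            - http_path:
                starts_with: /admin
            - not:
                - groups:
                    has: app-admins
```

Two points the block does not show but the checklist calls for: verify the `claim/department` value by logging in and reading the claims Pomerium attaches to the session (the IdP must be configured to emit the claim, or the criterion never matches and the `and` denies everyone), and feed the authorize service's per-request decision log to your SIEM so a spike in denies for `app.example.com`, or any allow for a path that should be closed, raises an alert.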