One of the long-standing challenges with confidential computing has been building applications that do more than secure backend logic. TEEs excel at protected execution, secret key handling, and verifiable compute, but exposing a user-facing frontend from inside an enclave has always been awkward.
Developers typically had to rely on external proxies, manually managed TLS certificates, and domain routing pipelines that operated outside the TEE boundary. That meant extra tooling, inconsistent setups across providers, and, ironically, more opportunities for data to leave the secure boundary than most teams wanted.
The latest update to ROFL changes this dynamic in a meaningful way. ROFL now provides built-in proxy support and automated HTTPS endpoint creation, allowing applications to run both frontend and backend components entirely inside confidential environments.
This isn’t just a quality-of-life improvement; it shifts what “confidential apps” can practically look like.
A New Hosting Model for Confidential Apps
The new proxy layer in ROFL acts as the gateway between the public Internet and the enclave-based application. Instead of requiring developers to configure NGINX, Traefik, or bespoke proxy setups, ROFL now handles:
- Public endpoint creation
- Domain and subdomain assignment
- Certificate provisioning
- Routing to the correct enclave instance
- Secure transport through encrypted internal tunnels
From the developer’s perspective, hosting a frontend in ROFL now resembles deploying to a modern PaaS, only with hardware-backed confidentiality at every step.
What Deployment Looks Like
ROFL’s deployment flow remains container-based, but with an additional annotation step to declare the domain an app should serve from. After redeploying, the CLI provides DNS instructions for whichever domain the developer wants to use.
Once DNS is configured, a quick restart triggers certificate creation. Importantly, certificate keys are generated inside the enclave and never leave it.
The proxy infrastructure routes on TLS handshake metadata, not on plaintext, preserving the enclave’s data-isolation guarantees.
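To make the "handshake metadata, not plaintext" point concrete: a passthrough proxy only needs the server_name (SNI) extension from the unencrypted ClientHello to pick a backend, and it never terminates TLS, so application data stays opaque to it. The following is an added example written for this post, not the ROFL proxy's own code; the hostnames and internal backend addresses are constructed, and the framing follows RFC 5246 (TLS record and handshake layout) and RFC 6066 (server_name extension).

```python
"""Illustrative SNI-based routing for a TLS passthrough proxy (example code,
not the ROFL proxy's implementation)."""
import struct
from typing import Optional, Tuple

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input for the parser)."""
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += b"\x00" * 32                        # random (fixed for the example)
    body += b"\x00"                             # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
    body += b"\x01\x00"                         # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None
    when the extension is absent. Raises ValueError on anything that is not a
    well-formed ClientHello, so a proxy can fail closed instead of guessing."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                 # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len      # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len        # compression_methods
    if pos + 2 > len(body):
        return None                              # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ClientHello body")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lpos, lend = 2, 2 + list_len
        while lpos + 3 <= lend:
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3]); lpos += 3
            name = data[lpos:lpos + name_len]; lpos += name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


# Constructed routing table: public hostname -> internal enclave endpoint.
ROUTES = {
    "app.example.com": ("enclave-a.internal", 443),
    "admin.example.com": ("enclave-b.internal", 443),
}


def route(record: bytes, routes=ROUTES) -> Optional[Tuple[str, int]]:
    """Choose a backend from the SNI alone. Missing or unknown names return
    None, which a proxy should treat as "drop the connection", never as
    "forward to a default backend"."""
    name = extract_sni(record)
    if name is None:
        return None
    return routes.get(name.lower())
```

The routing decision consumes only the handshake bytes that are cleartext by design; a real proxy would additionally buffer until the full record has arrived and enforce a size cap on the ClientHello before parsing it.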
Read the Docs here: https://docs.oasis.io/build/rofl/features/proxy/
Why This Matters
This feature closes one of the last major gaps in building production-grade confidential applications:
- Developers no longer need external hosting for frontends.
- TLS is managed automatically with no key exposure.
- The entire app stack (logic, state, and UI) can live in a TEE.
- The operational burden of using enclaves drops significantly.
Confidential computing becomes far more approachable when deploying a secure app is as simple as annotating a compose file and configuring DNS.
In practical terms, teams can now build:
- Private DeFi dashboards.
- Agent interfaces that expose no sensitive state.
- Confidential admin panels.
- Encrypted multi-tenant applications.
- Verified compute services with secure user-facing UIs.
All of these run inside trusted hardware, with no external proxy infrastructure to maintain.
Closing Thoughts
ROFL has always focused on giving developers a general-purpose execution layer for verifiable, confidential off-chain logic. Adding native frontend hosting pushes it toward a true full-stack confidential compute platform.
The more that infrastructure fades into the background, the easier it becomes for developers to actually use these capabilities. This update moves the ecosystem one step closer to confidential applications that are secure by default—not secure with caveats.