The HTTP-facing layer between the internet and your application. Pairs with host-hardening for the box itself, app-deployment for what sits behind it, and data-tier-hardening for the persistence layer further back. Read the TLS piece first if you are configuring a new edge; read the rate-limiting piece after you have seen your first real auth-endpoint burst.