# Gateway Failure Policy

When the gateway cannot reach Fairvisor (timeout, DNS failure, network partition), the behaviour must be an explicit, documented policy rather than whatever the client library happens to do.

## Decision matrix
| Policy | Security posture | Availability impact | Typical use |
|---|---|---|---|
| Fail-closed | Strong | Higher risk of blocking good traffic | high-risk/regulated endpoints |
| Fail-open | Weaker | Better uptime under control-plane failures | low-risk/public traffic |
## Timeout guidance

- keep the gateway->edge timeout low (typically 200-500 ms) so a slow authorizer does not stall the request path
- bound the number of authorization-call retries on the hot path; never retry without a limit
- emit a log line and a metric for every fallback decision, so fail-open traffic is visible and fail-closed rejections can be diagnosed
## Recommended default split

- write/update/admin endpoints: fail-closed
- read-only/public endpoints: fail-open, with alerting on every fallback
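The guidance above, as an added example that is not Fairvisor's own code: a hypothetical gateway-side authorization hook that applies a per-route policy, uses a short timeout with a bounded retry budget, falls back according to the route's policy when the authorizer cannot be reached, and records every fallback as both a log line and a counter. The route table, the `check(method, path, timeout_s)` callable signature and the two stand-in authorizers are assumptions, not Fairvisor API.

```python
import logging
from dataclasses import dataclass
from enum import Enum

log = logging.getLogger("gateway.authz")

class Policy(Enum):
    FAIL_CLOSED = "fail-closed"
    FAIL_OPEN = "fail-open"

# Hypothetical per-route table. Routes not listed here are treated as
# fail-closed, so a forgotten entry cannot silently become fail-open.
ROUTE_POLICY = {
    ("POST", "/api/orders"): Policy.FAIL_CLOSED,
    ("DELETE", "/api/admin/users"): Policy.FAIL_CLOSED,
    ("GET", "/api/catalog"): Policy.FAIL_OPEN,
}

@dataclass
class Decision:
    allowed: bool
    source: str      # "authorizer" (real answer) or "fallback" (policy applied)
    policy: Policy

def authorize(method, path, check, fallback_counts, timeout_s=0.3, max_attempts=2):
    """check(method, path, timeout_s) -> bool; raises TimeoutError/ConnectionError
    when the authorizer cannot be reached in time. fallback_counts is the metric."""
    policy = ROUTE_POLICY.get((method, path), Policy.FAIL_CLOSED)
    last_err = None
    for _ in range(max_attempts):  # bounded retry budget on the hot path
        try:
            return Decision(check(method, path, timeout_s), "authorizer", policy)
        except (TimeoutError, ConnectionError) as err:
            last_err = err
    allowed = policy is Policy.FAIL_OPEN
    fallback_counts[(method, path)] = fallback_counts.get((method, path), 0) + 1
    log.warning("authz fallback method=%s path=%s policy=%s allowed=%s error=%r",
                method, path, policy.value, allowed, last_err)
    return Decision(allowed, "fallback", policy)

# Constructed stand-ins for the real authorizer client (not Fairvisor code).
ATTEMPTS = []

def unreachable_authorizer(method, path, timeout_s):
    ATTEMPTS.append((method, path))
    raise TimeoutError(f"no reply within {timeout_s}s")

def healthy_authorizer(method, path, timeout_s):
    return method == "GET"
```

Feeding `unreachable_authorizer` into `authorize` exercises the failure path that the staging test below requires; `healthy_authorizer` covers the normal path.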
## Operational requirement

Document the chosen policy for each route, and exercise both the normal path and the Fairvisor-unreachable path in staging so that the fallback behaviour, its log line and its metric are verified before a real outage.