Security by Design · Every Container · Always On

Built to be secure by default.

Every DevSpace container runs inside hardened Docker isolation, behind 92 Tbps DDoS scrubbing, with zero shared memory between workloads. Security isn't a feature — it's the foundation.

92 Tbps DDoS protection
Full container isolation
Zero shared memory
Encrypted at rest & transit

Seven layers.
One secure container.

DevSpace wraps every container in a layered security model — from edge-level DDoS scrubbing all the way down to kernel-level restrictions inside Docker. Each layer operates independently so a breach in one never compromises another.

Security stack — top to bottom
7. Edge DDoS Scrubbing: 92 Tbps capacity · 3rd-gen filtering (active)
6. IP Whitelisting & Firewall: Per-port CIDR rules · instant effect (active)
5. TLS Termination: Auto-provisioned certificates · TLS 1.3 (active)
4. Docker Network Isolation: Private bridge per container · no cross-talk (active)
3. Docker Runtime Hardening: Read-only fs · dropped capabilities · seccomp (active)
2. Resource Isolation: cgroup limits · no memory sharing (active)
1. Kernel Namespace Isolation: PID · net · mount · user namespaces (active)
container-runtime.conf
# DevSpace Docker hardening profile

security_opt:
  - no-new-privileges:true
  - seccomp:devspace-strict.json
  - apparmor:devspace-profile

cap_drop: # drop ALL first
  - ALL
cap_add: # add back only what's needed
  - NET_BIND_SERVICE

read_only: true
network_mode: devspace-bridge-{id}
pid_mode: private
ipc_mode: private

mem_limit: {plan_ram}g
cpus: {plan_vcpu}
pids_limit: 512

Hardened Docker.
Zero compromise.

Every DevSpace container runs under a strict Docker security profile — not the defaults. We drop all Linux capabilities and add back only what's strictly necessary. No shared IPC. No shared PID namespace. No privilege escalation paths.

Seccomp + AppArmor profiles. A custom syscall allowlist blocks all non-essential kernel calls. AppArmor further restricts filesystem access at the OS level.

Read-only root filesystem. The base container layer is mounted read-only. Only designated writable volumes can be written to — no silent filesystem tampering.

PID limit enforcement. Each container is hard-capped on the number of processes it can spawn, preventing fork bombs and runaway process trees.

no-new-privileges flag. Processes inside the container can never gain more privileges than they started with — the setuid bit on binaries is ignored, so they run without elevated privileges.
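The three controls above (dropped capabilities, seccomp filtering, no-new-privileges) are all visible from inside a container in /proc/self/status, which makes them easy to verify without trusting the orchestration layer. The following is an added example, not DevSpace's code: it decodes the CapEff bitmask, checks the NoNewPrivs and Seccomp fields, and compares them with the policy the profile above describes (only CAP_NET_BIND_SERVICE kept). The two status samples are constructed; the capability bit table is the kernel's.

```python
# Added example (not DevSpace's code): verify a container's effective hardening
# from inside by reading the fields the kernel exposes in /proc/self/status.
# CapEff is the effective capability bitmask, NoNewPrivs is the no-new-privileges
# flag and Seccomp is the filter mode (0 = off, 1 = strict, 2 = filter).
import re

# Linux capability numbers (include/uapi/linux/capability.h); bit n == CAP number n.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

def decode_caps(hexmask):
    """Return the set of capability names whose bit is set in a CapEff mask."""
    mask = int(hexmask, 16)
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if mask & (1 << bit):
            names.add(name)
    # Bits beyond the table are reported numerically so nothing is silently dropped.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask & (1 << bit):
            names.add(f"CAP_{bit}")
    return names

def parse_status(text):
    """Extract the hardening-relevant fields from /proc/<pid>/status content."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(CapEff|NoNewPrivs|Seccomp):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_hardening(status_text, allowed_caps=frozenset({"NET_BIND_SERVICE"})):
    """Compare a process's status with the policy: only allowed_caps, NNP on,
    seccomp in filter mode. Returns a list of findings; empty means it holds."""
    f = parse_status(status_text)
    findings = []
    extra = decode_caps(f.get("CapEff", "0")) - allowed_caps
    if extra:
        findings.append("unexpected capabilities: " + ", ".join(sorted(extra)))
    if f.get("NoNewPrivs") != "1":
        findings.append("no-new-privileges not set")
    if f.get("Seccomp") != "2":
        findings.append("seccomp filter mode not active")
    return findings

# Constructed sample: root in a container started with Docker's default
# capability set (14 capabilities) and neither seccomp nor no-new-privileges.
DEFAULT_STATUS = """Name:\tbash
Uid:\t0\t0\t0\t0
CapEff:\t00000000a80425fb
NoNewPrivs:\t0
Seccomp:\t0
"""

# Constructed sample: only CAP_NET_BIND_SERVICE (bit 10) kept, NNP on, seccomp filtering.
HARDENED_STATUS = """Name:\tnode
Uid:\t0\t0\t0\t0
CapEff:\t0000000000000400
NoNewPrivs:\t1
Seccomp:\t2
"""

def check_self():
    """Run the check against the calling process (only meaningful on Linux)."""
    with open("/proc/self/status") as fh:
        return check_hardening(fh.read())

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_STATUS), ("hardened", HARDENED_STATUS)):
        print(label, check_hardening(sample) or ["OK"])
```

Run check_self() as the workload user after start-up; a non-empty result means the profile the page describes did not take effect for that process.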

Network isolation.
Containers can't see each other.

Each container gets its own private Docker bridge network. There is no shared network interface, no inter-container routing, and no broadcast domain. Your workload is invisible to every other tenant on the platform.

Per-container bridge network. A dedicated virtual network interface is created for each DevSpace. Containers on the same physical host cannot communicate by default.

Egress filtered at host. Outbound traffic rules are enforced at the host iptables level, not just inside the container — so they can't be bypassed even with root inside Docker.

Port forwarding is explicit-only. No ports are exposed by default. You forward only what you choose, and each forwarded port goes through DDoS scrubbing before reaching your container.

Network traffic inspection
internet → edge: scrub.ddos filter (filtered)
edge → firewall: ip_whitelist check (filtered)
firewall → tls: TLS 1.3 termination (encrypted)
tls → container: bridge:devspace-{id} (allowed)
container → container: iptables DROP rule (blocked)
container → host: namespace boundary (blocked)
unexposed port: not reachable externally (blocked)
Legend: allowed / encrypted · blocked · filtered/scrubbed

92 Tbps scrubbing capacity. Every forwarded port, every container — absorbed and filtered before it reaches your workload.

Volumetric attack absorption. SYN floods, UDP amplification, ICMP floods — all absorbed at the edge before packets reach your container's IP.

Layer 3/4 filtering. Malformed packets, spoofed source IPs, and invalid TCP states are dropped at line rate by hardware filtering appliances at each PoP.

Game-server grade. UDP port forwarding is fully supported — with the same DDoS protection as TCP. Ideal for Minecraft, voice servers, and real-time apps.

security-audit.log
[2025-04-06 09:12:01] INFO Container devspace-a8f3c2 started
[2025-04-06 09:12:01] OK   Seccomp profile loaded: devspace-strict
[2025-04-06 09:12:01] OK   AppArmor profile applied
[2025-04-06 09:12:01] OK   Capabilities: dropped ALL, added NET_BIND_SERVICE
[2025-04-06 09:12:02] OK   Network bridge devspace-bridge-a8f3 created
[2025-04-06 09:12:02] OK   iptables: inter-container DROP rules applied
[2025-04-06 09:12:02] OK   Port 3000 → DDoS scrubber → 45.76.22.11:3000
[2025-04-06 09:12:03] OK   TLS cert provisioned for devspace-a8f3.shulker.in
[2025-04-06 09:14:38] WARN Blocked: privilege escalation attempt via setuid
[2025-04-06 09:14:38] OK   no-new-privileges: escalation silently denied
[2025-04-06 09:18:11] WARN DDoS: 4.2 Gbps flood absorbed on port 3000
[2025-04-06 09:18:11] OK   Scrubber active — container unaffected

Real-time audit.
Every event logged.

Security events are captured from container start to shutdown — capability changes, network rule activations, DDoS events, and privilege escalation attempts are all logged in real time.

Startup attestation. Every security control is verified at container boot. If a profile fails to load, the container doesn't start.

Privilege escalation detection. Any attempt to gain elevated privileges is logged and silently denied before it reaches the kernel.

DDoS event visibility. When an attack is absorbed, you see it — attack volume, duration, and scrubber status — in your container log.
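The audit log format shown above is simple enough to monitor programmatically, which is how a tenant can turn "every event logged" into an actual check. The following is an added example, not DevSpace's code: it parses lines in that format, confirms that each boot-time control reported OK (startup attestation), counts privilege escalation warnings, and extracts DDoS events with their volume and port. The sample input is the log shown on this page; the second, shorter boot log and the container name in it are constructed, and treating the OK-line wording as a stable marker is this example's assumption.

```python
# Added example (not DevSpace's code): detection logic over the security-audit.log
# format shown on this page. It checks that boot-time controls were reported as
# loaded and extracts privilege-escalation and DDoS events.
import re
from collections import Counter

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$")
DDOS_RE = re.compile(r"DDoS: (?P<gbps>\d+(?:\.\d+)?) Gbps flood absorbed on port (?P<port>\d+)")

# Boot-time controls and the OK-line text that reports each one. The substrings come
# from the sample log; treating them as stable markers is this example's assumption.
REQUIRED_CONTROLS = {
    "seccomp": "Seccomp profile loaded",
    "apparmor": "AppArmor profile applied",
    "capabilities": "Capabilities: dropped ALL",
    "network_isolation": "iptables: inter-container DROP rules applied",
}

def parse_line(line):
    """Split one '[timestamp] LEVEL message' line; return None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Return level counts, missing boot controls, escalation attempts and DDoS events."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    levels = Counter(e["level"] for e in events)
    loaded = {
        name: any(e["level"] == "OK" and marker in e["msg"] for e in events)
        for name, marker in REQUIRED_CONTROLS.items()
    }
    escalation = sum(
        1 for e in events
        if e["level"] == "WARN" and "privilege escalation" in e["msg"]
    )
    ddos = []
    for e in events:
        m = DDOS_RE.search(e["msg"])
        if m:
            ddos.append({"time": e["ts"], "gbps": float(m.group("gbps")),
                         "port": int(m.group("port"))})
    return {
        "levels": dict(levels),
        "missing_controls": sorted(n for n, ok in loaded.items() if not ok),
        "escalation_attempts": escalation,
        "ddos_events": ddos,
    }

# Sample input copied from the security-audit.log shown on this page.
SAMPLE_LOG = """[2025-04-06 09:12:01] INFO Container devspace-a8f3c2 started
[2025-04-06 09:12:01] OK   Seccomp profile loaded: devspace-strict
[2025-04-06 09:12:01] OK   AppArmor profile applied
[2025-04-06 09:12:01] OK   Capabilities: dropped ALL, added NET_BIND_SERVICE
[2025-04-06 09:12:02] OK   Network bridge devspace-bridge-a8f3 created
[2025-04-06 09:12:02] OK   iptables: inter-container DROP rules applied
[2025-04-06 09:12:02] OK   Port 3000 → DDoS scrubber → 45.76.22.11:3000
[2025-04-06 09:12:03] OK   TLS cert provisioned for devspace-a8f3.shulker.in
[2025-04-06 09:14:38] WARN Blocked: privilege escalation attempt via setuid
[2025-04-06 09:14:38] OK   no-new-privileges: escalation silently denied
[2025-04-06 09:18:11] WARN DDoS: 4.2 Gbps flood absorbed on port 3000
[2025-04-06 09:18:11] OK   Scrubber active — container unaffected
"""

# Constructed sample: a boot where the seccomp OK line never appeared.
PARTIAL_BOOT_LOG = """[2025-04-06 10:00:00] INFO Container devspace-example started
[2025-04-06 10:00:00] OK   AppArmor profile applied
[2025-04-06 10:00:00] OK   Capabilities: dropped ALL, added NET_BIND_SERVICE
[2025-04-06 10:00:01] OK   iptables: inter-container DROP rules applied
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("missing after partial boot:", summarize(PARTIAL_BOOT_LOG)["missing_controls"])
```

A non-empty missing_controls list is the condition to alert on: the page says a container whose profile fails to load should not start, so seeing a running workload without the corresponding OK line is worth investigating.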

Every container, fully covered.

No add-ons. No security tiers. Every feature below applies to every DevSpace — free or paid.

Full Container Isolation

Each DevSpace runs in its own Docker container with private PID, network, mount, and user namespaces. No process or file can leak between containers on the same host.

92 Tbps DDoS Protection

All forwarded ports — TCP and UDP — are routed through high-capacity DDoS scrubbing infrastructure. Volumetric floods are absorbed at the edge before reaching your IP.

TLS 1.3 Everywhere

Domain-mapped ports get auto-provisioned TLS certificates. All web traffic is encrypted in transit. Certificates are renewed automatically — zero maintenance.

Seccomp & AppArmor

A custom seccomp filter restricts the syscalls containers can invoke. AppArmor profiles further constrain filesystem and network access at the OS kernel level.

Capability Restriction

All Linux capabilities are dropped by default. Only the minimum required capabilities are granted. setuid and setgid binaries cannot escalate privileges inside the container.

IP Whitelisting & Firewall

Lock any forwarded port to specific IP addresses or CIDR ranges. Rules take effect instantly at the edge — not inside the container where they could be bypassed.

cgroup Resource Limits

CPU, RAM, and PID counts are enforced by Linux cgroups at the host level. A runaway process inside your container cannot affect other containers or the host system.

Read-Only Root FS

The base container filesystem is mounted read-only. Persistent data lives on isolated volumes. Silent filesystem modification by compromised processes is structurally impossible.

Encrypted at Rest

Container volumes and persistent storage are encrypted at rest using AES-256. Disk images cannot be read without the per-container encryption key, which never leaves our KMS.

Kernel namespaces.
Total process separation.

Namespaces are Linux's foundational isolation primitive — and Docker uses all of them. Each DevSpace container gets its own isolated view of PIDs, networking, mounts, hostname, user IDs, and IPC. What happens inside stays inside.

net (Network namespace): Separate IP stack, routes, interfaces
pid (PID namespace): Process tree starts at PID 1, invisible to host
mnt (Mount namespace): Isolated filesystem view, separate mounts
user (User namespace): UID/GID remapping, no real root on host
ipc (IPC namespace): Shared memory segments and semaphores isolated
uts (UTS namespace): Independent hostname and domain name

Private PID + network namespace
No shared memory (IPC isolated)
UID remapping — no real root
Isolated mount + UTS namespace
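The user namespace row is the one that decides whether "root" inside a container is a real root on the host, and the kernel publishes the answer in /proc/<pid>/uid_map: each line maps a range of in-namespace ids to host ids, and an identity map means no remapping is in effect. The following is an added example, not DevSpace's code, that parses that file and reports whether in-container uid 0 lands on an unprivileged host uid. Both map samples are constructed, and the subordinate range starting at 100000 is an assumption, not a DevSpace value.

```python
# Added example (not DevSpace's code): decide whether "root" inside a container is
# a real host root by reading the kernel's user-namespace mapping in /proc/<pid>/uid_map.
# Each line is "inside_start outside_start count"; an identity map (0 0 4294967295)
# means no remapping is in effect.

def parse_id_map(text):
    """Parse uid_map/gid_map content into (inside_start, outside_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than guessing
        ranges.append(tuple(int(p) for p in parts))
    return ranges

def to_host_id(ranges, inside_id):
    """Translate an id seen inside the namespace to the host id, or None if unmapped
    (the kernel itself would show such an id as the overflow id, 65534)."""
    for inside, outside, count in ranges:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None

def root_is_remapped(uid_map_text):
    """True when in-container uid 0 maps to a non-zero (unprivileged) host uid."""
    host_uid = to_host_id(parse_id_map(uid_map_text), 0)
    return host_uid is not None and host_uid != 0

# Constructed samples: a container without user namespaces, and one remapped to a
# subordinate range starting at host uid 100000 (the value is an assumption).
IDENTITY_MAP = "         0          0 4294967295\n"
REMAPPED_MAP = "         0     100000      65536\n"

def check_self():
    """Inspect the calling process (Linux only)."""
    with open("/proc/self/uid_map") as fh:
        return root_is_remapped(fh.read())

if __name__ == "__main__":
    print("identity map, root remapped:", root_is_remapped(IDENTITY_MAP))
    print("remapped map, root remapped:", root_is_remapped(REMAPPED_MAP))
```

The same parser applies to /proc/self/gid_map; running check_self() from inside a workload is a quick way to confirm the "no real root on host" property for that container.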

Granular access control.
Share safely.

When you share a DevSpace with a collaborator, you decide exactly what they can touch. File manager access, terminal access, and port visibility are all individually scoped — not all-or-nothing.

Role-based collaboration. Grant read-only, file-only, terminal-only, or full access to each collaborator independently.

Session-scoped tokens. Collaboration links expire. Sessions are token-bound and cannot be replayed after expiry.

Instant revocation. Remove a collaborator's access at any time — their session is terminated within seconds, no container restart needed.

Collaborator permissions table: columns User · Terminal · Files · Ports · Restart; rows for collaborators JR and SN

Secure infrastructure.
Zero effort.

Every security feature on this page is active by default in every DevSpace — no configuration needed.

Security questions

Can another tenant on the same host see my container?

No. Kernel namespaces give each container an isolated view of the system. Containers on the same physical host operate in completely separate PID, network, and mount namespaces — they are invisible to each other by design.

Does root inside my container mean root on the host?

No. We use user namespace remapping so the root user inside your container maps to an unprivileged UID on the host. Combined with no-new-privileges and dropped capabilities, there is no privilege escalation path to the host kernel.

Is my data encrypted when the container is stopped?

Yes. Container volumes and persistent storage are encrypted at rest with AES-256. The encryption keys are managed by our KMS and are never accessible from within the container itself.

Can I use UDP ports for game servers?

Yes. Port Manager supports TCP, UDP, or both on any port. UDP forwarding goes through the same 92 Tbps DDoS scrubbing as TCP — game-server attacks are fully absorbed.

What happens if my container gets attacked?

The DDoS scrubber absorbs the attack at the edge before it reaches your container IP. Your workload continues running unaffected. The event is logged in your container audit log so you can see exactly what happened.

Can collaborators access things I have not explicitly granted?

No. Permissions are allowlist-based — collaborators only have access to the capabilities you explicitly grant. Terminal, file manager, ports, and container restart are each individually scoped.

Are the seccomp and AppArmor profiles customizable?

The base profiles cannot be weakened — they are enforced at the host level. However, you can request additional capability grants for specific use cases through our support channel.

Is traffic between my container and my domain encrypted?

Yes. Domain-mapped ports get auto-provisioned TLS certificates (Let's Encrypt or custom). All inbound traffic is TLS 1.3 terminated before it reaches your container. Certificates renew automatically.