Encrypted Client Hello policy


Encrypted Client Hello (ECH) is available as a project setting for TLS traffic terminated by the edge.

That makes it possible to hide the SNI and other ClientHello metadata from on-path observers without rolling separate changes through every application. A single project-level setting keeps a consistent ECH posture across published endpoints and project-scoped engine surfaces that terminate TLS.

The setting accepts two values, preferred and required. preferred uses ECH when the client and the DNS path support it, while keeping the standard TLS fallback path available. required rejects non-ECH handshakes; because ECH exists only in TLS 1.3, this also limits the affected terminated surfaces to TLS 1.3 traffic.

ECH depends on a valid DNS HTTPS or SVCB record being published for the project hostname and on engine-side ECH configuration for the cluster. TLS passthrough remains excluded because the edge does not terminate the handshake. Community Edition deployments do not enforce this policy.
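To make the dependency on DNS publication and the difference between the two policy values concrete, the following is an added Go example; it is not rstream code and does not appear on the original page. It takes the value of the ech parameter from a hostname's HTTPS record (the base64 ECHConfigList that a resolver shows), validates it by parsing the ECHConfig wire structure from draft-ietf-tls-esni, and then applies a preferred/required decision: required refuses to proceed when no usable config is published, preferred falls back to standard TLS with the SNI visible. The function names ParseECHConfigList, PlanHandshake and SampleECHParam, the constructed sample config and the mention of Go's tls.Config field are assumptions made for illustration only.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

var be = binary.BigEndian

// ECHConfig is the part of a version 0xfe0d ECHConfig (draft-ietf-tls-esni) that
// decides whether ECH is usable; PublicName is the outer SNI the network sees.
type ECHConfig struct {
	ConfigID   uint8
	KemID      uint16
	PublicName string
}

// ParseECHConfigList decodes the ECHConfigList carried in the ech SvcParam,
// rejecting malformed framing and skipping configs with unknown versions as the draft requires.
func ParseECHConfigList(b []byte) ([]ECHConfig, error) {
	if len(b) < 2 || int(be.Uint16(b))+2 != len(b) {
		return nil, errors.New("bad ECHConfigList length")
	}
	var out []ECHConfig
	for body := b[2:]; len(body) > 0; {
		if len(body) < 4 || 4+int(be.Uint16(body[2:])) > len(body) {
			return nil, errors.New("truncated ECHConfig")
		}
		version, c := be.Uint16(body), body[4:4+int(be.Uint16(body[2:]))]
		body = body[4+len(c):]
		if version != 0xfe0d {
			continue
		}
		// HpkeKeyConfig: config_id(1) kem_id(2) public_key<1..2^16-1> cipher_suites<4..2^16-4>
		if len(c) < 5 || int(be.Uint16(c[3:])) < 1 || 7+int(be.Uint16(c[3:])) > len(c) {
			return nil, errors.New("bad HpkeKeyConfig")
		}
		cfg, c := ECHConfig{ConfigID: c[0], KemID: be.Uint16(c[1:])}, c[5+int(be.Uint16(c[3:])):]
		csLen := int(be.Uint16(c))
		if csLen < 4 || csLen%4 != 0 || 2+csLen+2 > len(c) {
			return nil, errors.New("bad cipher_suites")
		}
		c = c[2+csLen:] // then maximum_name_length(1), public_name<1..255>, extensions<0..2^16-1>
		if n := int(c[1]); n < 1 || 2+n+2 > len(c) {
			return nil, errors.New("bad public_name")
		}
		cfg.PublicName = string(c[2 : 2+int(c[1])])
		out = append(out, cfg)
	}
	return out, nil
}

// PlanHandshake applies the preferred/required policy to the ech SvcParam value
// published for the hostname ("" when the HTTPS record carries none). required
// refuses to proceed without a usable ECHConfig (ECH exists only in TLS 1.3, so this
// also pins the handshake to TLS 1.3); preferred falls back to standard TLS with the
// SNI visible. On Go 1.23+ the decoded list would be handed to
// tls.Config.EncryptedClientHelloConfigList (assumed wiring, not shown here).
func PlanHandshake(mode, echParam string) (useECH bool, outerSNI string, err error) {
	var cfgs []ECHConfig
	if echParam != "" {
		if raw, e := base64.StdEncoding.DecodeString(echParam); e != nil {
			err = e
		} else {
			cfgs, err = ParseECHConfigList(raw)
		}
	}
	if err != nil || len(cfgs) == 0 {
		if mode == "required" {
			return false, "", fmt.Errorf("ech required but no usable ECHConfig is published (param=%q, err=%v)", echParam, err)
		}
		return false, "", nil // preferred: standard TLS fallback, SNI visible on the wire
	}
	return true, cfgs[0].PublicName, nil
}

// SampleECHParam returns a constructed ech SvcParam value: a base64 ECHConfigList with
// one ECHConfig (config_id 7, X25519 KEM, HKDF-SHA256/AES-128-GCM, public_name
// "public.example"). The 32-byte public key is a placeholder byte pattern, not a real key.
func SampleECHParam() string {
	u16 := func(v int) []byte { return []byte{byte(v >> 8), byte(v)} }
	pk := make([]byte, 32)
	for i := range pk {
		pk[i] = byte(i)
	}
	var contents []byte
	for _, p := range [][]byte{{7}, u16(0x0020), u16(32), pk, u16(4), u16(1), u16(1), {0, 14}, []byte("public.example"), u16(0)} {
		contents = append(contents, p...)
	}
	cfg := append(append(u16(0xfe0d), u16(len(contents))...), contents...)
	return base64.StdEncoding.EncodeToString(append(u16(len(cfg)), cfg...))
}

func main() {
	for _, mode := range []string{"preferred", "required"} {
		for _, param := range []string{SampleECHParam(), ""} {
			use, sni, err := PlanHandshake(mode, param)
			fmt.Printf("mode=%-9s published=%-5v use_ech=%-5v outer_sni=%q err=%v\n", mode, param != "", use, sni, err)
		}
	}
}
```

In practice the ech value comes from the hostname's HTTPS record (for example the `ech=` field in `dig HTTPS <hostname>` output); running the check against that record before switching a project to required shows whether the DNS side of the dependency is in place, and the outer SNI reported is what an observer on the path would see instead of the real hostname.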

rstream Go CLI 1.12.0 and later include the transport-side behavior needed for ECH-aware CLI workflows.

For the runtime policy model and transport-side DNS behavior, refer to Access Policies and Tunnel Transports.