Secure-by-default, requirement by requirement
The CRA's essential product requirements — no default passwords, least privilege, secure updates — as a checklist you can actually work.
The CRA's essential requirements aren't abstract — they're a product checklist. Here are four that catch most teams, framed as things you can actually verify.
1
No default passwords
Ship with unique or forced-change credentials. A shared default password is an explicit CRA failure.
2
Secure by default
The out-of-the-box configuration is the hardened one — attack surface minimised unless a user deliberately opts in.
3
Least privilege & data protection
Components run with the minimum rights they need; data at rest and in transit is protected.
4
Secure updates
Signed updates over an authenticated channel — plus a way to tell users about security fixes.
this is Proofwright
It's live.
See the real thing at Proofwright.