DDoS Protection (Layer 7)

Rate limiting, Slowloris detection, burst protection, and adaptive throttling for application-layer attacks.

  • Per-IP rate limiting with configurable windows
  • Burst detection and adaptive throttling
  • Concurrent connection limits
  • Slowloris and slow POST detection
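The two mechanisms the list above names, a per-client sliding window with a separate burst ceiling and a per-client concurrency cap, as an added Go example written for this page (not the project's own code). The window sizes, limits and client keys are assumed values chosen for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limiter keeps, per client key, the timestamps of accepted requests and
// checks two ceilings on every call: a sustained limit over window and a
// burst limit over the much shorter burstWindow. All limits are assumed
// values chosen for this example, not the project's defaults.
type Limiter struct {
	mu          sync.Mutex
	window      time.Duration
	limit       int
	burstWindow time.Duration
	burstLimit  int
	hits        map[string][]time.Time
}

func NewLimiter(window time.Duration, limit int, burstWindow time.Duration, burstLimit int) *Limiter {
	return &Limiter{
		window: window, limit: limit,
		burstWindow: burstWindow, burstLimit: burstLimit,
		hits: make(map[string][]time.Time),
	}
}

// Allow reports whether a request from key at time now fits both budgets;
// on rejection it names the ceiling that fired ("rate" or "burst"). Only
// accepted requests are recorded, so a client that backs off is unblocked
// once its old hits age out of the window.
func (l *Limiter) Allow(key string, now time.Time) (ok bool, reason string) {
	l.mu.Lock()
	defer l.mu.Unlock()

	ts := l.hits[key]
	// Evict timestamps older than the sustained window (slice is time-ordered).
	cut := now.Add(-l.window)
	i := 0
	for i < len(ts) && !ts[i].After(cut) {
		i++
	}
	ts = ts[i:]
	if len(ts) >= l.limit {
		l.hits[key] = ts
		return false, "rate"
	}
	// Count the newest timestamps that still fall inside the burst window.
	burstCut := now.Add(-l.burstWindow)
	burst := 0
	for j := len(ts) - 1; j >= 0 && ts[j].After(burstCut); j-- {
		burst++
	}
	if burst >= l.burstLimit {
		l.hits[key] = ts
		return false, "burst"
	}
	l.hits[key] = append(ts, now)
	return true, ""
}

// ConnGuard caps in-flight requests per client. Slow-header and slow-POST
// (Slowloris-style) clients hold many connections open for a long time, so a
// per-client concurrency ceiling bounds the damage regardless of request rate.
type ConnGuard struct {
	mu    sync.Mutex
	max   int
	inUse map[string]int
}

func NewConnGuard(max int) *ConnGuard {
	return &ConnGuard{max: max, inUse: make(map[string]int)}
}

// Acquire reserves a slot for key; the caller must Release when the request ends.
func (g *ConnGuard) Acquire(key string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.inUse[key] >= g.max {
		return false
	}
	g.inUse[key]++
	return true
}

func (g *ConnGuard) Release(key string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.inUse[key] <= 1 {
		delete(g.inUse, key)
		return
	}
	g.inUse[key]--
}

func main() {
	// Constructed traffic: one client firing six requests 100ms apart.
	lim := NewLimiter(time.Minute, 5, time.Second, 3)
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	for i := 0; i < 6; i++ {
		ok, why := lim.Allow("203.0.113.7", t0.Add(time.Duration(i)*100*time.Millisecond))
		fmt.Printf("request %d allowed=%v %s\n", i+1, ok, why)
	}
}
```

Recording only accepted requests is a deliberate choice: counting rejected ones too keeps a flooding client blocked for longer, but lets one client grow its timestamp slice without bound, so a production limiter that does that needs a hard cap on stored entries and eviction of idle keys.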

Bot Detection & Fingerprinting

Advanced browser fingerprinting to detect bot networks and automated attacks.

  • Canvas fingerprinting for unique browser signatures
  • WebGL fingerprinting (GPU vendor and renderer detection)
  • Font detection via canvas measurement
  • Hardware characteristics (CPU cores, memory, screen)
  • Bot network detection when multiple IPs share fingerprints
  • Headless browser detection (Puppeteer, Selenium, Playwright)

Challenge System

Multiple verification methods to confirm that a visitor is a legitimate user.

  • JavaScript Challenge - Basic bot filtering
  • Proof-of-Work - Computational puzzle to make attacks expensive
  • hCaptcha - Privacy-focused CAPTCHA provider
  • Cloudflare Turnstile - Invisible challenge with best UX

Attack Prevention

Comprehensive protection against web application attacks.

  • SQL injection detection and blocking
  • XSS (Cross-Site Scripting) prevention
  • HTTP request smuggling detection (17 violation types)
  • Credential stuffing protection
  • Path traversal blocking
  • Command injection prevention
  • Input sanitization and validation

IP Management

Advanced IP control with 119+ configuration fields.

  • Whitelist and blacklist management
  • Time-based restrictions (business hours, specific days)
  • Path and method controls (allow/block specific endpoints)
  • GeoIP country blocking
  • ASN-based filtering
  • Request pattern matching (query params, headers, referers)
  • Content controls (file types, sizes, content-types)
  • Protocol requirements (HTTPS, TLS versions, HTTP/2)

IPv6 Support

Full dual-stack support with IPv6-aware security features.

  • IPv6 address parsing and validation
  • CIDR matching for IPv6 ranges
  • Private IPv6 range detection (ULA, link-local, loopback)
  • IPv6-aware rate limiting
  • Dual-stack GeoIP lookups
  • Performance: 43.98ns per IPv6 check
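The IPv6 handling listed above (address parsing, CIDR matching, private-range detection and an IPv6-aware rate-limit key) as an added Go example built on the standard library's net/netip package; it is not the project's own code, and the block-list entries and sample addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// privateV6 covers the ranges named above: ULA fc00::/7, link-local fe80::/10
// and loopback ::1/128. This is an added example; the project's own range
// tables may differ.
var privateV6 = []netip.Prefix{
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("::1/128"),
}

// ParseClientIP normalises a client address before any policy lookup: the
// IPv6 zone suffix (fe80::1%eth0) is dropped, because netip prefixes never
// match zoned addresses, and IPv4-mapped IPv6 (::ffff:10.0.0.1) is unmapped
// so an IPv4 block list cannot be bypassed by presenting the same host in
// its v6 form.
func ParseClientIP(s string) (netip.Addr, error) {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Addr{}, err
	}
	return a.WithZone("").Unmap(), nil
}

// IsPrivateV6 reports whether a (already normalised) falls in a private IPv6 range.
func IsPrivateV6(a netip.Addr) bool {
	if !a.Is6() {
		return false
	}
	for _, p := range privateV6 {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// BlockList holds canonical (masked) prefixes of either address family.
type BlockList struct {
	prefixes []netip.Prefix
}

func NewBlockList(cidrs ...string) (*BlockList, error) {
	b := &BlockList{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("block list entry %q: %w", c, err)
		}
		b.prefixes = append(b.prefixes, p.Masked())
	}
	return b, nil
}

func (b *BlockList) Matches(a netip.Addr) bool {
	for _, p := range b.prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// RateKey is the bucket key for per-client rate limiting. A single IPv6 host
// usually owns a whole /64 and can rotate through its addresses, so the key
// is the /64; IPv4 clients are keyed on the full address.
func RateKey(a netip.Addr) string {
	if a.Is6() {
		return netip.PrefixFrom(a, 64).Masked().String()
	}
	return a.String()
}

func main() {
	bl, _ := NewBlockList("2001:db8:abcd::/48", "198.51.100.0/24") // constructed entries
	for _, s := range []string{"fe80::1%eth0", "::ffff:198.51.100.9", "2001:db8:abcd:1::5", "2001:db8::1"} {
		a, err := ParseClientIP(s)
		if err != nil {
			fmt.Println(s, "->", err)
			continue
		}
		fmt.Printf("%-22s private=%-5v blocked=%-5v key=%s\n", s, IsPrivateV6(a), bl.Matches(a), RateKey(a))
	}
}
```

Keying IPv6 rate limits on the /64 rather than the full address is what makes the limiter "IPv6-aware": without it a client with a routed /64 gets 2^64 separate buckets.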

CSRF Protection

Comprehensive Cross-Site Request Forgery protection.

  • Server-side token validation
  • Double-submit cookie pattern (stateless)
  • Configurable token TTL and cookie settings
  • Per-endpoint exemptions
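The stateless double-submit pattern with a configurable TTL, cookie settings and per-endpoint exemptions, as an added Go example that is not the project's own implementation. It goes one step beyond a plain double-submit cookie by HMAC-signing the token, so that cookie and form value must not only match but also have been minted by this server. The key, cookie name and exempt path are assumed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// CSRF issues and checks double-submit tokens. The key is assumed to come from
// an environment variable in a real deployment; here it is supplied directly.
type CSRF struct {
	key        []byte
	ttl        time.Duration
	cookieName string
	exempt     map[string]bool // request paths that skip the check, e.g. webhooks
}

func NewCSRF(key []byte, ttl time.Duration, cookieName string, exemptPaths ...string) *CSRF {
	c := &CSRF{key: key, ttl: ttl, cookieName: cookieName, exempt: make(map[string]bool)}
	for _, p := range exemptPaths {
		c.exempt[p] = true
	}
	return c
}

func (c *CSRF) sign(body string) string {
	m := hmac.New(sha256.New, c.key)
	m.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue returns "expiry.nonce.mac". The MAC keeps the server stateless yet
// stops anyone who can set cookies for the site (for example from a sibling
// subdomain) from minting a matching cookie/form pair, the classic weakness of
// an unsigned double-submit cookie.
func (c *CSRF) Issue(now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	body := strconv.FormatInt(now.Add(c.ttl).Unix(), 10) + "." +
		base64.RawURLEncoding.EncodeToString(nonce)
	return body + "." + c.sign(body), nil
}

// Cookie builds the Set-Cookie for the token. HttpOnly stays on because the
// token is echoed from a server-rendered form field, not read by page scripts.
func (c *CSRF) Cookie(token string, now time.Time) *http.Cookie {
	return &http.Cookie{
		Name: c.cookieName, Value: token, Path: "/", Expires: now.Add(c.ttl),
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	}
}

// Required says whether a request needs a token: safe methods never do, and
// exempt paths are skipped regardless of method.
func (c *CSRF) Required(method, path string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return false
	}
	return !c.exempt[path]
}

// Validate performs the double-submit check: cookie and submitted token must
// be identical, carry a valid MAC, and not be expired.
func (c *CSRF) Validate(cookie, submitted string, now time.Time) error {
	if cookie == "" || submitted == "" {
		return errors.New("csrf: token missing")
	}
	if !hmac.Equal([]byte(cookie), []byte(submitted)) {
		return errors.New("csrf: cookie and submitted token differ")
	}
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 {
		return errors.New("csrf: malformed token")
	}
	if !hmac.Equal([]byte(c.sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return errors.New("csrf: bad signature")
	}
	exp, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil {
		return errors.New("csrf: malformed expiry")
	}
	if now.Unix() >= exp {
		return errors.New("csrf: token expired")
	}
	return nil
}

func main() {
	c := NewCSRF([]byte("constructed-demo-key-change-me"), time.Hour, "csrf_token", "/webhooks/inbound")
	now := time.Now()
	tok, _ := c.Issue(now)
	fmt.Println("cookie header:", c.Cookie(tok, now).String())
	fmt.Println("POST /account valid now:", c.Validate(tok, tok, now))
	fmt.Println("POST /account two hours later:", c.Validate(tok, tok, now.Add(2*time.Hour)))
	fmt.Println("POST /webhooks/inbound needs token:", c.Required(http.MethodPost, "/webhooks/inbound"))
}
```

Because the expiry is inside the signed body, a client cannot extend a token's lifetime by editing the timestamp, and the server needs no token store to enforce the TTL.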

Simple Configuration

JSON-based configuration with no complex rule syntax.

  • Human-readable JSON format
  • Hot-reload support (planned)
  • No regex hell or complex directives
  • Environment variable support for secrets

Performance

Built in Go for maximum performance.

  • 10,000-50,000 requests/second throughput (tested)
  • 0.15ms average processing time
  • 350KB memory per request
  • Single binary deployment
  • Minimal external dependencies

Monitoring & Metrics

Built-in Prometheus metrics for observability.

  • Attack detection and blocking metrics
  • Rate limiting statistics
  • HTTP request/response tracking
  • Challenge completion rates
  • Fingerprint statistics