Web Application Firewall

Risk accumulates.
The threshold decides.

Light WAF inspects every request, scores it against your rules, and blocks when the score crosses the line — with a control panel that shows you exactly why.

Open core (Apache-2.0)Rust · zero-fork extension
req-7f3a9c21 · POST /api/login▲ blocked
0accumulated score
criticalwarningnotice
How it decides

No single rule blocks a request. The score does.

Every module that matches contributes points by severity. When the cumulative anomaly score crosses your block threshold, the request is denied. Tuning the WAF is tuning that one relationship — not editing rules by hand.

01 · INSPECT

Every phase, every request

Connection, headers, body — native detectors and CRS rules examine each request as it's read, in order.

02 · SCORE

Severity becomes points

A critical adds 6, a warning 3, a notice 2. Two weak signals together weigh as much as one strong one.

03 · DECIDE

Cross the line, get blocked

At the threshold the verdict flips to blocked — and the full breakdown is stored for the drill-down.

Capabilities

A firewall, an operations console, and a governance layer.

Everything below the core is opt-in and default-off — turn it all off and you have exactly the standalone OPEN WAF.

Protect — the data path

Detection pipeline

SQLi, XSS, RCE, path traversal, SSRF, LDAP/NoSQL/SSTI and more — plus the CRS rule engine — score every request cooperatively.

Cluster-wide rate limiting

One token-bucket budget shared across every node via Redis, with atomic server-side accounting. No node over-allows.

IP reputation & threat feeds

Score client IPs from your bl​ocklists; a single-writer feed keeps the shared reputation fresh and self-expiring.

Managed TLS

Hitless ACME certificates (TLS-ALPN-01 or DNS-01 wildcards), plus mutual-TLS client auth. Fail-closed, never a silent downgrade.

Schema enforcement

Validate every GraphQL and gRPC operation against your app's real schema — a field the real client never sends is a probing signal.

Signed WASM plugins

Extend detection with your own WASM modules, gated by a detached minisign signature. A plugin that fails verification never loads.

Operate — the control panel

Control-plane dashboard

A single pane over the whole cluster: block rate, traffic disposition, denied-event volume and per-node latency.

Verdict drill-down

Open any blocked request and see the accumulated score broken down per rule and severity — exactly why it was stopped.

Alerting

Fire on per-IP or per-rule bursts within a window, with cooldowns, and push to a webhook. Attack signatures surface themselves.

Governed rule management

Publish and roll back ruleset versions from the dashboard; a per-node agent validates and hot-reloads, and you watch convergence.

Govern — access & evidence

RBAC & SSO

Viewer / operator / admin roles, local accounts, and OpenID Connect single sign-on backed by HttpOnly session cookies.

Signed audit log

Every action is written to a hash-chained, Ed25519-signed log — tamper-evident and verifiable on demand.

Compliance evidence

Generate a signed SOC2 / PCI evidence bundle for any period — access control, audit integrity, WAF effectiveness, incidents.

SIEM export

Push denied verdicts, audit records and alerts to your SIEM as versioned ECS-like NDJSON, at-least-once, with visible lag.

The control panel

See what your WAF is doing — and why.

A React dashboard over the whole cluster: monitor traffic, drill into any blocked request, manage rules, and produce compliance evidence.

overview
Light WAF dashboard — overview with block rate, traffic disposition and latency
Overview. Block rate, traffic disposition, denied-event volume and per-node latency at a glance.
event drill-down
Light WAF event drill-down with the Verdict Meter and score breakdown
Verdict drill-down. The accumulated score, broken down per rule and severity.
compliance
Light WAF compliance report — signed SOC2/PCI evidence bundle
Compliance. A signed SOC2 / PCI evidence bundle, generated for any period.
Editions

An open core, extended without forking it.

The enterprise tier plugs into the core's extension seams through the builder — the same physical shape as a separate repository.

Apache-2.0 · public

OPEN core

A complete, standalone WAF — on GitHub and crates.io.

  • Reverse proxy + detection pipeline
  • Native rule modules + CRS engine
  • TLS termination from file
  • Single-node rate limiting
  • Prometheus metrics + decision log
BSL 1.1 · commercial

Enterprise tier

At-scale and governed capabilities on top — available commercially.

  • Cluster-wide rate limit + IP reputation
  • Managed ACME TLS + curated premium rules
  • GraphQL/gRPC schema enforcement, bot detection
  • control panel, dashboard & governed rule management
  • RBAC/SSO, signed audit, compliance & SIEM export
Where the line is — the full map & the rules that hold it →

Run it, tune the threshold, watch the verdicts.

The open core is on GitHub and crates.io. The enterprise tier — control panel, governance, compliance, SIEM — is available commercially.