Protect Your Web Applications Against Modern Cyber Threats & L7 DDoS Attacks
WafWay is an enterprise-grade, self-hosted Web Application Firewall (WAF) designed to protect your web applications against SQL injection, XSS, OWASP Top 10 threats, and L7 DDoS attacks. Built with Go for maximum performance, WafWay includes interactive human verification challenges, Redis distributed state sharing, PostgreSQL enterprise storage, and multi-region DC/DR support.
Independently tested against 704+ attack payloads across 16+ threat areas. New: an interactive "Verify you are human" challenge backed by SHA-256 proof-of-work raises the cost of automated L7 request floods. Clients that cannot run JavaScript and solve the puzzle are stopped, while real users pass in under 3 seconds.
- SQL injection: Union, Boolean, Time-based, Stacked queries
- Cross-site scripting: Reflected, Stored, DOM-based, Polyglots
- XXE: External entities, Billion laughs, OOB
- Command injection: Shell commands, Reverse shells
- Path traversal: Directory traversal, Null bytes
- File inclusion & SSRF: File inclusion, Cloud metadata
Tested with: SQLMap, Burp Suite, OWASP ZAP, Nikto, Nmap, DirBuster, Acunetix, Custom Payloads
OWASP Top 10 & Extended Threat Coverage: all 16 categories tested. Fifteen were blocked; for A09 (Logging & Monitoring) the measured outcome is detection and logging of stealth and evasion attempts, which is the control that category exercises.
| # | Threat Category | Attack Scenarios Tested | Result |
|---|---|---|---|
| A01 | Broken Access Control | Forced browsing, IDOR, method tampering | BLOCKED |
| A02 | Cryptographic Failures | HTTP downgrade attempts, insecure headers | BLOCKED |
| A03 | Injection | SQLi, NoSQLi, OS command injection, LDAP injection | BLOCKED |
| A04 | Insecure Design | Abnormal request sequencing, logic abuse | BLOCKED |
| A05 | Security Misconfiguration | .env, .git, backup file access, directory listing | BLOCKED |
| A06 | Vulnerable Components | Known exploit payloads targeting outdated libraries | BLOCKED |
| A07 | Authentication Failures | Brute force login, credential stuffing | BLOCKED |
| A08 | Data Integrity Failures | Payload tampering, insecure deserialization | BLOCKED |
| A09 | Logging & Monitoring | Stealth attacks, evasion attempts | DETECTED & LOGGED |
| A10 | Server-Side Request Forgery | Internal IPs, cloud metadata URLs | BLOCKED |
| E01 | Cross-Site Scripting (XSS) | Reflected, Stored, DOM-based XSS | BLOCKED |
| E02 | Cross-Site Request Forgery | CSRF token bypass attempts | BLOCKED |
| E03 | Path Traversal / File Inclusion | ../ traversal, LFI, RFI | BLOCKED |
| E04 | Bot Attacks & Automated Abuse | Credential stuffing, scraping, automation | BLOCKED |
| E05 | API Abuse & Parameter Tampering | Invalid methods, excessive requests | BLOCKED |
| E06 | Evasion & Encoding Techniques | Unicode, double encoding, HTTP parameter pollution | BLOCKED |
Controlled attack simulations validated detection accuracy, blocking effectiveness, application stability, and logging integrity. Tests included automated and manual crafted payloads.
WafWay handles advanced evasion techniques including Unicode and multi-layer encoding attacks, protocol abuse, and modern framework-specific threats (Angular, Vue, React). No noticeable performance degradation observed during testing.
Residual Risk Level: Low (Post-WAF Protection)
Everything you need to secure your web applications
SQL injection detection: OWASP CRS-inspired detection with 45+ patterns covering union, boolean, time-based, and stacked query attacks.
XSS detection: Comprehensive cross-site scripting detection including reflected, stored, and DOM-based payloads carried in requests.
Password hashing & tokens: Industry-standard bcrypt password hashing with cryptographically secure token generation.
Storage backends: Enterprise PostgreSQL with connection pooling (RDS compatible) or SQLite for smaller deployments.
Custom rules: Create, update, and delete custom WAF rules. Define patterns, actions, and priorities.
Analytics: Time-series traffic data, top paths analysis, and attack logging. Export via REST API.
GeoIP filtering: Block traffic by country and detect VPNs and Tor exit nodes with MaxMind GeoIP integration.
Human verification challenge: Interactive "Verify you are human" click-to-verify with SHA-256 proof-of-work. Stops bots that cannot run JavaScript and solve the puzzle; passes humans in <3s.
Tiered enforcement: Allow → Challenge → Block. A configurable soft threshold triggers human verification before the hard threshold blocks outright.
Distributed state: Share rate limits, challenge passes, and IP bans across multiple WAF instances via Redis. ElastiCache compatible.
Security headers: HSTS, Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS whitelist.
API discovery: Passive endpoint inventory from live traffic. Detects shadow APIs, infers JSON schemas, flags PII/PCI parameters by name and value shape.
Metrics & health: Native /metrics, /healthz, /readyz endpoints with low-cardinality labels. Pre-built Grafana dashboard for traffic, blocks, latency, backend health.
Anomaly detection: Statistical baselines per host / session / IP. Flags traffic that deviates from learned normal, without static rules.
Admin security: TOTP multi-factor authentication, role-based access control, and a tamper-evident chain-hashed audit trail of every admin action.
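A chain-hashed audit trail is a standard construction: each entry's hash covers its own fields plus the hash of the entry before it, so editing or removing any past entry breaks every link after it. The Go program below is an added illustration of that idea, not WafWay's code; the field names, the all-zero genesis value, the JSON canonicalisation and the sample admin actions are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// genesisHash is the PrevHash of the first entry: 32 zero bytes, hex-encoded.
var genesisHash = strings.Repeat("0", 64)

// AuditEntry records one admin action. PrevHash links it to the entry before it,
// and Hash covers every field including PrevHash, so altering or deleting an
// earlier entry changes every hash after it.
type AuditEntry struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Target   string `json:"target"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash,omitempty"`
}

// entryHash hashes the JSON encoding of e with Hash cleared. Struct fields
// encode in declaration order, so the encoding is deterministic.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot happen for a struct of plain strings and integers
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is an append-only chain of entries.
type AuditLog struct {
	Entries []AuditEntry
}

// Append records an action and links it to the current head of the chain.
func (l *AuditLog) Append(actor, action, target string, at time.Time) AuditEntry {
	prev := genesisHash
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{
		Seq:      uint64(len(l.Entries)) + 1,
		Time:     at.UTC().Format(time.RFC3339),
		Actor:    actor,
		Action:   action,
		Target:   target,
		PrevHash: prev,
	}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain from the genesis hash, recomputing every entry hash
// and checking every link and sequence number. It returns the index of the
// first inconsistent entry, or -1 if the whole chain is intact.
func (l *AuditLog) Verify() int {
	prev := genesisHash
	for i, e := range l.Entries {
		if e.Seq != uint64(i)+1 || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample actions, not real WafWay audit data.
	var trail AuditLog
	t0 := time.Date(2024, 1, 15, 9, 30, 0, 0, time.UTC)
	trail.Append("alice", "rule.create", "rule:sqli-custom-7", t0)
	trail.Append("alice", "ratelimit.update", "backend:api", t0.Add(time.Minute))
	trail.Append("bob", "ip.ban", "203.0.113.50", t0.Add(2*time.Minute))
	fmt.Println("intact chain, first bad index:", trail.Verify())

	// Someone with write access to the store edits an old entry in place.
	trail.Entries[1].Target = "backend:marketing"
	fmt.Println("after tampering, first bad index:", trail.Verify())
}
```

The chain only proves that the stored entries are consistent with each other; to detect truncation at the tail, the latest hash also has to be anchored somewhere the database writer cannot reach (an external log, a signed periodic checkpoint, or the SIEM feed).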
Per-backend tuning: Disable specific detectors per backend or per URL path. One WAF, many tuning profiles: protect chatty APIs differently from marketing sites.
Compliance reporting: Auditor-ready evidence reports for PCI-DSS 4.0, SOC 2 Type II, HIPAA, and GDPR generated on demand.
Hot reload: New routes, rate limits, virtual patches, all applied instantly from the admin UI. Zero restart, zero traffic gap.
Routing & load balancing: Route by host AND path with priority & wildcards. Weighted load balancing, health-aware failover, WebSocket parity.
Outbound data-leak inspection: Inspects outbound bodies for credit cards (Luhn-validated), SSNs, API keys, and stack traces. Mask, block, or log.
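Luhn validation is what separates a usable card-number detector from a noisy digit regex: order numbers, timestamps and phone numbers are the same length as a PAN but almost never pass the mod-10 check. The Go example below is added here to show that and is not WafWay's implementation; the candidate regex, the first-six/last-four mask format and the sample response body (built from the well-known Visa and Amex test numbers) are this example's own choices.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidatePAN matches 13-19 digit runs, optionally split by single spaces or
// dashes. The \b anchors stop it matching a sub-span of a longer digit run such
// as a 20-digit order number.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid reports whether digits passes the Luhn mod-10 checksum that every
// real card number satisfies. This is the filter that keeps look-alike numbers
// from being flagged.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Finding is one card number detected in a response body.
type Finding struct {
	Raw    string // exactly as it appeared, separators included
	Masked string // first six and last four digits kept, the rest replaced
}

// ScanPANs returns every Luhn-valid candidate in body, in order of appearance.
func ScanPANs(body string) []Finding {
	var out []Finding
	for _, m := range candidatePAN.FindAllString(body, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if len(digits) < 13 || len(digits) > 19 || !luhnValid(digits) {
			continue // wrong length or checksum failure: not a card number
		}
		masked := digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
		out = append(out, Finding{Raw: m, Masked: masked})
	}
	return out
}

// MaskPANs is the "mask" action: it rewrites the body with each finding masked
// and returns the findings so the event can also be logged.
func MaskPANs(body string) (string, []Finding) {
	findings := ScanPANs(body)
	masked := body
	for _, f := range findings {
		masked = strings.Replace(masked, f.Raw, f.Masked, 1)
	}
	return masked, findings
}

func main() {
	// Constructed response body: two real (test) card numbers and two
	// look-alikes, a 20-digit order id and a PAN with a typo, that must not match.
	body := `{"card":"4111 1111 1111 1111","order":"12345678901234567890",` +
		`"typo":"4111111111111112","amex":"378282246310005"}`
	masked, findings := MaskPANs(body)
	for _, f := range findings {
		fmt.Printf("PAN %q -> %s\n", f.Raw, f.Masked)
	}
	fmt.Println(masked)
}
```

Masking keeps the first six and last four digits, which is the usual PCI-style truncation; a "block" action would instead return an error page and log the same findings.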
SIEM integrations: Native Splunk HEC, Elasticsearch, syslog (RFC 5424 / CEF / LEEF). Generic webhooks with Slack, Teams, PagerDuty formatters.
Virtual patching & request smuggling defence: Per-CVE virtual patches with block, log, challenge, or bypass actions. Detects HTTP request smuggling (CL.TE / TE.CL desync) before it reaches your app.
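CL.TE and TE.CL smuggling both rely on a front-end and a back-end disagreeing about where one request ends and the next begins, so the check a WAF needs is simply to refuse any request whose framing is ambiguous. The Go function below is an added example of that check, not WafWay's code. It is deliberately stricter than RFC 7230 (the only accepted Transfer-Encoding is exactly "chunked" after a single optional space, never alongside Content-Length, and header names with trailing whitespace are malformed); those rules and the sample requests are the example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Verdict says whether the request should be refused before it is forwarded, and why.
type Verdict struct {
	Reject bool
	Reason string
}

// isToken reports whether s is a valid header-name token (RFC 7230 tchar only).
// Names such as "Transfer-Encoding " or "Transfer-Encoding\t" fail this test;
// some servers strip the whitespace and honour them, others ignore them.
func isToken(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		isAlnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
		if !isAlnum && !strings.ContainsRune("!#$%&'*+-.^_`|~", c) {
			return false
		}
	}
	return true
}

// CheckDesync inspects the header block of a raw HTTP/1.1 request (request
// line through the blank line) and rejects framing that two parsers could
// interpret differently. An error means the block was not complete enough to judge.
func CheckDesync(raw string) (Verdict, error) {
	head, _, found := strings.Cut(raw, "\r\n\r\n")
	if !found {
		return Verdict{}, errors.New("incomplete header block")
	}
	lines := strings.Split(head, "\r\n")
	var contentLengths, transferEncodings []string
	for _, line := range lines[1:] { // lines[0] is the request line
		if line == "" || line[0] == ' ' || line[0] == '\t' {
			return Verdict{true, "obsolete line folding or empty header line"}, nil
		}
		name, value, ok := strings.Cut(line, ":")
		if !ok {
			return Verdict{true, "header line without a colon"}, nil
		}
		if !isToken(name) {
			return Verdict{true, fmt.Sprintf("malformed header name %q", name)}, nil
		}
		switch strings.ToLower(name) {
		case "content-length":
			contentLengths = append(contentLengths, strings.TrimSpace(value))
		case "transfer-encoding":
			transferEncodings = append(transferEncodings, strings.TrimPrefix(value, " "))
		}
	}
	if len(contentLengths) > 0 && len(transferEncodings) > 0 {
		return Verdict{true, "Content-Length and Transfer-Encoding both present (CL.TE / TE.CL)"}, nil
	}
	for _, cl := range contentLengths {
		if cl == "" || strings.Trim(cl, "0123456789") != "" {
			return Verdict{true, fmt.Sprintf("non-numeric Content-Length %q", cl)}, nil
		}
		if cl != contentLengths[0] {
			return Verdict{true, "conflicting Content-Length values"}, nil
		}
	}
	if len(transferEncodings) > 1 {
		return Verdict{true, "multiple Transfer-Encoding headers"}, nil
	}
	if len(transferEncodings) == 1 && strings.ToLower(transferEncodings[0]) != "chunked" {
		// "xchunked", "chunked;x", "chunked, identity" or a tab before the value:
		// some servers treat these as chunked and others fall back to
		// Content-Length, which is exactly the disagreement TE.CL exploits.
		return Verdict{true, fmt.Sprintf("unsupported Transfer-Encoding %q", transferEncodings[0])}, nil
	}
	return Verdict{false, "unambiguous framing"}, nil
}

func main() {
	// Constructed requests: a clean POST and the classic CL.TE probe.
	for _, raw := range []string{
		"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 10\r\n\r\nuser=alice",
		"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG",
	} {
		v, err := CheckDesync(raw)
		fmt.Printf("reject=%v reason=%q err=%v\n", v.Reject, v.Reason, err)
	}
}
```

Rejecting is safe because a legitimate client never needs both headers; the residual risk is a front-end that normalises the request before this check runs, so the check belongs on the raw bytes as received.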
Deploy in 5 minutes - WafWay sits between the internet and your application
Users & Attackers → WafWay (Inspect, Challenge & Filter) → Clean Traffic Only
How it works: when a client exceeds the soft rate-limit threshold, WafWay serves an interactive challenge page instead of forwarding the request. A SHA-256 proof-of-work runs silently in the browser, then the user clicks a checkbox to confirm they are human. Verified clients receive a 30-minute pass. Bots and automated scripts that cannot execute JavaScript or click the checkbox are effectively blocked, and clients that keep going past the hard threshold are blocked outright regardless of the challenge (the Allow → Challenge → Block tiers above).
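The flow above, written out as an added Go example that is not WafWay's code: the Allow/Challenge/Block decision, a stateless HMAC-bound challenge, the solver the browser would run (here in Go, where the real challenge page uses JavaScript), and the verification that issues the 30-minute pass and refuses replays. The thresholds, the two-minute challenge lifetime, the difficulty, the counter encoding and the binding to the client address are all assumptions of this example; WafWay's actual parameters are not described on the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Tier is the enforcement decision for one request.
type Tier int

const (
	Allow Tier = iota
	Challenge
	Block
)

// Decide maps a client's request count in the current window onto the tiers.
// A client holding a valid pass skips the challenge but not the hard limit.
func Decide(reqsInWindow, soft, hard int, hasPass bool) Tier {
	switch {
	case reqsInWindow >= hard:
		return Block
	case reqsInWindow >= soft && !hasPass:
		return Challenge
	}
	return Allow
}

// PoWChallenge is what the challenge page hands to the browser. The HMAC binds
// nonce, client address, difficulty and expiry, so nothing is stored per issued
// challenge and a solution cannot be transferred to another address.
type PoWChallenge struct {
	Nonce      string
	Difficulty int // required leading zero bits of SHA-256(nonce || counter)
	Expires    int64
	MAC        string
}

// Verifier issues and redeems challenges. redeemed stops replay of a solved
// nonce; a multi-instance deployment would keep it in shared storage instead.
type Verifier struct {
	secret   []byte
	redeemed map[string]bool
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, redeemed: map[string]bool{}}
}

func (v *Verifier) mac(clientIP string, c PoWChallenge) string {
	m := hmac.New(sha256.New, v.secret)
	fmt.Fprintf(m, "%s|%s|%d|%d", c.Nonce, clientIP, c.Difficulty, c.Expires)
	return hex.EncodeToString(m.Sum(nil))
}

// NewChallenge creates a challenge for clientIP that is valid for two minutes.
func (v *Verifier) NewChallenge(clientIP string, now time.Time, difficulty int) PoWChallenge {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	c := PoWChallenge{Nonce: hex.EncodeToString(nonce[:]), Difficulty: difficulty, Expires: now.Add(2 * time.Minute).Unix()}
	c.MAC = v.mac(clientIP, c)
	return c
}

// powHash is what the browser iterates: SHA-256 over the nonce and a big-endian 64-bit counter.
func powHash(nonce string, counter uint64) [32]byte {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	return sha256.Sum256(append([]byte(nonce), ctr[:]...))
}

func hasLeadingZeroBits(sum [32]byte, bits int) bool {
	if bits < 0 || bits > 256 {
		return false
	}
	full, rem := bits/8, bits%8
	for i := 0; i < full; i++ {
		if sum[i] != 0 {
			return false
		}
	}
	return rem == 0 || sum[full]>>(8-rem) == 0
}

// Solve plays the browser's part: brute-force the counter. Expected cost is
// 2^Difficulty hashes, milliseconds for one person and a real cost for a flood.
func Solve(c PoWChallenge) uint64 {
	for counter := uint64(0); ; counter++ {
		if hasLeadingZeroBits(powHash(c.Nonce, counter), c.Difficulty) {
			return counter
		}
	}
}

// Verify checks MAC, expiry and replay before the proof so the cheap checks run
// first, and returns the expiry of the 30-minute pass on success.
func (v *Verifier) Verify(clientIP string, now time.Time, c PoWChallenge, counter uint64) (time.Time, error) {
	if !hmac.Equal([]byte(v.mac(clientIP, c)), []byte(c.MAC)) {
		return time.Time{}, errors.New("challenge not issued to this client, or tampered with")
	}
	if now.Unix() > c.Expires {
		return time.Time{}, errors.New("challenge expired")
	}
	if v.redeemed[c.Nonce] {
		return time.Time{}, errors.New("challenge already redeemed")
	}
	if !hasLeadingZeroBits(powHash(c.Nonce, counter), c.Difficulty) {
		return time.Time{}, errors.New("invalid proof of work")
	}
	v.redeemed[c.Nonce] = true
	return now.Add(30 * time.Minute), nil
}

func main() {
	v := NewVerifier([]byte("constructed-secret-rotate-in-production"))
	now := time.Now()
	fmt.Println("tier at 100 req/window (soft 60, hard 600, no pass):", Decide(100, 60, 600, false))
	c := v.NewChallenge("203.0.113.7", now, 16)
	counter := Solve(c) // about 65k hashes at difficulty 16
	until, err := v.Verify("203.0.113.7", now, c, counter)
	fmt.Println("counter:", counter, "pass until:", until, "err:", err)
	_, err = v.Verify("203.0.113.7", now, c, counter)
	fmt.Println("replay:", err)
}
```

Two design points worth keeping in a real deployment: the pass should be an HMAC-signed cookie bound to the same client address rather than a server-side row per visitor, and the difficulty should be tunable per tier, since a flood from clients that do run JavaScript is only slowed in proportion to 2^Difficulty.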
Cloud VMs: EC2, Compute Engine, Azure VM. Single binary behind your cloud load balancer.
Containers & Kubernetes: Alpine-based image. Helm charts. ConfigMap support. Horizontal scaling with Redis.
Linux servers: Single binary, zero dependencies. Systemd service with auto-restart. amd64 & arm64.
Contact us for a demo or to discuss your security requirements
ConceptGood Consultants is an AI Product Development and Consulting firm based in Pune, India. We specialize in building intelligent solutions that transform how businesses operate.