Detection modules

Modules run in phases as a request is read, and each contributes to one cumulative anomaly score. No module blocks on its own unless its score is worth it.

How inspection works

Detection is phased — connection → headers → body — and cooperative: every matched rule adds points by severity to the request's score, and the request is denied when the score crosses block_threshold. Verdicts are allow (forwarded), block (403), or reject (400 / 429 on a structural violation). See scoring configuration.

The catalogue

ModuleCatches
sqliSQL injection
xssCross-site scripting
rceRemote command / OS-command injection
path_traversalDirectory traversal (../ and encodings)
lfi_rfiLocal & remote file inclusion
ssrfServer-side request forgery, incl. cloud-metadata
ldapLDAP injection
nosqlNoSQL / query-operator injection
sstiServer-side template injection
ssiServer-side includes injection
xxeXML external entity
mailMail-header injection
scannerScanner / tool fingerprint (User-Agent)
header_injectionCRLF / response-splitting
request_smugglingHTTP request smuggling (CL/TE)

Each is enabled under its own [modules.<name>] table (all on by default in the sample config).

Anti-evasion normalization

Before a rule ever runs, input is folded into a canonical form so encoded attacks can't slip past: double-encoding-aware percent-decoding, Unicode NFKC, and a pipeline-wide overlong-collapse. A derived decode-then-match-then-discard channel also covers base64, HTML entities, tag/control stripping and VBScript concatenation, across multipart, JSON leaves and cookies.

Structural protocol validation

GraphQL and gRPC operations are validated on their shape — query depth, alias / field / directive counts, batch size, message size and nesting — not just their content. These are structural caps (a reject, not a score), opt-in per endpoint. Injection inside a field flows through the same normalization and scoring as any other input.

Importing CRS / ModSecurity rules

The core ships a seclang parser and subset evaluator, so you can load OWASP CRS or your own SecRule files as a module via [modules.crs]. A boot-time report lists any rules skipped as outside the supported subset.

Extending with WASM

A Proxy-Wasm runtime (on wasmi) loads a .wasm filter as a module, with fuel and memory caps and a fail-closed posture. The runtime is open; signature verification and a plugin marketplace are enterprise features.