WAF
Web Application Firewall for request inspection and blocking
Overview
The Scalix WAF inspects incoming requests at the gateway layer. It provides protection against common web attacks including SQL injection, XSS, and request flooding.
Features
- Request inspection — analyze headers, path, and body size
- IP blocking — block specific IPs and CIDR ranges
- Path and header matching — regex rules against request paths and header values
- SQL injection & XSS detection — built-in pattern rules you can enable per project
- Custom rules — combine a match pattern with a Block or Log action
Rule actions are Block (deny with 403) and Log (record only). Rate-limiting and geo-blocking rules are not yet enforced by the WAF engine, so the API rejects them rather than accepting configuration that would silently do nothing — use the platform's built-in per-key rate limits for throttling in the meantime.
Built-in Protection
The WAF automatically protects against:
| Attack Type | Protection |
|---|---|
| SQL Injection | Query pattern analysis |
| XSS | Script tag detection |
| Large Payloads | Request size limits |
Separately from WAF rules, the gateway applies per-API-key rate limits (429 responses) on all authenticated routes.
Configuration
WAF rules are configured at the project level through the API or console, and persist across platform restarts. Rules only ever apply to your own project's traffic.