ScalixScalix Docs
Sign up

WAF

Web Application Firewall for request inspection and blocking

Overview

The Scalix WAF inspects incoming requests at the gateway layer. It provides protection against common web attacks including SQL injection, XSS, and request flooding.

Features

  • Request inspection — analyze headers, path, and body size
  • IP blocking — block specific IPs and CIDR ranges
  • Path and header matching — regex rules against request paths and header values
  • SQL injection & XSS detection — built-in pattern rules you can enable per project
  • Custom rules — combine a match pattern with a Block or Log action

Rule actions are Block (deny with 403) and Log (record only). Rate-limiting and geo-blocking rules are not yet enforced by the WAF engine, so the API rejects them rather than accepting configuration that would silently do nothing — use the platform's built-in per-key rate limits for throttling in the meantime.

Built-in Protection

The WAF automatically protects against:

Attack TypeProtection
SQL InjectionQuery pattern analysis
XSSScript tag detection
Large PayloadsRequest size limits

Separately from WAF rules, the gateway applies per-API-key rate limits (429 responses) on all authenticated routes.

Configuration

WAF rules are configured at the project level through the API or console, and persist across platform restarts. Rules only ever apply to your own project's traffic.