SafeLine is a self-hosted Web Application Firewall (WAF) and reverse proxy designed to shield web applications from common and advanced web-based attacks. Built in Go, it acts as an intermediary between clients and your backend servers, filtering malicious HTTP/S traffic before it reaches your application. SafeLine is purpose-built for organizations seeking full control over their web security without relying on third-party cloud services. With over 180,000 installations and protection for more than a million websites, it offers enterprise-grade detection accuracy (up to 99.45%) and low false positives, making it suitable for production environments.
Unlike cloud-based WAFs that require data to leave your infrastructure, SafeLine runs entirely on your own servers. This makes it ideal for compliance-sensitive industries, private networks, or teams wanting to avoid vendor lock-in. Its modular design supports real-time attack blocking, dynamic HTML/JS encryption, bot challenges, authentication gates, and IP-based rate limiting—all configurable via a simple dashboard or configuration files.
What You Get
- Block Web Attacks - Defends against SQL injection, XSS, OS command injection, CRLF, XXE, SSRF, path traversal, LDAP injection, and RCE by inspecting HTTP requests against a comprehensive rule set derived from CVEs and known exploit patterns.
- Rate Limiting - Prevents DoS attacks, brute force attempts, and traffic surges by enforcing request thresholds per IP address or endpoint; configurable with custom time windows and action policies (block, challenge, log).
- Anti-Bot Challenge - Presents interactive CAPTCHA challenges to suspected bots; legitimate users pass seamlessly while automated crawlers and scrapers are blocked without requiring API keys or user-agent filtering.
- Authentication Challenge - Requires visitors to enter a pre-configured password before accessing protected content, useful for staging environments or private APIs without full OAuth integration.
- Dynamic HTML & JS Protection - Encrypts and obfuscates HTML and JavaScript code on the fly for each client request, making it harder for attackers to analyze the page or inject malicious scripts via DOM manipulation.
- Web Access Control List (ACL) - Allows fine-grained control over which IPs, user agents, or referrers are permitted or denied access to specific endpoints or entire applications.
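The rate-limiting and ACL features listed above, shown as an added Go example that is not SafeLine's code and does not reproduce its configuration format: a per-IP fixed-window limiter carrying the three action policies the list names (block, challenge, log), placed behind an IP deny-list and wrapped as a standard net/http middleware so it can sit in front of any backend handler. Every name here (RateLimiter, ACL, Protect, Send, the /challenge path, the 10.0.0.0/8 deny entry and the 203.0.113.7 client address) is constructed for the illustration.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Action is the policy applied to a client that exceeds its request budget.
type Action int

const (
	ActionLog       Action = iota // let the request through, record the event
	ActionChallenge               // divert the client to an interactive challenge
	ActionBlock                   // reject the request outright
)

type bucket struct {
	start time.Time
	n     int
}

// RateLimiter counts requests per source IP in fixed windows of Window length;
// Clock is injectable so window expiry can be exercised without real waiting.
type RateLimiter struct {
	mu     sync.Mutex
	Limit  int
	Window time.Duration
	Action Action
	Clock  func() time.Time
	hits   map[string]bucket
}

// Allow records a request from ip and reports whether it is within budget;
// a bucket older than Window is reset before the request is counted.
func (rl *RateLimiter) Allow(ip string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	if rl.hits == nil {
		rl.hits = map[string]bucket{}
	}
	now, b := rl.Clock(), rl.hits[ip]
	if now.Sub(b.start) >= rl.Window {
		b = bucket{start: now}
	}
	b.n++
	rl.hits[ip] = b
	return b.n <= rl.Limit
}

// ACL denies requests whose source address falls inside any listed network.
type ACL struct{ DenyNets []*net.IPNet }

func (a *ACL) Denied(ip string) bool {
	parsed := net.ParseIP(ip) // nil if unparsable; IPNet.Contains(nil) is false
	for _, n := range a.DenyNets {
		if n.Contains(parsed) {
			return true
		}
	}
	return false
}

// Protect runs the ACL and then the rate limiter in front of backend; an ACL
// denial is answered before it consumes any of the client's budget.
func Protect(acl *ACL, rl *RateLimiter, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
		if acl.Denied(ip) {
			http.Error(w, "forbidden by ACL", http.StatusForbidden)
			return
		}
		if !rl.Allow(ip) {
			switch rl.Action {
			case ActionBlock:
				http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
				return
			case ActionChallenge: // stand-in for the CAPTCHA page a real WAF would serve
				http.Redirect(w, r, "/challenge", http.StatusFound)
				return
			}
			log.Printf("rate limit exceeded for %s (log-only policy)", ip) // ActionLog
		}
		backend.ServeHTTP(w, r)
	})
}

// Send pushes one request from the given client address through h and returns
// the status code, so a policy can be checked without a listening server.
func Send(h http.Handler, ip string) int {
	req := httptest.NewRequest(http.MethodGet, "http://app.example/login", nil)
	req.RemoteAddr = ip + ":40000" // constructed client address
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	_, denied, _ := net.ParseCIDR("10.0.0.0/8") // constructed deny-list entry
	h := Protect(&ACL{DenyNets: []*net.IPNet{denied}},
		&RateLimiter{Limit: 3, Window: 10 * time.Second, Action: ActionBlock, Clock: time.Now},
		http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	for i := 0; i < 5; i++ {
		log.Println(Send(h, "203.0.113.7")) // 200 200 200 429 429
	}
	log.Println(Send(h, "10.1.2.3")) // 403
}
```

The ACL check runs before the limiter on purpose: a denied address never consumes budget, so a deny-listed scanner cannot push a shared NAT address over its limit. The fixed window is the simplest policy that shows the three actions; a sliding window or token bucket would slot into Allow without touching Protect.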
Common Use Cases
- Building a public-facing SaaS dashboard - Protects admin panels and user portals from automated SQL injection scans and credential stuffing attacks without modifying application code.
- Securing an API gateway for microservices - Acts as a reverse proxy to enforce rate limits, block malformed requests, and filter out malicious payloads before they reach backend services.
- Stopping bot-driven form spam on a WordPress site - SafeLine's Anti-Bot Challenge blocks automated comment bots and form fillers using CAPTCHA, reducing spam by 98% without requiring plugins or database changes.
- Protecting legacy apps that no longer receive security patches - A DevOps team deploys SafeLine in front of outdated PHP or ASP.NET applications to provide modern WAF protections without refactoring or upgrading the underlying codebase.
Under The Hood
The project is a modular, multi-service security solution designed for web application protection, integrating policy enforcement across diverse gateway platforms like NGINX and Kong. It leverages a combination of Go, Lua, and C++ to deliver low-level request inspection and mitigation capabilities while maintaining extensibility through SDKs and plugin frameworks.
Architecture
This system adopts a service-oriented architecture with distinct modules handling specific responsibilities such as policy control, API management, and rule enforcement.
- Services are organized into tcontrollerd, webserver, and mcp_server with well-defined roles and communication paths
- Inter-service communication is facilitated through gRPC and REST APIs, enabling a layered data flow from API to model to RPC
- Middleware and shared utilities support cross-cutting concerns and promote reusable components across the system
Tech Stack
Built primarily in Go, with supporting components in Lua and C++, the project integrates modern backend tools and frameworks for microservices.
- The core is developed in Go, with Lua used for custom filtering and C++ for performance-critical operations
- Key dependencies include GORM for database interaction, resty for HTTP clients, and custom internal packages for core logic
- Development uses Docker, Makefiles, and proto generation scripts to support orchestration and dependency management
- Testing practices are present across modules, though not uniformly structured or documented
Code Quality
Code quality varies across the system, with some modules showing good structure and error handling while others exhibit inconsistency and technical debt.
- Testing efforts are present but not comprehensive, with limited coverage in core logic and no clearly defined testing framework
- Error handling is consistently applied across components, though practices differ between Go and Python modules
- Code style and naming conventions are inconsistent, with some modules following clear patterns while others lack structure
- Signs of duplicated logic and unclear module boundaries suggest moderate technical debt in parts of the codebase
What Makes It Unique
This project takes a distinctive approach to web security by combining Lua-based filtering with multi-gateway support and an extensible plugin architecture.
- Policy enforcement is unified across NGINX, Kong, and custom Lua filters, enabling consistent protection from edge to backend
- The lua-resty-t1k filtering engine allows for low-level request inspection without traditional proxy overhead
- A cross-language SDK ecosystem supports integration in diverse environments and enables third-party extensibility
- The modular design allows deployment flexibility across various infrastructure layers while maintaining consistent security policies