SafeLine
Self-hosted WAF with a custom semantic detection engine and ML-powered threat analysis that blocks web attacks without cloud dependency.
SafeLine is a self-hosted Web Application Firewall (WAF) that acts as a reverse proxy to shield web applications from malicious HTTP traffic. Deployed by over 180,000 teams worldwide, it protects against SQL injection, XSS, RCE, XXE, SSRF, path traversal, bot abuse, and HTTP flood DDoS by combining a proprietary semantic analysis engine with Nginx-based edge traffic interception.
Unlike signature-based WAFs that rely on static rule lists, SafeLine uses a custom C++ Finite State Automaton (FSA) compiler called yanshi to model attack patterns at a semantic grammar level — achieving 71.65% detection rate with only 0.07% false positives compared to ModSecurity’s 17.58% false positive rate at similar detection coverage.
Deployment is Docker-first with a seven-service compose stack covering management, detection, edge proxy, task scheduling, dynamic protection, and a chaos/bot-challenge service. A dedicated management API server handles rule publishing, traffic analytics, and authentication challenges with mandatory TOTP two-factor authentication. An optional MCP server exposes full WAF management to AI agents and automated toolchains.
What You Get
- Semantic Web Attack Detection - A custom C++ FSA compiler (yanshi) models SQL injection, XSS, RCE, SSRF, XXE, path traversal, and other OWASP Top 10 attacks at a grammar level rather than pattern matching, achieving 71.65% detection with only 0.07% false positives.
- Dynamic HTML & JS Encryption - Per-request encryption and obfuscation of HTML and JavaScript code in server responses, making client-side exploitation, scraping, and content theft significantly harder without changing how legitimate users experience the site.
- Anti-Bot CAPTCHA Challenge - Interactive challenge-response system that distinguishes human users from automated crawlers and bots, allowing humans through while silently blocking scrapers and credential stuffing bots.
- HTTP Flood & DDoS Rate Limiting - Granular per-URL rate limiting with IP-based throttling to mitigate HTTP flood and brute force attacks, with support for independent policies at the endpoint level for fine-grained traffic control.
- Authentication Challenge Gate - Optional password gate placed in front of any protected application, blocking all access until the visitor supplies a shared secret — useful for staging environments and private tools.
- Web Access Control Lists - Rule-based traffic controls based on IP address, geographic region, user agent, JA4 TLS fingerprint, and other request attributes for granular allow/deny logic.
- Attack Log Export & Alerting - Structured attack event logs with export capability and real-time alerts via Discord and Telegram, including JA4 fingerprint visibility in attack details for attacker attribution.
- MCP Server for AI-Driven Management - A native Model Context Protocol server that exposes complete WAF management and configuration APIs to AI agents, enabling automated security policy management and AI-assisted incident response.
- Multi-Protocol SDK Integrations - Native integration libraries for Kong, Nginx (lua-resty-t1k), Traefik, and ingress-nginx, allowing SafeLine’s detection engine to be embedded directly into existing reverse proxy infrastructure.
Common Use Cases
- Protecting public SaaS APIs - A SaaS provider deploys SafeLine in front of REST and GraphQL endpoints to block SQL injection probes, credential stuffing, and RCE exploit attempts using semantic analysis without tuning hundreds of custom regex rules.
- Securing e-commerce storefronts - An online retailer routes all web traffic through SafeLine to block bot-driven cart abuse, payment scraping, and XSS attacks during high-traffic events while using dynamic JS encryption to prevent client-side data theft.
- Hardening internal developer tools - A development team exposes Grafana, Kibana, and internal dashboards through SafeLine with authentication challenge enabled, adding a credential gate without modifying the underlying applications.
- Replacing cloud WAF for compliance - A financial services firm moves off a managed cloud WAF to SafeLine deployed on-premises, maintaining full traffic log custody for compliance audits while cutting per-request WAF licensing costs.
- AI-automated security policy management - A security team uses SafeLine’s MCP server to allow their AI operations platform to automatically update block rules, query attack logs, and generate incident reports without human dashboard access.
Under The Hood
Architecture SafeLine follows a microservice decomposition pattern where each concern is handled by a dedicated, isolated container: the management service (mgt) owns configuration, API, and user authentication; the detector service runs the semantic analysis engine; tengine (a hardened Nginx fork) handles edge traffic; luigi manages scheduled tasks and log pipeline work; fvm provides the bytecode runtime for detection rules; chaos handles bot challenges and dynamic protection; and PostgreSQL serves as the shared state store. These services communicate over a private Docker bridge network with fixed IP addresses, with the edge proxy (tengine) running in host network mode to intercept actual client traffic while calling back to the detection and management services through the internal network. This strict separation means the detection logic can be updated without touching the edge proxy configuration, and the management plane remains fully isolated from the data plane.
Tech Stack The management server and task scheduler are written in Go using the Gin web framework, with PostgreSQL accessed through GORM and gRPC used for internal RPC between the controller daemon and the webserver. The edge proxy is Tengine, an Nginx fork maintained by Alibaba, with custom Lua modules implementing the detection API bridge. The semantic detection engine at the heart of the system is written in C++ and uses yanshi — a proprietary FSA (Finite State Automaton) compiler that generates automata capable of recognizing approximate context-free grammars, enabling it to model attack patterns that standard regex cannot express. The MCP server is a standalone Go service that exposes the management API as a Model Context Protocol endpoint for AI agent consumption. Deployment is orchestrated entirely through Docker Compose with environment-variable-driven configuration.
Code Quality The Go management codebase follows conventional layered structure with clear separation between API handlers, models, middleware, and pkg utilities. Error handling uses structured error types from internal packages with explicit logging at boundaries. The yanshi C++ detection engine has a dedicated unit test suite covering core FSA operations including determinization, minimization, intersection, union, and difference — the most critical correctness-sensitive components. The MCP server includes schema validation tests. However, the Go management layer lacks a test suite beyond integration paths exercisable through CLI flags, and linting configuration is not visible in the repository. Authentication is handled with TOTP via the pquerna/otp library with client-server timestamp reconciliation to handle clock skew in time-bounded OTP validation.
What Makes It Unique The most technically distinctive element is yanshi, the project’s custom C++ FSA compiler that generates finite state automata capable of approximating context-free grammar recognition. This allows SafeLine to detect attack payloads embedded within complex nested structures — like SQL injections hidden inside JSON, Base64, or XML encoding — that signature-based WAFs miss because they cannot model the compositional structure of encoded attack vectors. The result is the unusually low 0.07% false positive rate at detection coverage that exceeds ModSecurity’s level-1 ruleset. Additionally, the MCP server integration is a genuinely forward-looking addition that positions SafeLine for AI-driven security operations — a pattern that commercial WAF vendors have not yet standardized.
Self-Hosting
SafeLine is released under the GNU General Public License v3.0. The GPL-3.0 is a strong copyleft license: you can use, modify, and distribute SafeLine freely, including in commercial environments, but if you distribute modified versions of the software you must release those modifications under the same GPL-3.0 terms. For most self-hosting scenarios — running SafeLine internally to protect your own web applications — copyleft obligations are not triggered, since you are not distributing the software to third parties. If you build a managed WAF service using SafeLine and distribute it to customers, you would need to make source modifications available.
Running SafeLine yourself requires Docker and Docker Compose as the minimum baseline. The full production stack deploys seven containers (management, detector, tengine edge proxy, luigi task scheduler, fvm bytecode runtime, chaos bot-challenge service, and PostgreSQL) across a private Docker bridge network. You are responsible for keeping containers updated as new releases ship (approximately every 2-3 weeks), managing the PostgreSQL database backups, provisioning TLS certificates, and monitoring service health. The commits_per_month metric from the GitHub API currently reports 0 (the repository uses tagged releases rather than frequent branch commits), but the release history shows consistent active development with over 100 releases since 2023 and the latest version released in June 2026.
SafeLine CE is the community edition — the version available in this repository. The project references Pro and Lite editions with additional capabilities including advanced traffic analysis dashboards, higher application limits, JA4 enhanced intelligence, dark theme for analytics, and expanded SSO user seat counts. These tiers appear to be available through the vendor’s managed offering. As a self-hoster on CE, you get the full detection engine and core WAF features but without the additional analytics depth, cluster/HA management tooling, and support SLAs that a paid managed tier would include. The Discord community and GitHub issues are the primary support channels for self-hosted deployments.
Related Apps
Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.
Traefik
MITVaultwarden
Password Manager · Security
Unofficial Bitwarden-compatible server in Rust — run the full Bitwarden ecosystem on a Raspberry Pi using every official client you already have, without the multi-container overhead.