SafeLine is a self-hosted Web Application Firewall (WAF) that acts as a reverse proxy to shield web applications from malicious HTTP traffic. Designed for developers and DevOps teams, it protects against common web exploits like SQL injection, XSS, RCE, path traversal, and bot-driven attacks without requiring any cloud dependency. With over 180,000 installations and 30B daily requests handled, it’s built for production use.
Built on Nginx and Go, SafeLine integrates ML-powered semantic analysis for threat detection, dynamic code obfuscation, IP-based rate limiting, and authentication challenges. It supports deployment via Docker, binary, or Helm, and offers a unified dashboard for managing multiple web apps with real-time attack logs and exportable analytics.
What You Get
- Intelligent Web Threat Detection - Uses ML-powered semantic analysis to detect SQL injection, XSS, RCE, XXE, SSRF, path traversal, and other OWASP Top 10 threats with a 99.995% detection rate and a 0.007% false positive rate.
- Dynamic HTML & JS Encryption - Automatically obfuscates and encrypts HTML and JavaScript code on the fly during each request, making client-side exploitation and scraping significantly harder.
- Anti-Bot Challenge with CAPTCHA - Blocks malicious crawlers and bots using interactive CAPTCHA verification while allowing legitimate human users to proceed seamlessly.
- HTTP Flood & DDoS Protection - Implements intelligent traffic orchestration and rate limiting to mitigate HTTP flood attacks and prevent service degradation during traffic surges.
- Authentication Challenge - Requires visitors to enter a password before accessing protected web apps, adding an extra layer of identity verification for sensitive endpoints.
- Web Access Control Lists (ACLs) - Defines granular rules to allow or block traffic based on IP addresses, user agents, or geographic regions for fine-grained access control.
- Attack Logs Export & Notifications - Exports attack logs in structured formats and sends real-time alerts via Discord and Telegram for proactive incident response.
- Geo-Blocking - Blocks traffic from specific countries to comply with data residency laws or reduce attack surface from high-risk regions.
Common Use Cases
- Securing e-commerce payment gateways - An online retailer uses SafeLine to block bot-driven cart abuse, credit card scraping, and SQL injection attempts during Black Friday sales with dynamic JS encryption and rate limiting.
- Protecting SaaS APIs - A SaaS provider deploys SafeLine in front of their REST and GraphQL endpoints to prevent API abuse, RCE exploits, and credential stuffing attacks using ML-based anomaly detection.
- Hardening content delivery platforms - A media company uses SafeLine to stop unauthorized content scraping and geo-restricted access violations with IP-based ACLs and dynamic code obfuscation.
- Self-hosting enterprise web apps - A financial institution runs SafeLine on-premises to secure internal dashboards and admin panels without relying on third-party cloud WAFs, using authentication challenges and attack log exports for compliance.
Under The Hood
Architecture
- Microservice architecture with clearly separated components including management, detection, virtual machine runtime, edge gateway, and workflow scheduler, each running in isolated containers with defined network boundaries
- Layered communication model enforces separation of control and data planes, with the edge gateway routing control traffic while detection and runtime components communicate via internal endpoints
- Modular deployment units with dedicated volumes for logs, configurations, and sockets ensure state isolation and prevent cross-service contamination
- Frontend UI decoupled from backend via API gateway, with versioned releases and environment-aware image tagging supporting rolling updates and backward compatibility
Tech Stack
- Go-based microservices communicating through internal APIs and Unix sockets for low-latency inter-process communication
- PostgreSQL serving as the centralized state store with structured migrations and connection pooling configured via environment variables
- Nginx-based reverse proxy with custom modules for traffic routing, caching, and security enforcement at the edge
- Docker Compose orchestrates multi-container deployment with health checks and volume-mounted configurations for consistent environments
- Luigi workflow scheduler integrated for automated task execution, persisting state through the same database as the management layer
Code Quality
- Test suites lack structured frameworks, relying on imperative main functions with embedded test data and no assertion libraries
- Code organization follows procedural patterns with monolithic test files that mix data, logic, and output, violating separation of concerns
- Error handling depends on low-level system calls and assertions without recoverable error states or custom exception types
- Inconsistent naming conventions and cryptic abbreviations reduce code readability and onboarding efficiency
- Limited type safety with heavy use of raw integers and absence of static analysis or linting tools increases risk of runtime errors
What Makes It Unique
- Real-time WAF telemetry system that correlates attack events across distributed nodes with automated false positive reporting
- Two-layer detection architecture that separates basic event metadata from detailed analysis logs for scalable processing
- Time-bound OTP validation with client-server timestamp reconciliation to prevent replay attacks without external time services
- Centralized API client with singleton pattern and dynamic configuration for secure, authenticated edge-to-management communication
- Built-in telemetry framework that auto-serializes detection events into standardized JSON schemas for seamless analytics integration
- Mandatory TFA binding enforced at first login with dynamic QR generation tied to persistent user state, eliminating configurable bypasses