API Gateways like Apache APISIX are fast and flexible — but they’re not built to stop every attack.
If you’re exposing APIs to the internet, you’ll face SQL injection, XSS, SSRF, and bot traffic sooner or later.
That’s where SafeLine WAF comes in. Starting with APISIX v3.5.0, you can integrate SafeLine directly via the chaitin-waf plugin to inspect and block malicious requests in real time.
Why Add a WAF to Your API Gateway?
APISIX handles load balancing, routing, and observability. But on its own, it can’t tell if this request is an attack:
POST /login
username=admin' OR '1'='1
With SafeLine WAF, that request gets stopped instantly:
{
  "code": 403,
  "message": "blocked by Chaitin SafeLine Web Application Firewall"
}
No false positives. No regex headaches. Just semantic-level attack detection.
Quick Integration (APISIX + SafeLine)
1. Configure SafeLine in TCP mode
Edit detector.yml:
bind_addr: 0.0.0.0
listen_port: 8000
Expose it in compose.yaml:
ports:
- 8000:8000
Restart SafeLine:
docker compose down && docker compose up -d
2. Run APISIX (Docker)
git clone https://github.com/apache/apisix-docker
cd apisix-docker/compose
echo 'APISIX_DOCKER_TAG=3.5.0-debian' >> .env
docker compose -f docker-compose-release.yaml up -d
3. Connect APISIX to SafeLine
curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  -X PUT -d '
{
  "nodes": [
    {"host": "192.168.99.11", "port": 8000}
  ]
}'
4. Protect Your Routes
curl http://127.0.0.1:9180/apisix/admin/routes/1 \
  -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  -X PUT -d '
{
  "uri": "/*",
  "plugins": { "chaitin-waf": {} },
  "upstream": {
    "type": "roundrobin",
    "nodes": {"192.168.99.12:80": 1}
  }
}'
Test It Out
Normal request works:
curl 'http://127.0.0.1:9080/'
SQL injection attempt is blocked:
curl 'http://127.0.0.1:9080/' -d 'a=1 and 1=1'
Result:
{
  "code": 403,
  "message": "blocked by Chaitin SafeLine Web Application Firewall"
}
And yes — you’ll see the event logged in SafeLine’s dashboard.
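The two manual checks above can be turned into a repeatable smoke test that also catches the case where the route answers but SafeLine is not inspecting it. This is an added example, not code from the original post or from the APISIX or SafeLine projects; the function names (`classify`, `fetch`, `verdict`, `smoke_test`) are hypothetical, and it assumes the gateway address and the 403 body shown above.

```python
import json
import urllib.error
import urllib.request

# Block message exactly as shown in the page's 403 response body.
WAF_MESSAGE = "blocked by Chaitin SafeLine Web Application Firewall"

def classify(status, body):
    """Label one gateway response: 'waf-block', 'passed' or 'other'."""
    if status == 403:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other"  # a 403 that did not come from SafeLine
        if isinstance(doc, dict) and doc.get("code") == 403 \
                and doc.get("message") == WAF_MESSAGE:
            return "waf-block"
        return "other"
    return "passed" if 200 <= status < 400 else "other"

def fetch(url, data=None):
    """Send one request; return (status, body). Status 0 means no connection."""
    try:
        with urllib.request.urlopen(url, data=data, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except OSError:  # refused connection, DNS failure, timeout
        return 0, ""

def verdict(benign, attack):
    """Turn the two probe labels into a single finding."""
    if benign != "passed":
        return "FAIL: benign request did not get through (%s)" % benign
    if attack == "passed":
        return "FAIL: probe reached the upstream, WAF is not inspecting this route"
    if attack != "waf-block":
        return "FAIL: probe was rejected, but not by SafeLine"
    return "OK"

def smoke_test(base="http://127.0.0.1:9080/"):
    """Replay the page's two test requests against the gateway (assumed address)."""
    benign = classify(*fetch(base))
    attack = classify(*fetch(base, data=b"a=1 and 1=1"))
    return verdict(benign, attack)

if __name__ == "__main__":
    print(smoke_test())
```

Run it after every route or plugin_metadata change; anything other than `OK` means the route needs attention before it is exposed.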
Why Developers Love This Setup
- APISIX → blazing fast API gateway
- SafeLine WAF → deep semantic security engine
- One integration → stops SQLi, XSS, SSRF, RCE, bots, and more
No external cloud dependency. 100% open source. Developer-friendly.
Try It Yourself
Don’t just take our word for it. Try SafeLine and test it against real-world payloads.
- GitHub: https://github.com/chaitin/SafeLine
- Docs: https://docs.waf.chaitin.com/
- Discord Community: https://discord.gg/dy3JT7dkmY
Top comments (1)
Great breakdown on API security! Combining APISIX with SafeLine definitely makes sense for modern infrastructures. While reading, it reminded me how important structured records and transparency are in different sectors. For example, Records Canyon County Roaster also highlights how legal systems manage sensitive information for public access.