Tired of maintaining endless regex rules in traditional WAFs? Meet SafeLine, a free and open source Web Application Firewall with a semantic detection engine, dynamic protection, and over 16.4K GitHub stars. Itβs built for real-world attacksβand it's free and open-source.
π Dynamic Protection: Scramble Your Frontend, Every Time
SafeLine can dynamically obfuscate HTML and JS on each page load, making your source code unreadable to crawlers and bots.
-
/admin/loginbecomes a random encrypted path like/a8c9f1, and changes every refresh - Real users see no difference. Crawlers see... nothing.
π§ͺ BurpSuite Test Result:
Crawler blocked from indexing. Browser loads normally. Extra latency: ~1ms.
π‘ You can apply this selectively:
- Encrypt only admin paths
- Whitelist static files (CSS/JS) to avoid layout issues
π€ Bot Blocking That Actually Works
SafeLine doesn't rely on User-Agent headers. It verifies browser behavior:
- JS execution
- Fingerprinting
- Mouse movement
π« Bots fail.
β
Humans pass once, then proceed freely.
π§ͺ Tested: A Python script was blocked after 3 requests. The IP was locked for 30 mins. No CAPTCHA required.
You can tweak thresholds and customize the lock screen.
π§ Semantic Detection: Not Just Rule Matching
SafeLine doesnβt use static signatures. It understands what the payload is trying to do.
- Detects SQL injection like
1 AND 1=1, even if obfuscated - Blocks XSS via DOM-aware context, not pattern matching
π§ͺ Benchmark:
- 33,669 requests tested
- 575 malicious payloads
- β Detection rate: 71.65%
- β False positives: 0.07%
- β‘ Avg Latency: 1ms, >2000 TPS per core
𧱠Security for Admin Panel Access
- RBAC: Give ops read-only, engineers full control
- 2FA: TOTP-based, works with Microsoft Authenticator
-
CLI fallback:
docker exec safeline-mgt resetadminif you lose 2FA
π¬ Real-World Lab: WebGoat + SafeLine
docker run -d -p 8080:8080 registry.cn-shanghai.aliyuncs.com/kubesec/webgoat:v2023.8
Then reverse-proxy it via SafeLine under webgoat.test.
π§ͺ Test Attacks
- SQLi:
?id=1 UNION SELECT * FROM usersβ Blocked - XSS:
<img src=x onerror=alert(1)>β Blocked
β οΈ Troubleshooting Tips
| Issue | Fix |
|---|---|
| 502 Bad Gateway | Check upstream config and container networking |
| Broken UI | Whitelist static JS/CSS from encryption |
| Wrong IP in logs | Set CDN IPs as trusted to log real attacker IPs |
π Hardware: 2C/4G recommended for <1ms latency.
π Final Thoughts
SafeLine isn't just another regex-based WAF. It's:
- Free & open source
- No signature maintenance
- Semantic detection that works
- Handles 2000+ TPS/core
If you're running a self-hosted app or CTF challenge, this is the WAF to try.
π Links
- π GitHub Repository
- π Official Docs
- π¬ Discord Community
Top comments (0)