Kong is a fast, cloud-native API gateway built to handle high-performance traffic routing, security, and observability for microservices. To further boost its security capabilities, you can integrate it with SafeLine WAF—a powerful open-source web application firewall.
In this guide, we’ll walk through how to install and configure the SafeLine plugin for Kong, test that it’s working, and block common attacks with ease.
Installing the SafeLine Plugin in Kong
Kong supports custom plugins written in Lua, which can be installed using LuaRocks. If you’ve installed Kong via the official package, luarocks should already be available on your system.
To install the SafeLine plugin:
luarocks install kong-safeline
Then, update your Kong configuration file (kong.conf) to enable the plugin:
plugins = bundled,safeline
This tells Kong to load both the default (bundled) plugins and the newly installed safeline plugin.
Finally, restart Kong to apply the changes:
kong restart
Configuring SafeLine for a Service
Once installed, you can enable the SafeLine plugin on specific services in Kong. You'll need to pass in the SafeLine detector host and port (as set up in your SafeLine deployment):
curl -X POST http://localhost:8001/services/{service}/plugins \
--data "name=safeline" \
--data "config.safeline_host=<detector_host>" \
--data "config.safeline_port=<detector_port>"
Make sure to replace {service}, <detector_host>, and <detector_port> with your actual service name and SafeLine configuration.
Testing SafeLine WAF with Kong
You can verify the WAF integration by simulating a basic attack. For example, try sending a SQL injection-like request:
curl -X POST "http://localhost:8000?1=1%20and%202=2"
If everything is set up correctly, you should receive a response like this:
{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "8b41a021ea9541c89bb88f3773b4da24"
}
You can also log into the SafeLine dashboard to view detailed information about the blocked request, including payload, headers, and risk classification.
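As an added example (not part of the original guide and not the SafeLine plugin's own code), the manual check above can be turned into a repeatable smoke test that tells a SafeLine block apart from any other 403. It assumes the proxy address and response format shown above; PROXY_URL, the --live flag, the function names and the benign query page=1 are hypothetical.

```shell
#!/bin/sh
# Added example: smoke test for the Kong + SafeLine setup (not the plugin's own code).
# Assumption: the proxy listens on localhost:8000 as in the guide; PROXY_URL overrides it.
PROXY_URL="${PROXY_URL:-http://localhost:8000}"

# Constructed sample: the block response shown in the guide, on one line.
SAMPLE_BLOCK='{"code": 403, "success": false, "message": "blocked by Chaitin SafeLine Web Application Firewall", "event_id": "8b41a021ea9541c89bb88f3773b4da24"}'

# event_id BODY -> prints the event_id field, or nothing if the body has none.
event_id() {
  printf '%s\n' "$1" | sed -n 's/.*"event_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# classify STATUS BODY -> prints "blocked", "not-blocked" or "other-403".
classify() {
  if [ "$1" != "403" ]; then
    echo "not-blocked"
  elif printf '%s\n' "$2" | grep -q 'blocked by Chaitin SafeLine' && [ -n "$(event_id "$2")" ]; then
    echo "blocked"
  else
    echo "other-403"   # a 403 from another plugin or the upstream, not from the WAF
  fi
}

# probe QUERY -> sends QUERY through the proxy and classifies the response.
probe() {
  tmp=$(mktemp) || return 1
  if status=$(curl -s -o "$tmp" -w '%{http_code}' -X POST "$PROXY_URL/?$1"); then
    classify "$status" "$(cat "$tmp")"
  else
    echo "error"       # gateway unreachable
  fi
  rm -f "$tmp"
}

# smoke_test -> succeeds only if a benign query passes and the guide's test query is blocked.
smoke_test() {
  [ "$(probe 'page=1')" = "not-blocked" ] || { echo "FAIL: benign request was not passed through"; return 1; }
  [ "$(probe '1=1%20and%202=2')" = "blocked" ] || { echo "FAIL: test query was not blocked by SafeLine"; return 1; }
  echo "OK: WAF is inline and blocking"
}

# Contact the gateway only when asked: sh waf_smoke.sh --live
if [ "${1:-}" = "--live" ]; then smoke_test; fi
```

Running it with --live after each Kong restart or plugin change catches the case where the plugin is no longer loaded or attached to the service, because the test query then comes back as not-blocked.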
Summary
By combining Kong Gateway and SafeLine WAF, you get the best of both worlds: modern, scalable API management with strong security controls.
This integration lets you:
- Block malicious traffic at the gateway level
- Monitor attacks through a centralized dashboard
- Improve your DevSecOps posture without rewriting applications
Whether you're running internal APIs or exposing public endpoints, adding SafeLine to your Kong deployment is a smart move toward better security.