Tired of maintaining endless regex rules in traditional WAFs? Meet SafeLine, a free and open source Web Application Firewall with a semantic detection engine, dynamic protection, and over 16.4K GitHub stars. It’s built for real-world attacks—and it's free and open-source.
🔄 Dynamic Protection: Scramble Your Frontend, Every Time
SafeLine can dynamically obfuscate HTML and JS on each page load, making your source code unreadable to crawlers and bots.
-
/admin/loginbecomes a random encrypted path like/a8c9f1, and changes every refresh - Real users see no difference. Crawlers see... nothing.
🧪 BurpSuite Test Result:
Crawler blocked from indexing. Browser loads normally. Extra latency: ~1ms.
💡 You can apply this selectively:
- Encrypt only admin paths
- Whitelist static files (CSS/JS) to avoid layout issues
🤖 Bot Blocking That Actually Works
SafeLine doesn't rely on User-Agent headers. It verifies browser behavior:
- JS execution
- Fingerprinting
- Mouse movement
🚫 Bots fail.
✅ Humans pass once, then proceed freely.
🧪 Tested: A Python script was blocked after 3 requests. The IP was locked for 30 mins. No CAPTCHA required.
You can tweak thresholds and customize the lock screen.
🧠 Semantic Detection: Not Just Rule Matching
SafeLine doesn’t use static signatures. It understands what the payload is trying to do.
- Detects SQL injection like
1 AND 1=1, even if obfuscated - Blocks XSS via DOM-aware context, not pattern matching
🧪 Benchmark:
- 33,669 requests tested
- 575 malicious payloads
- ✅ Detection rate: 71.65%
- ❌ False positives: 0.07%
- ⚡ Avg Latency: 1ms, >2000 TPS per core
🧱 Security for Admin Panel Access
- RBAC: Give ops read-only, engineers full control
- 2FA: TOTP-based, works with Microsoft Authenticator
-
CLI fallback:
docker exec safeline-mgt resetadminif you lose 2FA
🔬 Real-World Lab: WebGoat + SafeLine
docker run -d -p 8080:8080 registry.cn-shanghai.aliyuncs.com/kubesec/webgoat:v2023.8
Then reverse-proxy it via SafeLine under webgoat.test.
🧪 Test Attacks
- SQLi:
?id=1 UNION SELECT * FROM users→ Blocked - XSS:
<img src=x onerror=alert(1)>→ Blocked
⚠️ Troubleshooting Tips
| Issue | Fix |
|---|---|
| 502 Bad Gateway | Check upstream config and container networking |
| Broken UI | Whitelist static JS/CSS from encryption |
| Wrong IP in logs | Set CDN IPs as trusted to log real attacker IPs |
🛠 Hardware: 2C/4G recommended for <1ms latency.
🚀 Final Thoughts
SafeLine isn't just another regex-based WAF. It's:
- Free & open source
- No signature maintenance
- Semantic detection that works
- Handles 2000+ TPS/core
If you're running a self-hosted app or CTF challenge, this is the WAF to try.
Top comments (2)
Hey, nice post!
Thanks a lot!