16,400+ GitHub Stars: This Free WAF Is on Fire

SharonSharon
3 min read

Table of contents

Image description

Tired of maintaining endless regex rules in traditional WAFs? Meet SafeLine, a free and open source Web Application Firewall with a semantic detection engine, dynamic protection, and over 16.4K GitHub stars. It’s built for real-world attacks—and it's free and open-source.

Image description

🔄 Dynamic Protection: Scramble Your Frontend, Every Time

SafeLine can dynamically obfuscate HTML and JS on each page load, making your source code unreadable to crawlers and bots.

  • /admin/login becomes a random encrypted path like /a8c9f1, and changes every refresh

  • Real users see no difference. Crawlers see... nothing.

🧪 BurpSuite Test Result:
Crawler blocked from indexing. Browser loads normally. Extra latency: ~1ms.

Image description

💡 You can apply this selectively:

  • Encrypt only admin paths

  • Whitelist static files (CSS/JS) to avoid layout issues

🤖 Bot Blocking That Actually Works

SafeLine doesn't rely on User-Agent headers. It verifies browser behavior:

  • JS execution

  • Fingerprinting

  • Mouse movement

🚫 Bots fail.
Humans pass once, then proceed freely.

🧪 Tested: A Python script was blocked after 3 requests. The IP was locked for 30 mins. No CAPTCHA required.

You can tweak thresholds and customize the lock screen.

Image description

🧠 Semantic Detection: Not Just Rule Matching

SafeLine doesn’t use static signatures. It understands what the payload is trying to do.

  • Detects SQL injection like 1 AND 1=1, even if obfuscated

  • Blocks XSS via DOM-aware context, not pattern matching

🧪 Benchmark:

  • 33,669 requests tested

  • 575 malicious payloads

  • ✅ Detection rate: 71.65%

  • ❌ False positives: 0.07%

  • ⚡ Avg Latency: 1ms, >2000 TPS per core

Image description

🧱 Security for Admin Panel Access

  • RBAC: Give ops read-only, engineers full control

  • 2FA: TOTP-based, works with Microsoft Authenticator

  • CLI fallback: docker exec safeline-mgt resetadmin if you lose 2FA

🔬 Real-World Lab: WebGoat + SafeLine

docker run -d -p 8080:8080 registry.cn-shanghai.aliyuncs.com/kubesec/webgoat:v2023.8

Then reverse-proxy it via SafeLine under webgoat.test.

🧪 Test Attacks

  • SQLi: ?id=1 UNION SELECT * FROM users → Blocked

  • XSS: <img src=x onerror=alert(1)> → Blocked

Image description

⚠️ Troubleshooting Tips

IssueFix
502 Bad GatewayCheck upstream config and container networking
Broken UIWhitelist static JS/CSS from encryption
Wrong IP in logsSet CDN IPs as trusted to log real attacker IPs

🛠 Hardware: 2C/4G recommended for <1ms latency.

Image description

🚀 Final Thoughts

SafeLine isn't just another regex-based WAF. It's:

  • Free & open source

  • No signature maintenance

  • Semantic detection that works

  • Handles 2000+ TPS/core

If you're running a self-hosted app or CTF challenge, this is the WAF to try.

0
Subscribe to my newsletter

Read articles from Sharon directly inside your inbox. Subscribe to the newsletter, and don't miss out.

GitHubwebdevwebsecuritywafSafeLine

Written by

Sharon
Sharon