Shield: API Security Overview
Elchi Shield is a local Envoy ext_proc API-security and WAF sidecar — 12 security engines enforced entirely on the edge host, configured by files, hot-reloaded atomically.
How Shield Works
The request pipeline, header vs body phases, the five engine rules, always-on body protections, the source-IP trust model, and atomic hot reload.
Get Started with Shield
Write, deploy, and verify your first Shield policy in about 10 minutes — starting safely in detect mode.
Policies
5 items
Security Engines
12 items
Anomaly Scoring
Combine weak signals from multiple engines into one collaborative per-request score and block only when the total crosses a policy threshold.
Using the UI
3 items
Deploying Policies to Edges
How a Shield policy travels from the UI to every edge — the merged bundle, the SHIELD_DEPLOY job, elchi-client's atomic file sync, and reload confirmation.
Wiring Shield into Envoy
The ext_proc cluster and filter configuration that connects Envoy to the Shield sidecar, plus the Envoy settings Shield's engines depend on.
Metrics, Audit & Health
Shield's full Prometheus metric set, the ClickHouse audit sink and its schema, metric delivery (scrape or OTLP push), and the loopback health endpoints.
CLI & Configuration Reference
Every elchi-shield command-line flag with its default and purpose, the ELCHI_SHIELD_* environment variables, the validate subcommand, and on-disk paths.