Coraza WAF (OWASP CRS)
The embedded ModSecurity-style WAF engine — OWASP Core Rule Set, paranoia levels, anomaly thresholds, and custom SecLang directives.
JWT
Static-key bearer JWT validation with a hard algorithm allow-list, mandatory expiry, and required-claims enforcement.
JWKS
Bearer JWT validation against a JWK Set (local file or remote URL) with key rotation, background refresh, and no request-path network I/O.
API Key
SHA-256-hashed API keys from a header or query parameter, with per-key scopes and scope-to-path bindings.
HMAC Signing
Native HMAC request signing with a timestamp window, nonce replay protection, key-id rotation, and optional body-digest binding.
HTTP Message Signatures
RFC 9421 HTTP Message Signature verification (hmac-sha256) with covered-component control, content-digest body binding, and freshness enforcement.
mTLS Identity (XFCC)
Authenticate by the mTLS client-certificate identity Envoy forwards in x-forwarded-client-cert — SPIFFE/DNS SANs, subjects, or fingerprints.
IP Reputation
Source-IP blocking by CIDR allow/deny lists, on-disk threat-intelligence feeds, and GeoIP country/ASN rules.
Rate Limiting
The sharded token-bucket rate limiter — per-IP, per-host, or per-header keys, burst control, and 429 responses with Retry-After.
Bot Detection
The layered bot/scanner scorer — verified-crawler checks, User-Agent rules, JA3/JA4 TLS fingerprints, and header-anomaly heuristics.
GraphQL Guard
Query-shape DoS protection for GraphQL — depth, alias, field, and batch limits, introspection blocking, and always-on complexity backstops.
OpenAPI Validation
Positive security — validate every request against an OpenAPI 3.x contract and block anything the spec doesn't declare.