Anomaly Scoring
Combine weak signals from multiple engines into one collaborative per-request score and block only when the total crosses a policy threshold.
Author a WAF config in the two-pane editor — directive sets, the lint badge, CRS setup and demo includes, starter presets, the template builder, per-authority routing, metric labels, and the live .conf preview.
Browse the bundled OWASP Core Rule Set — filter by version, severity, phase, paranoia level, and tags; inspect rule detail; add rules or whole files in bulk.
Write, deploy, and verify your first Shield policy in about 10 minutes — starting safely in detect mode.
The request pipeline, header vs body phases, the five engine rules, always-on body protections, the source-IP trust model, and atomic hot reload.
Elchi's security posture in one place — identities and secrets, per-wire trust, RBAC and audit as controls, hardening, and what is encrypted or at rest.
Elchi Shield is a local Envoy ext_proc API-security and WAF sidecar — 12 security engines enforced entirely on the edge host, configured by files, hot-reloaded atomically.
Every WAF save is snapshotted — browse the History tab, diff any version against the current state, and restore a prior version in one click.
Elchi's standalone WAF — Coraza with the OWASP Core Rule Set, authored in the UI and delivered to Envoy as a WASM filter through the xDS snapshot.
The guided rule-building experience — write custom SecLang, exclude and tune CRS rules, set paranoia and anomaly thresholds, and stay within the WASM runtime's limits.
Self-service account management in Elchi — change your email and password, and enable or manage two-factor authentication for your own account.