22 docs tagged with "shield"

Anomaly Scoring

Combine weak signals from multiple engines into one collaborative per-request score and block only when the total crosses a policy threshold.

API Key

SHA-256-hashed API keys from a header or query parameter, with per-key scopes and scope-to-path bindings.

Body Inspection & Limits

Enabling request/response body buffering, size and time limits, and the always-on structural protections — truncation guard, content decoding, and the process-wide body budget.

Bot Detection

The layered bot/scanner scorer — verified-crawler checks, User-Agent rules, JA3/JA4 TLS fingerprints, and header-anomaly heuristics.

Built-in Checks & Pipeline Order

The built-in header and body checks, skip_checks exemptions, custom pipeline stage ordering, audit sampling, and per-policy log level.

Coraza WAF (OWASP CRS)

The embedded ModSecurity-style WAF engine — OWASP Core Rule Set, paranoia levels, anomaly thresholds, and custom SecLang directives.

Data Loss Prevention (DLP)

Block hard secrets and redact PII in request or response bodies — kinds, block vs redact precedence, and how in-place redaction works mechanically.

Get Started with Shield

Write, deploy, and verify your first Shield policy in about 10 minutes — starting safely in detect mode.

GraphQL Guard

Query-shape DoS protection for GraphQL — depth, alias, field, and batch limits, introspection blocking, and always-on complexity backstops.

HMAC Signing

Native HMAC request signing with a timestamp window, nonce replay protection, key-id rotation, and optional body-digest binding.

How Shield Works

The request pipeline, header vs body phases, the five engine rules, always-on body protections, the source-IP trust model, and atomic hot reload.

HTTP Message Signatures

RFC 9421 HTTP Message Signature verification (hmac-sha256) with covered-component control, content-digest body binding, and freshness enforcement.

IP Reputation

Source-IP blocking by CIDR allow/deny lists, disk threat-intelligence feeds, and GeoIP country/ASN rules.

JWKS

Bearer JWT validation against a JWK Set (local file or remote URL) with key rotation, background refresh, and no request-path network I/O.

JWT

Static-key bearer JWT validation with a hard algorithm allow-list, mandatory expiry, and required-claims enforcement.

Modes & Fail Postures

What block, detect, shadow, and off actually do to a request; fail_open vs fail_close; and the recommended detect → shadow → block rollout.

mTLS Identity (XFCC)

Authenticate by the mTLS client-certificate identity Envoy forwards in x-forwarded-client-cert — SPIFFE/DNS SANs, subjects, or fingerprints.

OpenAPI Validation

Positive security — validate every request against an OpenAPI 3.x contract and block anything the spec doesn't declare.

Rate Limiting

The sharded token-bucket rate limiter — per-IP, per-host, or per-header keys, burst control, and 429 responses with Retry-After.

Shield: API Security Overview

Elchi Shield is a local Envoy ext_proc API-security and WAF sidecar — 12 security engines enforced entirely on the edge host, configured by files, hot-reloaded atomically.

Suggest a Shield Policy

Turn a discovered API inventory into a draft Shield SecurityPolicy — the bridge from API Discovery to API Security.

The SecurityPolicy Model

The Elchi Shield policy file format — envelope, domains, routes, match predicates, inheritance, and multi-file merge semantics.