Anomaly Scoring
Combine weak signals from multiple engines into one collaborative per-request score and block only when the total crosses a policy threshold.
SHA-256-hashed API keys from a header or query parameter, with per-key scopes and scope-to-path bindings.
Enabling request/response body buffering, size and time limits, and the always-on structural protections — truncation guard, content decoding, and the process-wide body budget.
The layered bot/scanner scorer — verified-crawler checks, User-Agent rules, JA3/JA4 TLS fingerprints, and header-anomaly heuristics.
The built-in header and body checks, skip_checks exemptions, custom pipeline stage ordering, audit sampling, and per-policy log level.
The embedded ModSecurity-style WAF engine — OWASP Core Rule Set, paranoia levels, anomaly thresholds, and custom SecLang directives.
Block hard secrets and redact PII in request or response bodies — kinds, block vs redact precedence, and how in-place redaction works mechanically.
Write, deploy, and verify your first Shield policy in about 10 minutes — starting safely in detect mode.
Query-shape DoS protection for GraphQL — depth, alias, field, and batch limits, introspection blocking, and always-on complexity backstops.
Native HMAC request signing with a timestamp window, nonce replay protection, key-id rotation, and optional body-digest binding.
The request pipeline, header vs body phases, the five engine rules, always-on body protections, the source-IP trust model, and atomic hot reload.
RFC 9421 HTTP Message Signature verification (hmac-sha256) with covered-component control, content-digest body binding, and freshness enforcement.
Source-IP blocking by CIDR allow/deny lists, disk threat-intelligence feeds, and GeoIP country/ASN rules.
Bearer JWT validation against a JWK Set (local file or remote URL) with key rotation, background refresh, and no request-path network I/O.
Static-key bearer JWT validation with a hard algorithm allow-list, mandatory expiry, and required-claims enforcement.
What block, detect, shadow, and off actually do to a request; fail_open vs fail_close; and the recommended detect → shadow → block rollout.
Authenticate by the mTLS client-certificate identity Envoy forwards in x-forwarded-client-cert — SPIFFE/DNS SANs, subjects, or fingerprints.
Positive security — validate every request against an OpenAPI 3.x contract and block anything the spec doesn't declare.
The sharded token-bucket rate limiter — per-IP, per-host, or per-header keys, burst control, and 429 responses with Retry-After.
Elchi Shield is a local Envoy ext_proc API-security and WAF sidecar — 12 security engines enforced entirely on the edge host, configured by files, hot-reloaded atomically.
Turn a discovered API inventory into a draft Shield SecurityPolicy — the bridge from API Discovery to API Security.
The Elchi Shield policy file format — envelope, domains, routes, match predicates, inheritance, and multi-file merge semantics.