Single‑container WAAP for APIs
Drop‑in reverse proxy that protects your API from abuse, spam, and common web attacks. Runs next to your app; decisions come from our SaaS. No app changes required.
- One image: NGINX + OWASP‑CRS with an embedded auth‑adapter.
- AI approach: lightweight models learn usage patterns to spot automation, spam, scraping, and fraud with few false positives.
- Privacy‑first: headers/metadata only — no payloads leave your network by default.
- Fast: typically ≤ 10 ms overhead (p95) added to requests.
- Simple: Docker/Helm in minutes; keep your origin as is.
How it fits
Client → WAAP (CRS) → embedded adapter → Hafeniq SaaS → allow/throttle/block → Origin
CRS blocks obvious exploits at the edge. The embedded adapter asks our SaaS for a decision using metadata only (no bodies). Allowed traffic is proxied to your origin.
Compatibility
Available now
NGINX (ModSecurity/OWASP‑CRS) as a single container.
On the roadmap
Envoy/Envoy Gateway, Apache httpd, Caddy, HAProxy, Traefik, Kong & Kubernetes Ingress — same SaaS decision API and privacy defaults.
Privacy
Decisions are made from method, URL, and selected headers. Bodies stay in your environment. We support mTLS/HMAC to our SaaS and regional data residency.