WafWay is a self-hosted Web Application Firewall that protects against SQL injection, XSS, OWASP Top 10 threats, and L7 DDoS attacks with interactive challenge-response verification. Deploy in minutes, not weeks.
Independently tested against 704+ attack payloads including SQLMap, Burp Suite, OWASP ZAP variants, and cutting-edge evasion techniques. Every single attack blocked.
Comprehensive security testing with real-world attack payloads from popular penetration testing tools and cutting-edge evasion techniques.
Union, Boolean, Time-based, Stacked queries, SQLMap payloads
Reflected, Stored, DOM-based, Polyglots, Encoding bypasses
External entities, Parameter entities, Billion laughs, OOB
Shell commands, Reverse shells, Bypass techniques
Directory traversal, Null bytes, Encoding evasions
PHP wrappers, Log poisoning, File inclusion
Cloud metadata, Internal networks, Protocol smuggling
Tested with payloads from:
26 advanced evasion techniques tested. 100% blocked.
Everything you need to secure your web applications, from basic threat detection to advanced compliance reporting.
OWASP CRS-inspired detection with 45+ patterns covering union, boolean, time-based, and stacked query attacks.
Comprehensive cross-site scripting detection including reflected, stored, and DOM-based attacks with encoding bypass detection.
Industry-standard bcrypt password hashing with cryptographically secure token generation using crypto/rand.
SQLite-backed storage for rules, attack logs, and traffic analytics with automatic aggregation and data retention.
Create, update, and delete custom WAF rules with database persistence. Define patterns, actions, and priorities.
Time-series traffic data, top paths analysis, and attack logging. Export data via REST API for external dashboards.
Block or allow traffic by country, detect VPNs, Tor exit nodes, and datacenter IPs with MaxMind GeoIP integration.
Identify and block malicious bots while allowing legitimate crawlers. Includes DNS verification for search engines.
Three-tier rate limiting: allow, challenge, or block. Configurable soft threshold triggers human verification before hard blocking.
Interactive "Verify you are human" click-to-verify challenge with SHA-256 proof-of-work. Stops automated attacks while letting real users through in seconds.
Share rate limits, challenge passes, IP bans, and session state across multiple WAF instances via Redis. ElastiCache compatible.
Enterprise-scale persistent storage with PostgreSQL and connection pooling. RDS compatible. SQLite retained as default for smaller deployments.
Automatic HSTS, Content-Security-Policy (CSP), and CORS whitelist configuration. Full compliance with security best practices.
HTTP Strict Transport Security with configurable max-age, includeSubDomains, and preload directives for HTTPS enforcement.
Comprehensive CSP configuration with 10+ directives including script-src, style-src, frame-ancestors, and report-only mode.
Inspects response bodies for credit card numbers (Luhn-validated), SSN, API keys, and stack traces. Masks or blocks data leaks in real-time.
Detects CL.TE, TE.CL, and TE.TE attack variants. Rejects ambiguous Content-Length and Transfer-Encoding conflicts at the protocol level.
Verifies claimed good bots (Googlebot, Bingbot, Yandex) via reverse DNS + forward DNS confirmation. Blocks spoofed bot user-agents.
Deploy CVE-specific regex rules via admin UI without code changes. Hot-reloaded within 5 seconds. Block zero-day exploits before vendor patches ship.
Transparent WebSocket passthrough with per-IP connection rate limiting and configurable max connection duration. No impact on real-time apps.
Admin UI to manage IP whitelist and blacklist at runtime. Add, remove, and monitor IPs with instant enforcement, no restarts needed.
Configurable path whitelist and blacklist with glob pattern matching. Block access to sensitive paths like /.env, /.git, /wp-admin, and more.
When suspicious traffic is detected, WafWay presents an interactive challenge page. A SHA-256 proof-of-work runs silently in the browser, then the user clicks a checkbox to confirm they're human. Real users pass in seconds. Bots and automated scripts cannot.
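A minimal sketch of how a SHA-256 proof-of-work challenge of this kind can be issued, solved and verified. This is an added example, not WafWay's own code: the `challenge:counter` input format, the leading-zero-bit difficulty measure and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// NewChallenge returns a random 128-bit value the server issues per visitor.
func NewChallenge() string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // no entropy: fail closed rather than issue a guessable challenge
	}
	return hex.EncodeToString(buf)
}

// leadingZeroBits counts the zero bits at the start of a SHA-256 digest.
func leadingZeroBits(sum [32]byte) (n int) {
	for _, b := range sum {
		n += bits.LeadingZeros8(b)
		if b != 0 {
			break
		}
	}
	return n
}

// Verify is the server-side check: a single hash, however long solving took.
func Verify(challenge string, counter uint64, difficulty int) bool {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", challenge, counter)))
	return leadingZeroBits(sum) >= difficulty
}

// Solve is the client-side work: try counters until the digest is small enough.
func Solve(challenge string, difficulty int) uint64 {
	c := uint64(0)
	for !Verify(challenge, c, difficulty) {
		c++
	}
	return c
}

func main() {
	ch := NewChallenge()
	fmt.Println(ch, Solve(ch, 16)) // 16 bits: about 65,000 hashes on average
}
```

The asymmetry is the point: each extra difficulty bit doubles the client's expected work while verification stays at one hash. A deployed challenge also has to be bound to the client and expired after use so that a solved counter cannot be replayed.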
WafWay sits between the internet and your application, inspecting every request before it reaches your servers.
Single binary, no dependencies. Works on any Linux server.
Point to your backend application and customize protection levels.
Run as a systemd service and start blocking threats instantly.
Single binary. Zero dependencies. Deploy on any cloud, any VM, any container — your infrastructure, your data.
EC2, ECS, EKS
GCP, Azure, DigitalOcean, Hetzner, Bare Metal
Containers, Helm, K8s Ingress
Most common. WafWay sits between your load balancer and application servers.
WafWay runs on the same VM as your app. Simplest setup for single-server deployments.
Multiple WafWay instances sharing state via Redis + PostgreSQL for zero-downtime.
~30MB compiled Go binary. No Java, no Node.js, no runtime. Just copy and run.
Zero data sent to third-party clouds. Complete data sovereignty for compliance.
One WafWay instance protects 50+ domains with host-based backend routing.
Config changes, virtual patches, and route updates applied without restart.
Built for modern security challenges with uncompromising protection
Tested against 704+ attack payloads with zero bypasses. Every SQL injection, XSS, and advanced evasion technique blocked.
Lightning-fast request processing that your users won't even notice. Built with Go for maximum performance.
Complete data sovereignty. No third-party access. Your traffic never leaves your infrastructure.
No dependencies, no containers required. Just download and run. Deploy in under 5 minutes.
Full OWASP Top 10 protection across 7 attack categories including cutting-edge evasion techniques.
Self-hosted on your infrastructure. No per-request fees, no bandwidth charges, no data sent to third parties.
ConceptGood Consultants is an AI Product Development and Consulting firm based in Pune, India. We specialize in building intelligent solutions that transform how businesses operate.
Our portfolio includes ConceptGood (AI innovation platform), RaysHR (AI-powered HRMS), ArchitectGood (AI architecture platform), Crew4J (Java AI agent framework), and WafWay (Enterprise WAF). Each product represents our commitment to practical AI innovation.
Beyond products, we offer AI consulting services to help enterprises navigate their AI transformation journey — from strategy to implementation.
We leverage cutting-edge AI to solve complex business challenges.
Your success is our success. We go above and beyond for our clients.
We strive for excellence in every product and service we deliver.
Enterprise-grade quality in everything we build.
Join thousands of teams using WafWay to block web attacks.