Web Application Firewall

Stop every malicious request at the edge

veilx WAF identifies and blocks CC attacks, injection, malicious bots and anomalous traffic in real time at edge nodes — protection with no changes to your application.

Contact sales

How it works

How requests are handled in real time

STEP 01

Connect your site

Enable WAF for your site in the console — no changes to your application code.

STEP 02

Match against rules

Every request is evaluated at the edge in real time by the rule engine against 29 classes of match conditions.

STEP 03

Act in real time

A matched rule triggers a block, a human-verification challenge or a pass — completed in milliseconds.

Key features

Protection, down to the request level

Rule engine

Freely combine 29 classes of match conditions to describe exactly the requests you want to block.

CC protection

Identify CC attacks by rate and behavior, then challenge or block them automatically.

Injection and XSS protection

Detect the signatures of SQL injection, XSS and other common web attacks.

Malicious bot detection

Tell legitimate crawlers apart from malicious scrapers and scanners.

Custom rules

Tailor blocking rules to your business, roll them out gradually and adjust at any time.

Block logs

Every block is recorded and searchable, with the matched rule made clear.

Specifications

At a glance

Match conditions 29 classes: IP, geography, URL, parameters, headers, UA, rate and more

Actions Block, human verification, pass, log only

Protection types CC attacks, SQL injection, XSS, malicious bots, vulnerability scans

Rule rollout Configuration pushed instantly to all edge nodes

Human verification Behavioral CAPTCHA — low-friction human/bot separation

Block logs Full records, searchable by rule and time

Use cases

Which workloads need it most

Defend against credential stuffing, brute force and spam submissions.

APIs and data endpoints

Prevent API abuse and high-frequency scraping.

Anti-scraping for content sites

Block malicious bots and protect original content.

FAQ

About WAF protection

Will it wrongly block legitimate users?

WAF matches requests precisely with rules, and for suspicious ones it uses a low-friction human-verification challenge instead of an outright block — so legitimate users barely notice it.

Do I need to change code to onboard?

No. Once your site is connected to veilx, just enable WAF in the console — no changes to your application code or servers.

Does it protect against CC and DDoS?

WAF has dedicated protection for application-layer CC attacks; network-layer DDoS is absorbed by the scrubbing capacity of the edge nodes.

Can I define my own rules?

Yes. Beyond the built-in rules, you can build custom rules from 29 classes of conditions and roll them out gradually.

Keep threats outside the edge.

Create an account and turn on protection for your first site.