Share
## https://sploitus.com/exploit?id=C9A33542-469F-5734-AF7B-8A6007A5DAD9
# FortressWAF β Web Application Firewall
[](https://opensource.org/licenses/Apache-2.0)
[](https://go.dev/)
[](https://owasp.org/www-project-top-ten/)
**FortressWAF** is a production-grade, enterprise-ready Web Application Firewall that protects web applications and APIs from OWASP Top 10 threats, zero-day attacks, DDoS, and bot abuse. Built in Go with a machine learning sidecar, it provides defense-in-depth with sub-millisecond latency.
## Features
| Category | Details |
|----------|---------|
| **OWASP Top 10** | Full coverage: SQLi, XSS, RCE, LFI, SSRF, XXE, broken auth, misconfiguration |
| **ML-Powered Detection** | Anomaly detection engine with ensemble models (Random Forest + XGBoost + Transformer) |
| **Layer 7 DDoS Protection** | Sliding window rate limiting, token bucket, per-route limits, burst control |
| **Bot Management** | 500+ signatures, JS challenges, CAPTCHA integration, fingerprinting |
| **API Security** | Schema validation, JWT introspection, GraphQL depth limiting, OWASP API Top 10 |
| **IP Reputation** | Real-time threat intel feeds, geo-blocking, TOR/VPN/proxy detection |
| **Real-time Dashboard** | Live metrics, attack visualization, top targets, latency heatmaps, WebSocket feed |
| **Virtual Patching** | Deploy WAF rules instantly without modifying application code |
| **Multi-Tenancy** | Isolated workspaces, custom rulesets, per-tenant analytics (Enterprise) |
| **Compliance Ready** | PCI DSS, GDPR, HIPAA, SOC 2, ISO 27001, FIPS 140-2 |
## Quick Start
```bash
# One-line install (Linux)
curl -sSL https://install.fortresswaf.io | bash
# Or clone and run with Docker Compose
git clone https://github.com/zulfff/FortressWAF.git
cd FortressWAF
docker compose -f deploy/docker-compose.yml up -d
# Verify
curl http://localhost:8080/api/v1/health
```
## Architecture
```
βββββββββββββββββββββββββββββββββββββββ
β Internet / Clients β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Global Load Balancer β
ββββββββββββββββ¬βββββββββββββββββββββββ
β
ββββββββββββββββββββββΌβββββββββββββββββββββ
β β β
βΌ βΌ βΌ
ββββββββββββββββββ ββββββββββββββββββ ββββββββββββββββββ
β FortressWAF β β FortressWAF β β FortressWAF β
β Node 1 β β Node 2 β β Node N β
β (Active) β β (Active) β β (Active) β
ββββββββββ¬βββββββββ ββββββββββ¬βββββββββ ββββββββββ¬βββββββββ
β β β
ββββββββββββββββββββββΌβββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββββββββββ
β Backend Services β
β (App Servers / APIs / CDN) β
βββββββββββββββββββββββββββββββββββββββ
```
**Inside each node:**
```
Request βββΊ TLS Term βββΊ HTTP Parse βββΊ Rate Limiter βββΊ IP Reputation
β
βββββββββββββββββββββββββββββββββββββββββββ
βΌ
Rule Engine Pipeline
ββββββββββββ¬βββββββββββ¬βββββββββββ¬βββββββββββ
β SQLi β XSS β RCE/LFI β API β
β Detector β Detector β Detector β Schema β
ββββββββββββ΄βββββββββββ΄βββββββββββ΄βββββββββββ
β
βββββββββββΌββββββββββ
β ML Inference β
β (optional sidecar) β
βββββββββββ¬ββββββββββ
β
βββββββββββΌββββββββββ
β Decision Engine β
β Allow/Block/Challengeβ
βββββββββββ¬ββββββββββ
β
βββββββββββΌββββββββββ
β Proxy Forwarder ββββΊ Origin
βββββββββββββββββββββ
```
## Performance
| Metric | Without ML | With ML |
|--------|-----------|---------|
| Throughput | 85,000 req/s | 45,000 req/s |
| P99 Latency | 3.8ms | 12ms |
| Memory | 150MB | 1.2GB |
## Documentation
Full documentation is available at [https://docs.fortresswaf.io](https://docs.fortresswaf.io).
| Document | Description |
|----------|-------------|
| [Getting Started](docs/getting-started.md) | Install and configure in 5 minutes |
| [Architecture](docs/architecture.md) | System architecture deep dive |
| [Rule Language](docs/rule-language.md) | YAML-based rule DSL reference |
| [API Reference](docs/api-reference.md) | Full REST API documentation |
| [Deployment](docs/deployment.md) | Docker, K8s, bare metal, cloud guides |
| [Compliance](docs/compliance.md) | PCI DSS, GDPR, HIPAA, SOC 2 |
| [Troubleshooting](docs/troubleshooting.md) | Common issues and solutions |
## Community vs Enterprise
| Feature | Community | Enterprise |
|---------|-----------|------------|
| Core WAF Engine | β
| β
|
| OWASP Top 10 Rules | β
| β
|
| Rate Limiting | β
| β
|
| Dashboard | β
| β
|
| REST API | β
| β
|
| 5,000+ Rule Corpus | β
| β
|
| IP Reputation | β
| β
|
| Bot Detection | β
| β
|
| ML Anomaly Detection | β | β
|
| Multi-Tenancy | β | β
|
| Compliance Modes (PCI/GDPR/HIPAA) | β | β
|
| FIPS 140-2 | β | β
|
| SLA Support (24/7) | β | β
|
| SSO/SAML | β | β
|
| Audit Logs | β | β
|
| Dedicated Support | β | β
|
| Custom Rules Priority | β | β
|
## Quick Reference
```bash
# CLI
fortressctl config validate # Validate configuration
fortressctl rules list # List all rules
fortressctl rules apply --profile # Apply rule profile
fortressctl rules test # Test a rule against a payload
fortressctl compliance report # Generate compliance report
# API
curl http://localhost:8080/api/v1/health # Health check
curl -H "Authorization: Bearer $TOKEN" /api/v1/metrics # Metrics
curl -H "Authorization: Bearer $TOKEN" /api/v1/events # Security events
curl -H "Authorization: Bearer $TOKEN" /api/v1/rules # List rules
curl -X POST -H "Authorization: Bearer $TOKEN" /api/v1/rules # Add rule
```
## Contributing
Contributions are welcome! Please read our guidelines and submit PRs to [github.com/zulfff/FortressWAF](https://github.com/zulfff/FortressWAF/pulls).
## Security
Please see [SECURITY.md](SECURITY.md) for our security policy and vulnerability reporting process.
## License
- **Community Edition**: Apache 2.0 - Free for production use
- **Enterprise Edition**: Commercial license with additional features
Copyright Β© 2024-2025 FortressWAF. Open-core security for the modern web.
---
Built to compete with Cloudflare. Priced for the mid-market.