Everything that runs on every request.
Thirty-plus security modules execute inline at the edge — WAF, bots, DDoS, API Shield and India DLP — all driven by one cached policy lookup. Here's each layer, in detail.
A WAF that understands the request, not just the regex.
Every request is normalized — double URL-decoded, comment-stripped, case-folded — before a single rule runs, so encoding tricks that slip past legacy filters get caught here.
OWASP Top 10 coverage
SQLi, XSS, RCE, LFI, path traversal and SSRF detection with curated, low-false-positive signatures.
Evasion-proof normalizer
Defeats double-encoding, inline /* */ comments and whitespace padding before inspection.
Per-tenant sensitivity
Low / Medium / High modes and per-category toggles (SQLi, XSS) controlled live from your dashboard.
Request & response body scan
Inspects POST bodies and outbound payloads, not only the URL and query string.
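The normalize-then-match order described above is the whole point of the evasion-proof normalizer: signatures are only as good as the canonical form they run against. The following is an added illustration in Python, not SecKav's code; the two-pass decode cap, the comment-to-space rule and the tiny signature set are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Assumption: two decode passes cover the double-encoding case described on
# the page; the cap also stops a client forcing an unbounded decode loop.
MAX_DECODE_PASSES = 2


def normalize(raw: str) -> str:
    """Canonicalize a URL, query or body fragment before any signature runs.

    Order matters: decode first (so %2F%2A becomes /*), then strip comments,
    then collapse whitespace, then case-fold.
    """
    s = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(s)
        if decoded == s:          # nothing left to decode
            break
        s = decoded
    # Replace inline comments with one space rather than deleting them: SQL
    # treats /**/ as a token separator, so UNION/**/SELECT must become
    # "union select", not "unionselect".
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)
    s = re.sub(r"\s+", " ", s).strip()   # defeat whitespace padding
    return s.lower()


# Constructed, deliberately small signature set written against the
# normalized form; a production rule set is far larger and tuned for
# false positives.
SIGNATURES = {
    "sqli-union": re.compile(r"\bunion\b.*?\bselect\b"),
    "sqli-tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+"),
    "xss-script-tag": re.compile(r"<script\b"),
    "path-traversal": re.compile(r"(?:^|[^\w])\.\./"),
}


def inspect(raw: str):
    """Return the name of the first matching signature, or None if clean."""
    canonical = normalize(raw)
    for name, pattern in SIGNATURES.items():
        if pattern.search(canonical):
            return name
    return None


if __name__ == "__main__":
    # Constructed probes: each one defeats a naive regex on the raw string.
    samples = [
        "%2527%2520UNION%252F%252A%252A%252FSELECT%2520password",
        "id=1   OR    1=1",
        "q=%3CScRiPt%3Ealert(1)%3C/script%3E",
        "file=..%252f..%252fetc%252fpasswd",
        "/products?id=42&sort=price",
    ]
    for s in samples:
        print(f"{s!r:58} -> {inspect(s)}")
```

Running the block shows the first four probes caught only after normalization and the benign product query passing clean. The same `normalize` function should be applied to POST bodies and response payloads, not just the URL, which is the point of the body-scan feature above.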
Score every visitor 0–100 and choose how to respond.
SecKav fingerprints each request on headers, TLS hints, velocity and behavior, then applies the action you configure for verified, suspicious and definite bots.
Behavioral scoring engine
A live 0–100 score blends fingerprint, request cadence and known-bot heuristics.
Four response modes
Block outright, issue an invisible JS challenge, tarpit, or serve scrapers convincing fake data.
Verified bot allow-list
Googlebot, Bingbot and other good crawlers pass cleanly while bad bots are stopped.
Credential-stuffing defense
Login and signup endpoints get stricter limits and account-takeover detection automatically.
Absorb application-layer floods without touching your origin.
An O(1) penalty box and adaptive per-endpoint rate limiting live in shared edge memory, so volumetric spikes are dropped in microseconds — long before they reach your servers.
O(1) penalty box
Banned IPs are rejected with a single shared-dict lookup — no database round-trip.
Adaptive rate limiting
Per-endpoint request budgets with burst control; login paths get the tightest limits.
One-click Under-Attack Mode
Flip an emergency switch to challenge every visitor during an active incident.
Live attack dashboard
Top attacking IPs, targeted endpoints and RPS, updated in real time.
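To make the penalty-box and rate-limit mechanics concrete, here is an added Python model of the two structures working together; it is not SecKav's implementation. Plain dicts stand in for the proxy's shared memory, the per-endpoint budgets and the three-strikes ban rule are assumptions, and the clock is passed in explicitly so the behaviour is deterministic.

```python
# Assumed budgets per endpoint class: (sustained requests per second, burst size).
BUDGETS = {
    "login": (1.0, 5),       # login and signup paths get the tightest limit
    "default": (20.0, 50),
}


class PenaltyBox:
    """Banned-IP table answered with a single dict lookup per request (O(1))."""

    def __init__(self):
        self._expiry = {}    # ip -> time at which the ban ends

    def ban(self, ip, seconds, now):
        self._expiry[ip] = now + seconds

    def is_banned(self, ip, now):
        until = self._expiry.get(ip)
        if until is None:
            return False
        if now >= until:     # lazy expiry: drop the entry on first lookup after it lapses
            del self._expiry[ip]
            return False
        return True


class TokenBucket:
    """Refill at `rate` tokens per second, hold at most `burst`; one token per request."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeLimiter:
    """Penalty box first, then the per-(ip, endpoint class) budget; repeated
    overruns escalate into a time-boxed ban so the flood stops costing a
    bucket update per request."""

    def __init__(self, ban_seconds=60, strikes_to_ban=3):
        self.box = PenaltyBox()
        self.buckets = {}
        self.strikes = {}
        self.ban_seconds = ban_seconds
        self.strikes_to_ban = strikes_to_ban

    @staticmethod
    def classify(path):
        # Assumed path convention for the auth endpoints.
        return "login" if path.startswith(("/login", "/signup")) else "default"

    def check(self, ip, path, now):
        """Return 'allow', 'rate_limited' or 'banned'."""
        if self.box.is_banned(ip, now):
            return "banned"
        key = (ip, self.classify(path))
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(*BUDGETS[key[1]])
        if bucket.allow(now):
            return "allow"
        strikes = self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if strikes >= self.strikes_to_ban:
            self.box.ban(ip, self.ban_seconds, now)
            self.strikes[ip] = 0
            return "banned"
        return "rate_limited"


if __name__ == "__main__":
    limiter = EdgeLimiter()
    src = "203.0.113.9"     # constructed address from a documentation range
    for i in range(9):
        print(i, limiter.check(src, "/login", now=0.0))
    print("after the ban lapses:", limiter.check(src, "/login", now=61.0))
```

Nine login requests in the same instant give five allows, two rate-limit verdicts and then a ban; every request after that is answered from the penalty box alone until the ban expires. In a real proxy the `PenaltyBox` table is the piece that must live in memory shared across workers, since a ban decided by one worker has to be visible to all of them on the very next request.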
Treat your API as a first-class attack surface.
JWTs are verified cryptographically at the edge, request shapes are validated against a schema, and object-level authorization gaps are closed before they reach your code.
Edge JWT validation
HMAC signatures verified at the proxy — the classic “alg: none” bypass is rejected outright.
BOLA / IDOR protection
Object-level authorization checks stop users from enumerating other tenants’ records.
Schema enforcement
Strict JSON validation and content-type / body-size limits reject malformed requests.
Shadow API discovery
Undocumented endpoints are surfaced from live traffic so nothing ships unprotected.
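The two checks that matter most in this section, rejecting anything but the expected HMAC algorithm before a signature is examined and then confirming the caller owns the object it asks for, are shown below in an added Python example using only the standard library. It is not SecKav's code; the HS256-only policy, the `tenant` claim name and the record layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption: tokens are HS256-signed with a shared secret held at the edge.
# Any other algorithm value, "none" included, is rejected before the
# signature is even looked at.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token; present only so the example can build its own inputs."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: int):
    """Return (True, claims) or (False, reason). Nothing in the payload is
    trusted until the header algorithm and the signature have both passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except ValueError:
        return False, "bad header"
    alg = header.get("alg") if isinstance(header, dict) else None
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return False, "alg not allowed"
    try:
        given = _b64url_decode(s)
    except ValueError:
        return False, "bad signature encoding"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):     # constant-time comparison
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "bad payload"
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return False, "expired"
    return True, claims


def authorize_record(claims: dict, record: dict) -> bool:
    """Object-level (BOLA/IDOR) check: a caller may only touch records that
    belong to its own tenant. `tenant` is an assumed claim and field name."""
    tenant = claims.get("tenant")
    return tenant is not None and tenant == record.get("tenant")


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = sign_hs256({"sub": "user-1", "tenant": "t-42", "exp": 2000}, secret)
    print(verify_jwt(token, secret, now=1000))
    print(verify_jwt(token, secret, now=2000))
    ok, claims = verify_jwt(token, secret, now=1000)
    print(authorize_record(claims, {"id": 7, "tenant": "t-42"}),
          authorize_record(claims, {"id": 8, "tenant": "t-99"}))
```

The order inside `verify_jwt` is the security-relevant part: the algorithm allow-list is consulted from the edge's own configuration, never from the token, and the payload is only decoded after `hmac.compare_digest` succeeds, so a tampered or unsigned payload never reaches the authorization step.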
The compliance layer global WAFs simply don’t have.
SecKav inspects outbound HTML and JSON and masks Indian PII in real time. Each field is an independent toggle, so you redact exactly what your DPDP obligations require — and nothing leaks from your edge.
Aadhaar & PAN masking
Aadhaar becomes XXXX-XXXX-9012 and PAN becomes XXXXX1234F, in HTML and API responses alike.
Cards, email & phone
Credit-card numbers, email addresses and phone numbers masked or obfuscated on the way out.
Per-field control
Turn each PII type on or off independently to match your data-handling policy.
Always-on secret redaction
Provider API keys (e.g. payment-gateway secrets) are stripped as a hard security invariant.
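The masking formats quoted above (XXXX-XXXX-9012 for Aadhaar, XXXXX1234F for PAN) and the per-field toggles translate naturally into an ordered set of regex maskers with an always-on secret step at the end. The block below is an added Python example, not SecKav's DLP engine; the patterns, the toggle names and the JSON secret field names are constructed for the example, and a production engine would add checksum validation to cut false positives.

```python
import re

# Constructed patterns. A real DLP engine also validates checksums (Verhoeff
# for Aadhaar, Luhn for cards) so that arbitrary digit runs are not masked.
CARD = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")
AADHAAR = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")
PAN = re.compile(r"\b[A-Z]{5}(\d{4})([A-Z])\b")
PHONE = re.compile(r"(?<!\d)(?:\+91[ -]?)?([6-9]\d{9})(?!\d)")   # Indian mobile numbers
EMAIL = re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b")
# Always-on: JSON fields whose name marks a provider secret (field names assumed).
SECRET_FIELD = re.compile(r'"(api_key|secret|client_secret|access_token)"\s*:\s*"[^"]*"', re.I)

# Order matters: the 16-digit card pattern must run before the 12-digit
# Aadhaar pattern, otherwise the first three groups of a spaced card number
# would be read as an Aadhaar number.
MASKERS = [
    ("card",    CARD,    lambda m: f"XXXX-XXXX-XXXX-{m.group(4)}"),
    ("aadhaar", AADHAAR, lambda m: f"XXXX-XXXX-{m.group(3)}"),
    ("pan",     PAN,     lambda m: f"XXXXX{m.group(1)}{m.group(2)}"),
    ("phone",   PHONE,   lambda m: f"XXXXXX{m.group(1)[-4:]}"),
    ("email",   EMAIL,   lambda m: f"{m.group(1)}***@{m.group(2)}"),
]

ALL_ON = {name: True for name, _, _ in MASKERS}


def mask_response(body: str, enabled: dict = ALL_ON) -> str:
    """Mask the enabled PII types in an outbound HTML or JSON body.
    Secret redaction runs last and regardless of the toggles."""
    out = body
    for name, pattern, repl in MASKERS:
        if enabled.get(name, False):
            out = pattern.sub(repl, out)
    return SECRET_FIELD.sub(lambda m: f'"{m.group(1)}":"[REDACTED]"', out)


if __name__ == "__main__":
    # Constructed API response and HTML fragment; every value is fictitious.
    body = ('{"name":"Asha","aadhaar":"1234 5678 9012","pan":"ABCDE1234F",'
            '"card":"4111 1111 1111 1111","email":"asha@example.com",'
            '"phone":"+91 9876543210","api_key":"CONSTRUCTED-SECRET-0001"}')
    print(mask_response(body))
    print(mask_response("<p>Aadhaar: 1234-5678-9012, PAN ABCDE1234F</p>"))
    print(mask_response(body, dict(ALL_ON, aadhaar=False)))
```

With every toggle on, the constructed JSON comes back with the Aadhaar, PAN, card, email and phone values masked and the `api_key` value replaced by `[REDACTED]`; with `aadhaar` switched off the Aadhaar number passes through unchanged while the secret is still stripped. One consequence of the ordering worth knowing: if card masking is disabled but Aadhaar masking is on, a card number written with spaces will still be partially masked by the Aadhaar rule, which is the safer direction for a leak to fail in.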
Patched at the edge before you can patch your code.
SecKav polls the NVD CVE feed, asks AI to draft a precise Lua mitigation for each new vulnerability, and stages it for deployment to the edge — closing the window between disclosure and exploit.
Continuous CVE monitoring
The National Vulnerability Database feed is polled on an hourly schedule.
AI-generated mitigations
Each CVE description is turned into a targeted edge rule, ready for review and rollout.
Minutes, not maintenance windows
Mitigations deploy to the proxy without a code change or redeploy on your side.
Threat explainability
Any blocked payload can be explained in plain English to speed up triage.
The complete module shelf.
Beyond the headline pillars, dozens of specialized modules run in the same inline pipeline — each toggled per tenant.
Geo Blocking
Allow / deny by country across the full ISO 3166 list.
IP Firewall
Manual IP blocklists and trusted allow-lists.
Custom Rules
Field / operator / value rules with block, tarpit, challenge or skip.
Preset Rule Library
One-click rules for common attack patterns and scanners.
Zone Lockdown
Restrict sensitive paths to specific IPs or networks.
GraphQL Shield
Block introspection and cap query depth & aliasing.
WebSocket Shield
Inspect and filter WebSocket upgrade frames.
JWT Validator
Cryptographic token verification at the edge.
ML Anomaly Scoring
Baseline traffic and flag statistical outliers.
Threat Intel Feeds
Live IP-reputation lists refreshed continuously.
Malware Scanner
ClamAV-backed scanning of uploaded files.
Tracker Scanner
Crawl your site to surface third-party trackers.
Credential Check
Detect stuffing and breached-password reuse on auth.
Sequence Rules
Catch multi-step abuse across a request sequence.
Immutable Audit Log
Every blocked request recorded as metadata only.
CSP Injector
Inject and enforce Content-Security-Policy headers.
One ordered pass, edge to origin.
Each request flows through the chain below. The first module to reach a verdict wins — and most attacks never make it halfway.
Turn it all on in one dashboard.
Every module here is a toggle away once your DNS points at SecKav. Start free and tighten as you grow.