Integration Flows

You can integrate the WAF in two main ways: real-time (check before serving) or deferred (log first, block later).

These are base examples of integration. You can mix both models, protect only certain parts of your application, or design the WAF integration to suit your needs.

Deferred

In deferred mode, you log every request (or a sample) to our log-request API. We store and process it in the background. Rules (country, ASN, IP, User-Agent) are applied asynchronously; blocked IPs are then available via the blocked-ips endpoint or via Autodownload.

1 Call blocked-ips or use the Autodownload webhook to fetch the blocked IP list.

→

2 Check the request against that list.

→

3 Send request to log-request with the visit result (if you do not send blocked, it will be analysed to feed the blocked-ips API).

Real-time (Pro and above)

In real-time mode, your application or edge (e.g. Nginx, Apache, a middleware) calls our check-request API with the client IP and optional path/User-Agent. We return 200 (allow) or 403 (block). You can use the optional http_code parameter to get a plain HTTP status and empty body, which is useful for Nginx/Apache or other systems that only need a status code.

1 Send request to check-request.

→

2 Act on the API result (if blocked, deny and do not continue).

→

3 Send request to log-request with the visit result.

Autodownload Block IPs file

Autodownload is a feature that delivers the list of blocked IPs to your environment automatically. In practice it works like a webhook: you configure a URL in your WAF dashboard (your server or a script). Our system periodically calls that URL with the current set of blocked IPs (e.g. as a file or in a format you choose). You must prepare this endpoint on your side to accept the payload and update your firewall, Nginx, or application blocklist. It is available in Pro and higher tiers.

If you have any questions or need help with integration, get in touch.