Rbtz.WAF (rbtz_waf v0.1.0)

Copy Markdown View Source

A minimal web application firewall plug.

Halts requests with a plain 404 Not Found before they reach the router when the path looks like a vulnerability-scanner probe rather than anything an Elixir application would serve:

  • segments that are not valid UTF-8 or contain a null byte
  • dot segments such as /.env or /.git/config (/.well-known/* is allowed)
  • segments with extensions like .php, .asp, or .cgi
  • paths starting with wp-*, wordpress, phpmyadmin, or cgi-bin

Blocked requests are halted before the router raises Phoenix.Router.NoRouteError, so they never reach session, parser, or error-reporting plugs.

Usage

Put the plug early in your endpoint, before Plug.Parsers and Plug.Session:

plug Rbtz.WAF

Options

  • :allow_prefixes - first path segments exempt from the scanner rules, e.g. ["proxy"] to let /proxy/* paths through untouched. The encoding rules still apply.