A minimal web application firewall plug.
Halts requests with a plain 404 Not Found before they reach the router when
the path looks like a vulnerability-scanner probe rather than anything an
Elixir application would serve:
- segments that are not valid UTF-8 or contain a null byte
- dot segments such as
/.envor/.git/config(/.well-known/*is allowed) - segments with extensions like
.php,.asp, or.cgi - paths starting with
wp-*,wordpress,phpmyadmin, orcgi-bin
Blocked requests are halted before the router raises
Phoenix.Router.NoRouteError, so they never reach session, parser, or
error-reporting plugs.
Usage
Put the plug early in your endpoint, before Plug.Parsers and Plug.Session:
plug Rbtz.WAFOptions
:allow_prefixes- first path segments exempt from the scanner rules, e.g.["proxy"]to let/proxy/*paths through untouched. The encoding rules still apply.