A minimal web application firewall plug used by Tiny Robots apps. It halts vulnerability-scanner requests with a plain 404 Not Found before they reach the Phoenix router, so probes like /.env and /wp-login.php never hit session/parser plugs, never raise Phoenix.Router.NoRouteError, and never create error-reporting noise.
What it blocks
- Path segments that are not valid UTF-8 or contain a null byte
- Dot segments such as
/.env,/.git/config,/foo/.env—/.well-known/*is allowed - Segments with extensions an Elixir app never serves:
.php,.php5,.php7,.phtml,.asp,.aspx,.jsp,.jspx,.cgi - Paths whose first segment is
wp-*,wordpress,phpmyadmin, orcgi-bin(case-insensitive)
It is deliberately stateless: no IP tracking, no rate limiting, no logging. Blocked requests are simply answered early and cheaply.
Installation
def deps do
[
{:rbtz_waf, "~> 0.1"}
]
endUsage
Put the plug early in your endpoint, before Plug.Parsers and Plug.Session:
defmodule MyAppWeb.Endpoint do
use Phoenix.Endpoint, otp_app: :my_app
# ...
plug Plug.RequestId
plug Rbtz.WAF
# ...
plug MyAppWeb.Router
endOptions
:allow_prefixes— first path segments exempt from the scanner rules, for routes that legitimately serve arbitrary external paths (the encoding rules still apply):
plug Rbtz.WAF, allow_prefixes: ["proxy"]License
MIT — see LICENSE.