Inline WAF · No proxy · No DNS

WAF without proxy. You're in charge.

The WAF goes behind your site, not in front.

Most WAFs are edge proxies: they break legitimate traffic, add latency and tie you to their uptime. CoreWAF loads from inside your own site — no DNS change, no TLS termination — and you decide what to block.

No credit card · Setup in minutes · Cancel anytime

What it does

Surgical blocking, not a sledgehammer.

We block what has no excuse: known bots, IPs with history, clear attack patterns. The rest is up to you — your rules, your thresholds, zero vendor false positives out of the box.

Behind, not in front

Your site keeps receiving traffic as usual. CoreWAF runs at the start of every request and decides locally. Zero third parties in the path.

Synced rules

Edit in the panel, hit "Deploy" and rules reach your site signed. No restarts, no DNS propagation — seconds.

Real metrics

Hits per hour, top IPs, top User-Agents and blocks. What your site actually saw, not what a CDN claims to have filtered.

Only what you set

IP, CIDR, User-Agent and URL with precise operators (contains, starts, ends, exact). Whitelist takes priority. Zero vendor false positives.

The model

Behind, not in front.

What changes when the WAF stops being a proxy and runs inside your own application.

Traditional proxy WAF

Intercepts traffic before it reaches your server

Other WAF and CDN providers

  • Requires delegating DNS and TLS termination
  • WAF outage means full service outage
  • Generic rules with a high false-positive rate
  • Logs reflect the CDN, not real traffic
  • SSL certificate management under third-party control
  • Incompatible or problematic when combined with other CDNs

3 steps

From zero to protected in minutes.

No DNS migration, no new networks, no support tickets with your hosting provider.

1. Create your account

Sign up and add the domain you want to protect. The free trial starts automatically.

2. Connect your site

Add a single line to your site and CoreWAF goes live. No DNS, no TLS termination on the way.

3. Monitor and refine your rules

Hit "Deploy" and rules apply in seconds. Watch hits, blocks, IPs and agents in real time.

Pricing

You pay for volume, not features.

Every plan includes unlimited rules, full metrics and support. Pick by the hits/month you expect.

  • 100 K hits / mo: €1.95 /mo
  • 1 M hits / mo: €4.95 /mo
  • 25 M hits / mo: €19.95 /mo
  • 50 M hits / mo: €29.95 /mo

FAQ

Frequently asked

Does it work if I already have Cloudflare or Sucuri in front?

Yes. CoreWAF lives inside your site, not at the edge, so they coexist without conflict. In fact, CoreWAF gives you real data on what your site received after the CDN filter — something the Cloudflare panel doesn't show.

How long does setup take?

Minutes. Sign up, add the domain, paste a single line in your site. No DNS, no migrations, no restarts.

Are there false positives?

It only blocks what you define. There are no aggressive global rules like a stock OWASP CRS. If a legitimate IP or User-Agent gets caught, you whitelist it in one click and it overrides any blacklist.

What if I exceed my plan's hits?

We warn you before the cap and you can upgrade in one click. We never cut service without giving you room.

What happens if CoreWAF stops responding?

Fail-open by design: if the WAF logic fails, your site keeps serving traffic as if it weren't there. Blocking real visitors is worse than not blocking attacks for a minute.

Try it on your domain. Free trial.

No credit card, no commitment. If it doesn't convince you, close the account and that's it.