# Baffle WAF

## Product Positioning

Tagline options:

- "Baffle bots. Calm traffic." (plays on both meanings of baffle: confuse and quiet)
- "Confuse bots. Calm infrastructure."
- "Bewilder bots, silence the chaos"

## Target Market

- Solo devs and bootstrapped startups (can't afford $249/mo Wafris/Cloudflare)
- Privacy-conscious and regulated orgs (data sovereignty requirements)
- Self-hosters (infrastructure control enthusiasts)
- Cost-sensitive scale-ups (outgrowing free tiers)

## Business Model (Sidekiq-style)

Free (fully functional):

- Ruby/Rack edge agent (2-5ms response time)
- Local SQLite rules
- IP blocking, rate limiting, geoblocking
- Manual rule management
- Community support

Pro ($99-149/mo):

- Go edge agent (performance upgrade)
- SSO / multi-team
- Centralized hub with traffic analytics
- Automated rule generation
- Adaptive sampling (manual 0-100% toggle for hub load management)
- IP reputation feeds
- Priority support

## Key Technical Decisions

Traffic categories:

- Blocked - matched a deny rule
- Allowed - matched an allow rule (fast path for whitelisted IPs/APIs, so no further rules are evaluated)
- Unmatched - no rule matched; the request is passed through

## OWASP Approach

- Don't try to compete with ModSecurity's full CRS
- Focus on network-layer threats (bots, rate limiting, IP reputation)
- Map to OWASP Top 10 where applicable (A05, A07, partial A01/A03)
- Position as complementary to app-layer security

### Killer Feature: Performance Visibility

Always-on category timing:

- Track latency by rule type (IP checks, rate limits, regex, etc.)
- Show the real-time impact in the dashboard
- Let users add rules and immediately see the performance cost
- "The only WAF that shows you exactly what your rules cost"

Why this matters:

- No other WAF does this well
- Solves the "why is my site slow?" blame game
- Empowers users to make informed tradeoffs
- Natural deterrent against kitchen-sink rule sets

## Implementation

- Start with category-level timing (always on, minimal overhead)
- Users can experiment: add a rule → watch latency → remove it if too expensive
- Add detailed per-rule profiling later if needed

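The three traffic categories, the allow-list fast path and the always-on category timing described above, as one added example (not Baffle's own code). It is a Rack-compatible middleware written against the plain `call(env)` contract, so the `rack` gem is not required; the class name, the `baffle.*` env keys, the rule-type names and the sample traffic are all assumptions made for this example.

```ruby
require "ipaddr"

# Rack-compatible edge middleware (added example, not Baffle's code). Every rule
# type is timed on every request and the numbers are folded into a running table,
# which is the raw data behind "what your rules cost". Class, method and env-key
# names are assumptions; only the call(env) contract of Rack is used.
class BaffleEdge
  Result = Struct.new(:category, :reason, :timings_us)

  def initialize(app, allow_cidrs: [], deny_cidrs: [], rate_limit: { limit: 60, window: 60 }, clock: nil)
    @app    = app
    @allow  = allow_cidrs.map { |c| IPAddr.new(c) }
    @deny   = deny_cidrs.map { |c| IPAddr.new(c) }
    @limit  = rate_limit[:limit]
    @window = rate_limit[:window]
    @buckets = Hash.new { |h, k| h[k] = [] }   # ip => request timestamps inside the window
    # rule type => { count:, total_us:, max_us: } (category-level timing, always on)
    @stats = Hash.new { |h, k| h[k] = { count: 0, total_us: 0, max_us: 0 } }
    @clock = clock || -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }
  end

  attr_reader :stats

  def call(env)
    result = classify(env["REMOTE_ADDR"], now: @clock.call)
    env["baffle.category"]   = result.category     # assumed env keys for downstream apps
    env["baffle.timings_us"] = result.timings_us
    if result.category == :blocked
      return [403, { "content-type" => "text/plain" }, ["blocked: #{result.reason}\n"]]
    end
    @app.call(env)
  end

  # Order matters: the allow list is the fast path, so a whitelisted IP never pays
  # for the deny-list or rate-limit checks.
  def classify(ip_str, now:)
    timings = {}
    ip = IPAddr.new(ip_str)
    hit = timed(:ip_allow, timings) { @allow.any? { |c| c.include?(ip) } }
    return Result.new(:allowed, "allow list", timings) if hit
    hit = timed(:ip_deny, timings) { @deny.any? { |c| c.include?(ip) } }
    return Result.new(:blocked, "deny list", timings) if hit
    over = timed(:rate_limit, timings) { rate_limited?(ip_str, now) }
    return Result.new(:blocked, "rate limit", timings) if over
    Result.new(:unmatched, nil, timings)
  end

  private

  # Cost of one rule type on this request, recorded per request and in the running stats.
  def timed(rule_type, timings)
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC, :microsecond)
    outcome = yield
    elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC, :microsecond) - t0
    timings[rule_type] = elapsed
    s = @stats[rule_type]
    s[:count]    += 1
    s[:total_us] += elapsed
    s[:max_us]    = elapsed if elapsed > s[:max_us]
    outcome
  end

  # Sliding-window counter: more than `limit` requests inside `window` seconds trips it.
  def rate_limited?(ip, now)
    bucket = @buckets[ip]
    bucket.reject! { |t| t <= now - @window }
    bucket << now
    bucket.size > @limit
  end
end

# Constructed traffic: one whitelisted IP, one denied IP, and one IP that trips a
# 3-per-minute limit on its 4th request. A fixed clock keeps the run deterministic.
def baffle_demo
  app  = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  edge = BaffleEdge.new(app, allow_cidrs: ["10.0.0.0/8"], deny_cidrs: ["203.0.113.0/24"],
                        rate_limit: { limit: 3, window: 60 }, clock: -> { 1_000.0 })
  results = []
  request = lambda do |ip|
    env = { "REMOTE_ADDR" => ip }
    status, = edge.call(env)
    results << [ip, env["baffle.category"], status]
  end
  request.call("10.1.2.3")
  request.call("203.0.113.9")
  4.times { request.call("198.51.100.7") }
  { results: results, stats: edge.stats }
end

if __FILE__ == $PROGRAM_NAME
  demo = baffle_demo
  demo[:results].each { |ip, cat, status| puts format("%-14s %-10s %d", ip, cat, status) }
  demo[:stats].each do |rule, s|
    puts format("%-11s n=%d avg=%.1fus max=%dus", rule, s[:count], s[:total_us].fdiv(s[:count]), s[:max_us])
  end
end
```

The `stats` table is what a dashboard would read: adding a rule type shows up as a new row with its own average and worst-case cost, and the per-request `baffle.timings_us` hash makes the "add rule, watch latency, remove if too expensive" loop observable request by request. Per-rule profiling would slot in by keying `timed` on a rule id instead of a rule type.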
## Terminology Settled

- Rule pruning - removing inactive rules for performance
- Violation / pattern match - when traffic triggers a rule
- Adaptive sampling - the hub telling edges to reduce telemetry load

## Architecture Clarity

Self-hosted only (no SaaS hosting from you):

- Edge agents perform forward auth using local SQLite rules
- Edges push telemetry to the hub every 10 seconds
- The hub analyzes telemetry and pushes rules back
- Max 20-second gap between a violation and rule deployment
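The edge/hub control loop described above, together with the adaptive-sampling toggle from the Pro tier, as an added simulation (not Baffle's code). `Edge`, `Hub`, the message shapes, the "3 hits from one IP" analysis rule and the deterministic sampler are all assumptions; the only numbers taken from the page are the 10-second push interval and the 20-second bound, and the simulation shows where the 20 seconds come from: a violation that lands just after a push, with the hub's own analysis pass running just before that telemetry arrives.

```ruby
# Simulated Baffle-style edge <-> hub loop. Added example, not the project's code:
# the classes, message hashes, analysis rule and sampler are all assumptions.
class Edge
  PUSH_INTERVAL = 10  # seconds; "push telemetry to hub every 10 seconds"
  attr_reader :rules, :sample_rate

  def initialize(hub)
    @hub = hub
    @rules = []          # deny rules received from the hub
    @sample_rate = 100   # percent of violations forwarded; the hub may lower it
    @pending = []        # telemetry batch waiting for the next push
    @seen = 0
    @last_push = 0
  end

  # Record a violation locally and forward only the sampled fraction.
  def observe(ip, at:)
    @seen += 1
    # deterministic sampler (assumption): keep the event when the running quota crosses an integer
    keep = (@seen * @sample_rate) / 100 > ((@seen - 1) * @sample_rate) / 100
    @pending << { ip: ip, at: at } if keep
  end

  def pending_count
    @pending.size
  end

  # Called once per simulated second; pushes every PUSH_INTERVAL seconds and
  # applies whatever rules and sampling rate the hub sends back.
  def tick(now)
    return unless now - @last_push >= PUSH_INTERVAL
    reply = @hub.ingest(@pending, now)
    @pending = []
    @rules |= reply[:rules]
    @sample_rate = reply[:sample_rate]
    @last_push = now
  end
end

class Hub
  ANALYZE_INTERVAL = 10
  attr_accessor :sample_rate   # operator's manual 0-100% toggle for hub load

  def initialize(threshold: 3)
    @threshold = threshold
    @events = []
    @rules = []
    @sample_rate = 100
    @last_analyze = 0
  end

  # Telemetry arrives; the reply carries the rule set as it stands right now.
  def ingest(events, _now)
    @events.concat(events)
    { rules: @rules.dup, sample_rate: @sample_rate }
  end

  # Independent analysis cadence: any IP with >= threshold violations gets a deny rule.
  def tick(now)
    return unless now - @last_analyze >= ANALYZE_INTERVAL
    counts = @events.group_by { |e| e[:ip] }.transform_values(&:size)
    counts.each { |ip, n| @rules |= ["deny #{ip}"] if n >= @threshold }
    @last_analyze = now
  end
end

# Worst-case path: violations land at t=1, just after the t=0 push. The hub's
# analysis at t=10 runs before that push arrives, so the rule is first ready at
# t=20 and reaches the edge with the t=20 push.
def deployment_gap
  hub = Hub.new(threshold: 3)
  edge = Edge.new(hub)
  violation_at = 1
  deployed_at = nil
  (1..40).each do |now|
    3.times { edge.observe("203.0.113.5", at: now) } if now == violation_at   # constructed violation
    hub.tick(now)   # hub analyzes first ...
    edge.tick(now)  # ... then the edge pushes and receives the current rule set
    deployed_at ||= now if edge.rules.include?("deny 203.0.113.5")
  end
  deployed_at - violation_at   # bounded by 2 * PUSH_INTERVAL = 20
end

# How many of n constructed violations reach the hub once the operator sets the toggle.
def sampled_count(rate, n = 100)
  hub = Hub.new
  hub.sample_rate = rate
  edge = Edge.new(hub)
  edge.tick(10)   # first push picks up the operator's sampling toggle
  n.times { |i| edge.observe("198.51.100.#{i % 5}", at: 11) }
  edge.pending_count
end

if __FILE__ == $PROGRAM_NAME
  puts "violation -> rule deployment gap: #{deployment_gap}s"
  [100, 50, 25, 0].each { |r| puts "sample_rate=#{r}%: #{sampled_count(r)} of 100 violations forwarded" }
end
```

Two things the simulation makes concrete. The 20-second bound is the sum of the two 10-second cadences, not a hub processing budget, so shortening either interval shortens the worst case. And adaptive sampling trades hub load for detection: at 25% the hub sees one violation in four, so a threshold-based rule needs four times as many hits from an address before it fires, which is the tradeoff the manual toggle asks the operator to make.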