# Baffle WAF

## Product Positioning

Tagline options:

* "Baffle bots. Calm traffic." (playing on both meanings: confuse + quiet)
* "Confuse bots. Calm infrastructure."
* "Bewilder bots, silence the chaos"

## Target Market

* Solo devs/bootstrapped startups (can't afford $249/mo Wafris/Cloudflare)
* Privacy-conscious/regulated orgs (data sovereignty requirements)
* Self-hosters (infrastructure control enthusiasts)
* Cost-sensitive scale-ups (outgrowing free tiers)

## Business Model (Sidekiq-style)

### Free (fully functional)

* Ruby/Rack edge agent (2-5ms response time)
* Local SQLite rules
* IP blocking, rate limiting, geoblocking
* Manual rule management
* Community support

### Pro ($99-149/mo)

* Go edge agent (performance upgrade)
* SSO / multi-team
* Centralized hub with traffic analytics
* Automated rule generation
* Adaptive sampling (manual 0-100% toggle for hub load management)
* IP reputation feeds
* Priority support

## Key Technical Decisions

Traffic categories:

* Blocked - matched a deny rule
* Allowed - matched an allow rule (fast path for whitelisted IPs/APIs)
* Unmatched - no rule matched, passed through

## OWASP Approach

* Don't try to compete with ModSecurity's full CRS
* Focus on network-layer threats (bots, rate limiting, IP reputation)
* Map to OWASP Top 10 where applicable (A05, A07, partial A01/A03)
* Position as complementary to app-layer security

## Killer Feature: Performance Visibility

Always-on category timing:

* Track latency by rule type (IP checks, rate limits, regex, etc.)
* Show real-time impact in the dashboard
* Let users add rules and immediately see the performance cost
* "The only WAF that shows you exactly what your rules cost"

Why this matters:

* No other WAF does this well
* Solves the "why is my site slow?" blame game
* Empowers users to make informed tradeoffs
* Natural deterrent against kitchen-sink rule sets

## Implementation

* Start with category-level timing (always on, minimal overhead)
* Users can experiment: add rule → watch latency → remove if too expensive
* Can add detailed per-rule profiling later if needed

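The traffic categories from Key Technical Decisions and the always-on category timing from the two sections above, as an added example that is not Baffle's own code: a Ruby class shaped like the Rack edge agent's `call(env)` path (`classify` is what such a middleware would invoke), with the rules in an in-memory Hash standing in for the local SQLite store; the `baffle.now` env key, the CIDRs, paths and limits are all assumed for illustration.

```ruby
require 'ipaddr'
# Added example (not Baffle's own code): an edge-agent classifier shaped like a
# Rack middleware's call(env) path. It sorts requests into :allowed / :blocked /
# :unmatched and times each rule category. Rules are an in-memory Hash (assumption).
class BaffleEdge
  def initialize(rules)
    @allow = rules.fetch(:allow_cidrs, []).map { |c| IPAddr.new(c) }
    @deny  = rules.fetch(:deny_cidrs, []).map { |c| IPAddr.new(c) }
    @path_deny = rules.fetch(:path_deny, [])  # list of Regexp over PATH_INFO
    @rate = rules[:rate_limit]                # { limit:, window_s: } or nil
    @hits = Hash.new { |h, k| h[k] = [] }     # ip => recent hit timestamps
    @timings = Hash.new { |h, k| h[k] = { count: 0, ms: 0.0 } }
  end

  # Allow rules are the fast path: a whitelisted IP skips every later check.
  # 'baffle.now' is an assumed env key so the rate-limit clock can be injected.
  def classify(env)
    ip = IPAddr.new(env.fetch('REMOTE_ADDR'))
    now = env['baffle.now'] || Time.now.to_f
    return :allowed if timed(:ip_allow) { @allow.any? { |c| c.include?(ip) } }
    return :blocked if timed(:ip_deny) { @deny.any? { |c| c.include?(ip) } }
    return :blocked if timed(:rate_limit) { over_rate?(ip.to_s, now) }
    return :blocked if timed(:regex) { @path_deny.any? { |re| re.match?(env['PATH_INFO'].to_s) } }
    :unmatched
  end

  # Mean cost per category in milliseconds: the number the dashboard would show.
  def report
    @timings.transform_values { |t| t[:ms] / t[:count] }
  end

  private

  # Always-on timing: one monotonic clock read before and after each category.
  def timed(category)
    start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_millisecond)
    result = yield
    @timings[category][:count] += 1
    @timings[category][:ms] += Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_millisecond) - start
    result
  end

  # Sliding window: more than +limit+ hits inside +window_s+ seconds is a violation.
  def over_rate?(ip, now)
    return false unless @rate
    window = @hits[ip]
    window.reject! { |t| t <= now - @rate[:window_s] }
    window << now
    window.size > @rate[:limit]
  end
end
```

Calling `report` after a burst of requests gives the per-category mean in milliseconds, so adding a regex rule and watching `:regex` grow is the add rule → watch latency loop from the Implementation notes.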
## Terminology Settled

* Rule pruning - removing inactive rules for performance
* Violation/pattern match - when traffic triggers a rule
* Adaptive sampling - hub telling edges to reduce telemetry load

## Architecture Clarity

Self-hosted only (no SaaS hosting from you):

* Edge agents do forward auth with local SQLite
* Push telemetry to the hub every 10 seconds
* Hub analyzes and pushes rules back
* Max 20-second gap between violation and rule deployment