
How Backport's WAF Blocks Malicious Requests

Backport Team
March 22, 2026

Backport includes a Web Application Firewall (WAF) that inspects every request before it reaches your backend. Here's how it works, what it catches, and how to use it.

How It Works

The WAF uses 17 pre-compiled regex patterns that scan request bodies, paths, and query parameters. When a request matches a known attack pattern, the gateway immediately returns HTTP 403 (Forbidden) and your backend is never touched. The check adds minimal latency — under 1ms per request on average.

By default, WAF is OFF. You can enable it from Dashboard → Settings → Toggle WAF to ON. This gives you control — you can test your traffic first, then enable WAF when ready.

Attack Patterns Detected

The WAF covers 6 categories of web attacks. Here's every pattern we check for:

| Category | Patterns | What It Catches |
|---|---|---|
| SQL Injection | 5 patterns | UNION SELECT, DROP TABLE, OR 1=1, xp_cmdshell, sp_executesql |
| XSS | 4 patterns | <script> tags, onerror handlers, javascript: URIs, <iframe>/<embed> |
| Path Traversal | 2 patterns | ../ directory escapes, /etc/passwd, /proc/self access |
| Command Injection | 3 patterns | Shell metacharacters, subshell execution, backtick injection |
| LDAP Injection | 1 pattern | LDAP filter manipulation syntax |
| XML/XXE | 1 pattern | <!DOCTYPE SYSTEM and <!ENTITY declarations |

Testing It Yourself

We tested the WAF against common attack payloads. Every request below was sent through the proxy with WAF enabled, and all were blocked with HTTP 403:

| Attack | Payload | Result |
|---|---|---|
| SQL Injection | 1 OR 1=1 UNION SELECT * FROM users-- | 403 Blocked |
| XSS | <script>alert(1)</script> | 403 Blocked |
| Path Traversal | ../../../etc/passwd | 403 Blocked |
| Command Injection | ; cat /etc/passwd | 403 Blocked |
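
To make the matching step concrete, here is an added sketch (not Backport's code or rule set) of a pre-compiled regex check over path, query parameters and body. The four patterns, the function names and the sample requests are assumptions constructed for illustration; the last sample is harmless text that still gets a 403, which is why testing your own traffic before enabling a pattern-based WAF matters.

```python
import re
from urllib.parse import parse_qsl, unquote

# Illustrative patterns (assumptions for this sketch, not Backport's rule set).
# Compiled once at import time so each request only pays for matching.
PATTERNS = {
    "sqli": re.compile(r"\bunion\s+(all\s+)?select\b|\bor\s+\d+\s*=\s*\d+", re.I),
    "xss": re.compile(r"<\s*script\b|\bon(error|load)\s*=|javascript\s*:", re.I),
    "cmdi": re.compile(r"[;&|]\s*(cat|sh|bash|curl|wget)\b|\$\(|`", re.I),
    "traversal": re.compile(r"\.\./|/etc/passwd|/proc/self", re.I),
}
# Response body the post documents for blocked requests.
BLOCK_BODY = '{"detail":"WAF Blocked: Malicious payload detected"}'


def inspect_request(path, query="", body=""):
    """Return (status, response_body, rule); 403 on the first pattern hit."""
    # Scan the three places the post names: path, query parameters, body.
    # Percent-decoding before matching is an assumption of this sketch.
    fields = [unquote(path), body]
    for key, value in parse_qsl(query, keep_blank_values=True):
        fields += [key, value]
    for rule, pattern in PATTERNS.items():
        if any(pattern.search(field) for field in fields):
            return 403, BLOCK_BODY, rule
    return 200, None, None


# Constructed requests: the four payloads from the post, one ordinary search,
# and one harmless sentence that still trips the command-injection pattern.
SAMPLES = [
    ("/items", "id=1 OR 1=1 UNION SELECT * FROM users--", ""),
    ("/comments", "", "<script>alert(1)</script>"),
    ("/files/../../../etc/passwd", "", ""),
    ("/ping", "", "host=example.com; cat /etc/passwd"),
    ("/search", "q=firewall+rules", ""),
    ("/notes", "", "Refilled the feeder; cat is happy"),
]


def run_samples():
    """Return (status, rule) for each constructed sample, in order."""
    return [inspect_request(*sample)[::2] for sample in SAMPLES]


if __name__ == "__main__":
    for sample, (status, rule) in zip(SAMPLES, run_samples()):
        print(status, rule, sample)
```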

How to Enable

WAF is toggled from your dashboard settings. Here's how to enable it:

  1. Sign up and log in to your dashboard
  2. Go to Dashboard → Settings
  3. Toggle "WAF Enabled" to ON
  4. Save settings

Once enabled, every request through your proxy will be checked against all 17 patterns. Blocked requests return HTTP 403 with the response body {"detail":"WAF Blocked: Malicious payload detected"}.

Important: The WAF is a first line of defense. It catches common attack patterns, but it's not a replacement for secure coding practices. Always validate and sanitize inputs at your application layer.

Try It Yourself

Sign up, enable WAF, and test against your own payloads. Free plan includes full WAF protection.
