Home / Kong Gateway
Edit
Report

Kong Gateway WAF capabilities

Request filtering, validation, and abuse controls delivered through Kong Gateway
Gateway Documentation

WAF plugins

Kong Gateway can act as a front door for your applications by enforcing authentication and authorization, applying rate limits, restricting abusive sources, and validating requests before they reach upstream services.

SQL injection protection

Detect and block SQL injection and other code injection patterns before they reach your upstream services.

Configure SQL injection protection

Brute force protection

Protect against credential stuffing, password spraying, and brute force attacks targeting Basic Authentication endpoints.

Configure Basic Auth brute force protection

XSS and JavaScript injection protection

Detect and block cross-site scripting (XSS) and JavaScript injection patterns in incoming requests.

Configure Javascript injection protection

Form field manipulation protection

Validate body schemas for application/json using Kong Gateway schema or JSON Schema Draft validators.

Configure Bot Detection

IP allow and deny lists

Control access with allow and deny lists of IPs and CIDR blocks, configurable at multiple scopes.

Configure IP Restriction

XML and JSON threat protection

Configure an XML or JSON threat protection policy to catch requests that exceed configured limits.

Configure XML Threat Protection Configure JSON Threat Protection

Rate limiting traffic

Apply rate limiting rules on incoming traffic.

Configure request throttling

Request size limits

Block incoming requests where the body is greater than a specific size.

Configure Request Size Limiting

Response Transformer

Transform the response sent by the upstream server on the fly before returning it to the client.

Configure Response Transformer

WAF for Dedicated Cloud Gateways

You can use a Web Application Firewall (WAF) in front of your Dedicated Cloud Gateway as a first-line defense that filters and blocks malicious traffic before it reaches Kong Gateway. A WAF provides Layer 7 protection for HTTP(S) traffic and helps protect APIs against:

  • OWASP Top 10 vulnerabilities
  • Malicious bot traffic
  • IP reputation threats
  • Rate-based abuse
  • Geo-based access restrictions

Public network WAF

Learn how to secure your public Dedicated Cloud Gateway with WAF.

Configure public network WAF

Private network WAF

Learn how to secure your private Dedicated Cloud Gateway with WAF.

Configure private network WAF
Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support