First Impressions of SafeLine: The Most Starred Open-Source WAF on GitHub

Recently, I decided to set up a blog for my team to store and share our learning notes. Since the server will be publicly accessible, it’s crucial to implement some security measures to prevent the site from being compromised and turned into a botnet node.

Here’s what I needed:
Zero cost, Effective protection, Ease of use

Given these criteria, an open-source WAF seemed like the perfect fit. After researching various options, I settled on SafeLine Community Edition.

Why SafeLine?

SafeLine is a rising star in the open-source WAF space. In just a year since its release, it has surpassed the long-standing leader ModSecurity, boasting over 11.7k stars on GitHub, making it the most popular WAF on the platform.

So, what makes SafeLine so popular? The consensus from users and official documentation can be summed up in five words: “Simple and easy to use.”

What Makes It So Good?

SafeLine Community Edition is a streamlined version of the enterprise-grade SafeLine Web Application Firewall developed by Chaitin Tech. Its core detection capabilities are powered by Chaitin’s pioneering intelligent semantic analysis algorithm. Compared to traditional regex-based methods, this algorithm offers better detection rates, fewer false positives, and higher accuracy, all while consuming significantly less processing time.

Installation and Usage

1. Installation

SafeLine makes it incredibly easy to get started with a one-click installation feature. As long as Docker is installed on your system, deploying SafeLine is a breeze.

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

For detailed installation instructions, you can refer to the official documentation: Install SafeLine.

2. Usage

• Login: The login process is straightforward, so I won’t go into details here.

• Feature Overview:

  • Data Statistics: The dashboard is clean and intuitive, offering a clear overview of your traffic and security status.

• Attack Events: When your server receives potentially harmful requests, SafeLine evaluates them based on the configured protection level to decide whether to block them.

• Protected Sites: SafeLine operates as a reverse proxy, filtering and forwarding every packet of data sent to your server.

Feature Testing (Website Protection)

I conducted some basic tests to evaluate SafeLine’s website protection capabilities:

• Directory Scanning Test: When a client requests sensitive files from the server, SafeLine intercepts the request. Even if the request doesn’t reach the blocking threshold, it’s logged as an attack event for future warnings.

• SQL Injection Test: I used sqlmap to test SQL injection at different protection levels:
  • Observation Mode: SQL injection was easily executed, and SafeLine provided warnings but allowed the requests to pass.

• Balanced Protection: SQL injection was partially blocked. The requests were intercepted based on the User-Agent header triggering keywords, but bypassing this was possible with header spoofing.

• High-Intensity Protection: Most SQL injection attempts were blocked, though some still succeeded. Manual injections weren’t blocked but were logged as warnings. This is more an issue with the test environment—a low-security CTF setup—than with SafeLine itself. In a real-world scenario, SafeLine combined with proper front-end and back-end validation should provide solid protection.

• File Upload Test: I tested file upload detection at both balanced and high-intensity protection levels. SafeLine detected PHP backdoor files but didn’t block them (perhaps because they were too basic?).

• RCE Test: Remote Code Execution (RCE) attempts were detected but not blocked, similar to the file upload test.

Conclusion

While a WAF like SafeLine is a crucial layer of defense for website security, it shouldn’t be the only measure. Personal security awareness is also essential. During development, you should pay special attention to securing critical endpoints like SQL queries, file uploads, and remote command execution to minimize the risk of exploitation.

In conclusion, though this review was a bit rushed, it’s clear that SafeLine Community Edition is a powerful and user-friendly WAF.