Protecting web applications from malicious bots is one thing; proving it works in production is another. In this case study, we demonstrate how SafeLine WAF defended a real application from bot attacks, showing before-and-after traffic patterns and highlighting actionable insights for developers.
Why Bot Defense Matters
Bots today can:
- Scrape sensitive data
- Perform credential stuffing
- Spam APIs and forms
- Overload servers, causing downtime
Simple rate limiting or IP blocks are often insufficient, as modern bots rotate IPs, mimic human behavior, and bypass naive filters.
Test Environment
- Server: 4-core / 8GB RAM VPS
- Web app: Single-page app + API endpoints
- WAF: SafeLine Pro, self-hosted
- Traffic: Internal bot simulation + real attack traffic
SafeLine WAF allows configuration of Bot Protect, custom rules, and challenge pages (JS/CAPTCHA).
# Enable Bot Protect
docker exec -it safeline-cli set-feature bot-protect true
# Check blocked requests
tail -f /data/safeline/logs/nginx/safeline/access.log | grep "bot"
Attack Scenario: Credential Stuffing
Before SafeLine:
- ~1,200 login requests/min from suspicious IPs
- Server CPU spiked
- Legitimate users experienced slow responses
Access log snippet:
POST /api/login HTTP/1.1 200 512 "Dart/3.7"
POST /api/login HTTP/1.1 401 48 "Mozilla/5.0"
POST /api/login HTTP/1.1 401 52 "Dart/3.7"
Pattern: repeated login attempts from the same IPs.
Implementing Bot Defense
- Enable Bot Protect and anti-bot challenge (JS/CAPTCHA)
- Whitelist legitimate domains
- Apply custom rate-limits on sensitive endpoints (/api/login)
# Rate-limit example: 5 reqs/sec for /api/login
docker exec -it safeline-cli set-rule /api/login rate-limit 5
After SafeLine Deployment
Blocked bot requests:
POST /api/login HTTP/1.1 403 64 "Dart/3.7"
POST /api/login HTTP/1.1 403 64 "Dart/3.7"
Improvements:
- Legitimate users unaffected
- CPU usage normalized
- Logs provide visibility into attack sources
Traffic comparison:
- Before WAF: 80% bot traffic during peak attack
- After WAF: 3% bot traffic
Lessons Learned
- Bot patterns are predictable with proper log monitoring
- Self-hosted WAF allows granular control per endpoint
- JS/CAPTCHA challenges outperform simple IP blocks
- Regular log review is crucial for tuning rules
Developer Takeaways
- SafeLine WAF is effective for bot-heavy apps
- Real traffic comparison shows measurable impact
- Easy integration with CI/CD pipelines
- Logs and dashboards make anomaly detection straightforward
Conclusion
Bot attacks are inevitable, but you can stop them in real-time without affecting legitimate users. SafeLine WAF provides visibility, control, and protection against modern threats.
Consider self-hosted WAF deployment for critical endpoints of your web apps.
SafeLine Resources:
- Website: https://ly.safepoint.cloud/ShZAy9x
- Live Demo: https://demo.waf.chaitin.com:9443/statistics
- Discord: https://discord.gg/dy3JT7dkmY
- Documentation: https://docs.waf.chaitin.com/en/home
- GitHub: https://github.com/chaitin/SafeLine
Top comments (0)