Security
Servet Arslan edited this page Jun 5, 2026 · 1 revision
HookSniff implements 11 security layers that run on every request:
- Adaptive EWMA baseline (learns normal traffic patterns)
- IP rate limit: 500-5000 req/min (scales with traffic)
- Global rate limit: 10x IP limit
- Redis-backed with in-memory fallback
- 33+ scanner path patterns
- 25+ known bot UA patterns
- Path normalization (trailing slash, double encoding)
- Behavioral analysis (timing, volume, pattern)
- Exact IP + CIDR range support (e.g., 192.168.1.0/24)
- Auto-refresh every 60 seconds
- Admin users exempt
- SQL Injection: 25+ patterns with recursive URL/HTML/Unicode decode
- XSS: 25+ patterns including event handlers, DOM manipulation
- SSRF: Cloud metadata, internal IPs, dangerous protocols
- Command Injection: Shell commands, pipes, backticks
- Path Traversal: Unix/Windows system files, encoded variants
- Every request verified: account active, IP reputation, risk score
- Admin users bypass (verified by auth)
- DELETE/PUT operations require lower risk threshold
- 5+ failed logins (same email, 15 min) → High alert
- 10+ failed logins (same IP) → Auto-block
- 5+ different emails (same IP) → Credential stuffing detection
- Security events auto-resolved by type and severity
- Scanner events: 6 hours
- Low severity: 24 hours
- Critical: 30 days
- Duplicate grouping (same IP + type → keep newest)
- Blocked IP events auto-resolved
- JWT token holders bypass rate limiting
- Admin users never blocked by threat detection
- Zero Trust returns risk_score=0 for admins
- unsafe-eval removed
- unsafe-inline removed for scripts
- Frame-ancestors: none
- Strict transport security: max-age=31536000
- All inputs sanitized before processing
- SSRF protection on webhook URLs
- Payload size limit: 1MB
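The three failed-login rules listed above (5+ failures for the same email within 15 minutes, 10+ failures from the same IP, 5+ different emails from the same IP), evaluated over a constructed login log as an added example; this is not HookSniff's own code, and the log line format, function names and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)    # thresholds below are the ones stated on this page
EMAIL_FAILS_HIGH_ALERT = 5        # 5+ failures for the same email inside the window
IP_FAILS_AUTO_BLOCK = 10          # 10+ failures from the same IP inside the window
IP_DISTINCT_EMAILS_STUFFING = 5   # 5+ different emails from the same IP inside the window

def parse_event(line):
    """Parse one constructed log line: '<iso-ts> login_failed ip=<ip> email=<email>' (assumed format)."""
    ts, status, ip_kv, email_kv = line.split()
    return datetime.fromisoformat(ts), status, ip_kv.split("=", 1)[1], email_kv.split("=", 1)[1]

def evaluate(lines):
    """Sliding-window evaluation of the three failed-login rules; returns the triggered sets."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    by_email, by_ip = defaultdict(list), defaultdict(list)
    hits = {"high_alert_emails": set(), "auto_block_ips": set(), "credential_stuffing_ips": set()}
    for ts, status, ip, email in events:
        if status != "login_failed":
            continue                      # only failures feed these counters
        # keep only entries inside the 15-minute window ending at this event, then add it
        by_email[email] = [t for t in by_email[email] if ts - t <= WINDOW] + [ts]
        by_ip[ip] = [(t, e) for t, e in by_ip[ip] if ts - t <= WINDOW] + [(ts, email)]
        if len(by_email[email]) >= EMAIL_FAILS_HIGH_ALERT:
            hits["high_alert_emails"].add(email)
        if len(by_ip[ip]) >= IP_FAILS_AUTO_BLOCK:
            hits["auto_block_ips"].add(ip)
        if len({e for _, e in by_ip[ip]}) >= IP_DISTINCT_EMAILS_STUFFING:
            hits["credential_stuffing_ips"].add(ip)
    return hits

def _fail(ts, ip, email):
    return f"{ts.isoformat()} login_failed ip={ip} email={email}"

_t = datetime(2026, 6, 5, 10, 0, 0)
# Constructed sample log (not real traffic), using documentation IP ranges:
SAMPLE_LOG = (
    # alice: 1 stale failure plus 4 recent ones -> only 4 inside the window, no alert
    [_fail(_t - timedelta(minutes=30), "198.51.100.4", "alice@example.com")]
    + [_fail(_t + timedelta(minutes=i), "198.51.100.4", "alice@example.com") for i in range(4)]
    # carol: 5 failures in 5 minutes -> high alert for carol (the IP has 9 in the window, no block)
    + [_fail(_t + timedelta(minutes=10 + i), "198.51.100.4", "carol@example.com") for i in range(5)]
    # one IP trying 6 different accounts once each -> credential stuffing, but not auto-block
    + [_fail(_t + timedelta(minutes=20 + i), "203.0.113.7", f"user{i}@example.com") for i in range(6)]
    # one IP hammering bob 10 times in 10 seconds -> bob high alert and the IP auto-blocked
    + [_fail(_t + timedelta(minutes=30, seconds=i), "192.0.2.9", "bob@example.com") for i in range(10)]
)
```

Calling `evaluate(SAMPLE_LOG)` flags carol and bob for high alert, blocks 192.0.2.9 and marks 203.0.113.7 as credential stuffing, while alice's stale failure stays outside the window.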