Self-build WAF

If you are interested in building your own Web Application Firewall (WAF) by leveraging the public APIs of the Shieldon library, you can create a system similar to Shieldon Firewall.

Here's an example showing how Shieldon operates. Use it as a guide for integrating Shieldon manually into your web application.

Lifecycle Diagram

Below is a diagram illustrating the Shieldon instance lifecycle. You don’t need to comprehend everything right now, but as you aim to customize your own components, CAPTCHA modules, and more, it will serve as a useful reference.

[Figure: Shieldon instance lifecycle diagram]


1. Initialize Shieldon instance.

$kernel = new \Shieldon\Firewall\Kernel();

2. Set up a data driver.

In this example, SQLite is used as the data driver.

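// APPPATH is your application's base path constant (define it if your framework does not).
$dbLocation = APPPATH . 'cache/shieldon.sqlite3';
$pdoInstance = new \PDO('sqlite:' . $dbLocation);

// Register the SQLite driver with the kernel.
$kernel->setDriver(new \Shieldon\Firewall\Driver\SqliteDriver($pdoInstance));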

3. Set up the components.

Shieldon components are rule sets for permanently allowing or denying sessions.

In this example, the TrustedBot component is loaded to allow popular search engines, so that their bots skip the checking process, that is, the subsequent components and filters.

$kernel->setComponent(new \Shieldon\Firewall\Component\TrustedBot());

4. Set up a channel. (optional)

If you are only using one Shieldon kernel instance on your web application, you can ignore this setting. The channel simply acts as the prefix for the names of the data tables.


5. Limit the online session number. (optional)

This setting allows only 10 sessions to view the current page. The default expiration time is 300 seconds.

$kernel->limitSession(10, 300);

6. Load the Captcha modules.

You can set a Captcha service, for example, Google reCAPTCHA. Replace the key and secret shown here with the values issued for your own site.

$kernel->setCaptcha(
    new \Shieldon\Firewall\Captcha\Recaptcha([
        'key' => '6LfkOaUUAAAAAH-AlTz3hRQ25SK8kZKb2hDRSwz9',
        'secret' => '6LfkOaUUAAAAAJddZ6k-1j4hZC1rOqYZ9gLm0WQh',
    ])
);

7. Begin protecting your website.

$result = $kernel->run();

if ($result !== $kernel::RESPONSE_ALLOW) {
    if ($kernel->captchaResponse()) {
        // Unban current session.
        $kernel->unban();
    }

    $response = $kernel->respond();

    if ($response->getStatusCode() !== 200) {
        // Send the firewall's response to the client.
        $httpResolver = new \Shieldon\Firewall\HttpResolver();
        $httpResolver($response);
    }
}

And that's all.
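
To make step 5 concrete, here is a simplified model of what an online-session limit such as `limitSession(10, 300)` does. It is an added illustration, not Shieldon's code: the `SessionLimiter` class, the session names and the timestamps are constructed for the example. It assumes sessions are served in arrival order and expire after the given period of inactivity.

```php
<?php
declare(strict_types=1);

// Hypothetical model of an online-session limit; not Shieldon's implementation.
final class SessionLimiter
{
    /** @var array<string,int> session ID => last-seen Unix time, in arrival order */
    private array $sessions = [];

    public function __construct(private int $limit, private int $period)
    {
    }

    /** Record a request; return the session's 0-based place in arrival order. */
    public function touch(string $sessionId, int $now): int
    {
        // Drop sessions that have been idle longer than the expiration period.
        foreach ($this->sessions as $id => $lastSeen) {
            if ($now - $lastSeen > $this->period) {
                unset($this->sessions[$id]);
            }
        }
        // An existing key keeps its place; a new key is appended at the end.
        $this->sessions[$sessionId] = $now;

        // PHP turns numeric-string keys into ints, so compare as strings.
        $order = array_map('strval', array_keys($this->sessions));

        return (int) array_search($sessionId, $order, true);
    }

    /** Only the first $limit sessions in arrival order may view the page. */
    public function isAllowed(string $sessionId, int $now): bool
    {
        return $this->touch($sessionId, $now) < $this->limit;
    }
}

// Constructed scenario: limit of 2 sessions, 300-second expiration.
$limiter = new SessionLimiter(2, 300);
$t = 1700000000; // constructed timestamp

$requests = [['alice', 0], ['bob', 10], ['carol', 20], ['bob', 200], ['carol', 301]];
foreach ($requests as [$id, $offset]) {
    $verdict = $limiter->isAllowed($id, $t + $offset) ? 'allowed' : 'waiting';
    printf("t+%3d  %-5s  %s\n", $offset, $id, $verdict);
}
```

The model requires PHP 8.0 or later because it uses constructor property promotion.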