api-firewall
API Firewall is an open-source, high-performance reverse proxy that validates REST and GraphQL API traffic against OpenAPI and GraphQL schemas. It operates in blocking or monitoring modes to prevent malicious requests, data breaches via malformed responses, and discover undocumented shadow APIs.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | wallarm/api-firewall |
| Owner | wallarm |
| Primary language | Go |
| License | MPL-2.0 — OSI-approved |
| Stars | 652 |
| Forks | 61 |
| Open issues | 3 |
| Latest release | v0.9.6 (2026-04-03) |
| Last updated | 2026-04-03 |
| Source | https://github.com/wallarm/api-firewall |
What api-firewall is
Written in Go using fasthttp, API Firewall validates requests/responses against OpenAPI 3.0 or GraphQL schemas with a positive security model, supporting multiple content types (JSON, XML, YAML, form data, etc.), JWT validation, token denylist, ModSecurity rules, and offering PROXY, API, and GraphQL operating modes with reported 66% lower latency than NGINX.
Get the api-firewall source
Clone the repository and explore it locally.
git clone https://github.com/wallarm/api-firewall.gitcd api-firewall# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Maintain OpenAPI/GraphQL schema synchronization with actual API; schema drift will cause legitimate traffic to be blocked or shadow endpoints to be undetected.
- Choose operating mode carefully: PROXY mode adds latency (though claimed minimal), API mode is lighter but requires client-side integration, GraphQL mode is separate.
- Plan for monitoring/logging infrastructure; firewall generates logs for blocked requests and shadow APIs that require analysis and incident response.
- Test extensively in monitoring mode before switching to blocking mode to avoid production outages from overly strict validation rules.
- Consider token management: denylist management for compromised keys and JWT validation require operational processes to stay current.
When to avoid it — and what to weigh
- No API Specification Available — The tool requires a well-maintained OpenAPI 3.0 or GraphQL schema to function; if your API lacks formal documentation or specs are outdated, effectiveness diminishes significantly.
- Non-HTTP or Proprietary Protocols — API Firewall is designed for REST/GraphQL; it does not handle gRPC, AMQP, or other non-HTTP protocols out of the box.
- Complex, Undocumented Legacy APIs — If your API has highly irregular patterns, frequent schema violations by design, or lacks formal specification, maintaining validation rules becomes operationally burdensome.
- Strict Backward Compatibility Requirements — Running in blocking mode can break older clients that send requests slightly outside the schema; migration and testing overhead may be substantial.
License & commercial use
Released under Mozilla Public License 2.0 (MPL-2.0), a copyleft license requiring derivative works and modifications to be distributed under the same license.
MPL-2.0 permits commercial use of unmodified binaries without restriction. However, if you modify the source code and distribute it, you must release modifications under MPL-2.0. Consult legal counsel before embedding in proprietary products; the copyleft obligation may require source disclosure for internal deployments depending on your distribution model.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
API Firewall operates as a positive security enforcement layer, validating schema compliance to block malicious or malformed payloads. Effectiveness depends entirely on schema correctness and comprehensiveness; incomplete or inaccurate specs bypass protection. JWT validation, token denylist, and IP allowlisting reduce attack surface, but the tool does not replace layer-7 WAF capabilities (ModSecurity rules help offset this). TLS termination, token revocation processes, and logging retention policies must be configured separately. No security audit or CVE history visible in provided data.
Alternatives to consider
Kong / Kong Enterprise
Mature API Gateway with plugin ecosystem, request/response transformation, and rate-limiting; offers free and commercial tiers. More feature-rich but heavier weight than API Firewall; targets broader use cases beyond validation.
Tyk
Open-source and commercial API Gateway with schema validation, OAuth/JWT support, and rate-limiting. Similar deployment model (Docker/Kubernetes) but includes additional analytics and developer portal features.
AWS API Gateway + WAF / Azure API Management
Cloud-native alternatives with built-in WAF, schema validation (AWS), request throttling, and managed scaling. Avoid if you need vendor independence or on-premise deployment; higher operational abstraction but vendor lock-in.
Build on api-firewall with DEV.co software developers
Our engineers can help you integrate schema validation, set up monitoring-to-blocking transitions, and design token management workflows. Let's discuss your API security posture.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
api-firewall FAQ
Does API Firewall replace a traditional WAF?
What happens to requests that don't match the schema?
How often must the API specification be updated?
Can I use API Firewall with GraphQL and REST simultaneously?
Custom software development services
Adopting api-firewall is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Ready to Deploy API Firewall?
Our engineers can help you integrate schema validation, set up monitoring-to-blocking transitions, and design token management workflows. Let's discuss your API security posture.