DEV.co
Open-Source Security · wallarm

api-firewall

API Firewall is an open-source, high-performance reverse proxy that validates REST and GraphQL API traffic against OpenAPI and GraphQL schemas. It operates in blocking or monitoring modes to prevent malicious requests, data breaches via malformed responses, and discover undocumented shadow APIs.

Source: GitHub — github.com/wallarm/api-firewall
652
GitHub stars
61
Forks
Go
Primary language
MPL-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorywallarm/api-firewall
Ownerwallarm
Primary languageGo
LicenseMPL-2.0 — OSI-approved
Stars652
Forks61
Open issues3
Latest releasev0.9.6 (2026-04-03)
Last updated2026-04-03
Sourcehttps://github.com/wallarm/api-firewall

What api-firewall is

Written in Go using fasthttp, API Firewall validates requests/responses against OpenAPI 3.0 or GraphQL schemas with a positive security model, supporting multiple content types (JSON, XML, YAML, form data, etc.), JWT validation, token denylist, ModSecurity rules, and offering PROXY, API, and GraphQL operating modes with reported 66% lower latency than NGINX.

Quickstart

Get the api-firewall source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/wallarm/api-firewall.gitcd api-firewall# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

API Security Hardening in Cloud-Native Environments

Protect REST and GraphQL endpoints by enforcing strict request/response validation against defined API specifications, blocking malformed or unexpected traffic in containerized and Kubernetes deployments.

Shadow API and Endpoint Discovery

Run in monitoring mode to log undocumented API endpoints not covered in the specification, enabling teams to identify and remediate rogue or legacy endpoints.

Data Breach Prevention via Response Validation

Intercept and block malformed API responses before they reach clients, preventing sensitive data leakage and enforcing compliance with API contracts.

Implementation considerations

  • Maintain OpenAPI/GraphQL schema synchronization with actual API; schema drift will cause legitimate traffic to be blocked or shadow endpoints to be undetected.
  • Choose operating mode carefully: PROXY mode adds latency (though claimed minimal), API mode is lighter but requires client-side integration, GraphQL mode is separate.
  • Plan for monitoring/logging infrastructure; firewall generates logs for blocked requests and shadow APIs that require analysis and incident response.
  • Test extensively in monitoring mode before switching to blocking mode to avoid production outages from overly strict validation rules.
  • Consider token management: denylist management for compromised keys and JWT validation require operational processes to stay current.

When to avoid it — and what to weigh

  • No API Specification Available — The tool requires a well-maintained OpenAPI 3.0 or GraphQL schema to function; if your API lacks formal documentation or specs are outdated, effectiveness diminishes significantly.
  • Non-HTTP or Proprietary Protocols — API Firewall is designed for REST/GraphQL; it does not handle gRPC, AMQP, or other non-HTTP protocols out of the box.
  • Complex, Undocumented Legacy APIs — If your API has highly irregular patterns, frequent schema violations by design, or lacks formal specification, maintaining validation rules becomes operationally burdensome.
  • Strict Backward Compatibility Requirements — Running in blocking mode can break older clients that send requests slightly outside the schema; migration and testing overhead may be substantial.

License & commercial use

Released under Mozilla Public License 2.0 (MPL-2.0), a copyleft license requiring derivative works and modifications to be distributed under the same license.

MPL-2.0 permits commercial use of unmodified binaries without restriction. However, if you modify the source code and distribute it, you must release modifications under MPL-2.0. Consult legal counsel before embedding in proprietary products; the copyleft obligation may require source disclosure for internal deployments depending on your distribution model.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

API Firewall operates as a positive security enforcement layer, validating schema compliance to block malicious or malformed payloads. Effectiveness depends entirely on schema correctness and comprehensiveness; incomplete or inaccurate specs bypass protection. JWT validation, token denylist, and IP allowlisting reduce attack surface, but the tool does not replace layer-7 WAF capabilities (ModSecurity rules help offset this). TLS termination, token revocation processes, and logging retention policies must be configured separately. No security audit or CVE history visible in provided data.

Alternatives to consider

Kong / Kong Enterprise

Mature API Gateway with plugin ecosystem, request/response transformation, and rate-limiting; offers free and commercial tiers. More feature-rich but heavier weight than API Firewall; targets broader use cases beyond validation.

Tyk

Open-source and commercial API Gateway with schema validation, OAuth/JWT support, and rate-limiting. Similar deployment model (Docker/Kubernetes) but includes additional analytics and developer portal features.

AWS API Gateway + WAF / Azure API Management

Cloud-native alternatives with built-in WAF, schema validation (AWS), request throttling, and managed scaling. Avoid if you need vendor independence or on-premise deployment; higher operational abstraction but vendor lock-in.

Software development agency

Build on api-firewall with DEV.co software developers

Our engineers can help you integrate schema validation, set up monitoring-to-blocking transitions, and design token management workflows. Let's discuss your API security posture.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

api-firewall FAQ

Does API Firewall replace a traditional WAF?
Partially. It provides positive security through schema validation (blocking non-conforming requests) and response validation, but lacks pattern-matching and anomaly detection typical of layer-7 WAFs. It does support ModSecurity rules for broader attack detection; consider layering with a WAF for maximum defense.
What happens to requests that don't match the schema?
In PROXY mode (monitoring): requests are logged and proxied; in blocking mode: requests are rejected. In API mode, validation results are returned to the caller. Shadow API endpoints (undocumented but responding) are logged in monitoring mode.
How often must the API specification be updated?
Every time the actual API contract changes. Schema drift (spec vs. reality) causes legitimate traffic to be blocked or protections to be ineffective. Integrate schema validation into your API CI/CD pipeline and update the firewall specification alongside API deployments.
Can I use API Firewall with GraphQL and REST simultaneously?
Not in a single instance. API Firewall offers separate modes for REST (PROXY/API) and GraphQL. You will need separate deployments or a routing layer to handle both protocol types.

Custom software development services

Adopting api-firewall is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Ready to Deploy API Firewall?

Our engineers can help you integrate schema validation, set up monitoring-to-blocking transitions, and design token management workflows. Let's discuss your API security posture.