Security
Multi-layer security architecture.
CloShield combines Cloudflare's global network with intelligent L7 protection to create a defense-in-depth model that covers every layer of the stack.
Defense in depth
Two layers working together
Every domain is protected by both Cloudflare and CloShield, each handling what it does best.
Layer 1: Cloudflare (Network Edge)
Cloudflare's free tier provides the first line of defense at the network level.
- L3/L4 DDoS absorption (SYN floods, UDP amplification)
- Global anycast network (300+ PoPs worldwide)
- Free SSL/TLS termination
- Static asset CDN and caching
- Basic managed WAF rules
Layer 2: CloShield (Application Edge)
CloShield adds the intelligent L7 layer that Cloudflare's free tier does not provide.
- Adaptive challenge system (Cookie → JS → CAPTCHA → Block)
- Three-tier rate limiting (per-IP, per-challenge-failure, per-fingerprint)
- Expression-based custom firewall rules (gofilter)
- TLS fingerprinting with known/bot/forbidden databases
- Real-time traffic analytics and email attack alerts
Architecture
How traffic flows through the protection stack
Every request passes through multiple security checkpoints before reaching your origin server.
Edge security
Built with security at every layer
From edge protection to platform security, every component is designed with defense in mind.
Adaptive Challenge System
Four-stage challenge escalation that adapts in real time to traffic conditions. Transparent to legitimate users, effective against bots and attack traffic.
Multi-Layer Rate Limiting
Three sliding-window rate limiters: per-IP request count, per-IP challenge failures, and per-unknown-fingerprint throttling. Configurable thresholds and 10-second bucket aggregation.
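To make the bucket aggregation concrete, here is a sketch of one sliding-window limiter that counts events in 10-second buckets. It is an added example, not CloShield's code: the names `Limiter`, `NewLimiter` and `Allow`, the 60-second window and the limit of 3 are all assumptions, and the type is not safe for concurrent use.

```go
package main

import (
	"fmt"
	"time"
)

const bucketWidth = 10 * time.Second // aggregation granularity named on the page

// Limiter is one sliding-window counter, keyed by IP or fingerprint (hypothetical type).
type Limiter struct {
	n     int64                    // buckets per window
	limit int                      // events allowed per window
	hits  map[string]map[int64]int // key -> bucket index -> count
}

func NewLimiter(span time.Duration, limit int) *Limiter {
	return &Limiter{n: int64(span / bucketWidth), limit: limit, hits: map[string]map[int64]int{}}
}

// Allow counts one event for key at time now unless the window is already full.
func (l *Limiter) Allow(key string, now time.Time) bool {
	idx := now.Unix() / int64(bucketWidth/time.Second)
	b := l.hits[key]
	if b == nil {
		b = map[int64]int{}
		l.hits[key] = b
	}
	total := 0
	for i, c := range b {
		if i <= idx-l.n {
			delete(b, i) // bucket aged out of the window
			continue
		}
		total += c
	}
	if total >= l.limit {
		return false // rejected events are not counted (a choice made for this example)
	}
	b[idx]++
	return true
}

func main() {
	perIP := NewLimiter(60*time.Second, 3) // constructed threshold, not a product default
	t0 := time.Unix(1700000000, 0)
	for _, s := range []int{0, 1, 2, 5, 50, 60} {
		fmt.Println(s, perIP.Allow("203.0.113.7", t0.Add(time.Duration(s)*time.Second)))
	}
}
```

Because expiry happens a whole bucket at a time, a burst stays counted for between 50 and 60 seconds here, depending on where in its bucket it arrived. Separate instances keyed by IP, by IP for challenge failures, and by fingerprint would give the three tiers listed above.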
Custom Firewall Rules
Expression-based rules engine that matches on IP, country, ASN, path, headers, and more. Build exact security logic for your application.
TLS & Browser Fingerprinting
TLS cipher suite analysis (JA3-style) with known, bot, and forbidden fingerprint databases. JavaScript environment probing via performance.memory and navigator.plugins checks.
Account Security
Two-factor authentication (TOTP), bcrypt password hashing, session management with auto-expiry, and account lockout after failed attempts.
Encryption at Rest
All sensitive data (API tokens, 2FA secrets, SMTP credentials) encrypted with AES-256-GCM. Session tokens stored as SHA-256 hashes.
Compliance
Security controls that satisfy auditors
CloShield is built with enterprise security standards in mind from the ground up.
Data Encryption
AES-256-GCM for all sensitive fields. TLS 1.2+ for all connections in transit.
Access Control
Role-based access: admin vs user. Session tokens with configurable expiry. TOTP-based 2FA.
Audit Logging
Every action logged with actor, timestamp, IP, and metadata. Immutable audit trail for compliance.
Data Minimization
Only essential data stored. Traffic logs with configurable retention periods. Soft-delete for domains.
Infrastructure
Self-hosted, containerized, and transparent
CloShield runs on your own infrastructure. No data leaves your servers — you control where it runs, how it scales, and who has access.
Operational security
Full audit trail and operational transparency
Every action — from configuration changes to admin operations — is recorded with timestamps, actor details, and metadata. Your security team can trace exactly what changed and when.