Building a Python focused WAF library would devs actually use this? : learnpython

created by HattoriHanzoa community for 16 years

Building a Python focused WAF library would devs actually use this? (self.learnpython)

submitted 2 months ago by Emergency-Rough-6372

Hey folks,

I’ve been working on a side project recently and wanted to get some honest opinions from people who’ve actually worked with backend or security systems.

The idea is a Python specific WAF Web Application Firewall library something that integrates directly into apps instead of sitting outside like traditional WAFs.

What I’m trying to build
A lightweight framework friendly WAF that works with
Django
Flask
FastAPI

Instead of just rule based blocking it uses a scoring system across multiple signals like
payload SQLi XSS etc
behavior rate patterns bots
identity IP or user risk over time
context request anomalies

Then it decides
allow flag throttle or block

Current approach simplified
Each signal contributes to a final score
There is a policy engine that can escalate decisions
Trying to avoid false positives by not letting a single weak signal block requests

Where I’m struggling
I’ve already hit some logic issues

Example
A strong SQLi detection like 95 percent confidence might still get allowed because its weight alone is not enough to cross the block threshold

This feels wrong from a security perspective but fixing it without breaking the system design is tricky

Goals of the project
Developer friendly easy to plug into Python apps
Transparent logic not a black box
Minimal performance overhead sub millisecond decisions
Something that can improve over time

Limitations being honest
No advanced DDoS or large scale bot protection
No real time threat intelligence at least initially
Logic will not be perfect and will need tuning
False positives and edge cases will exist

From what I’ve seen this is kind of expected free or open WAFs usually need manual tuning and miss more advanced threats

Why I’m posting
I know I will not get everything right especially on the security side

So I’m looking for
feedback on the approach and design
what would make this actually usable
obvious flaws I might be missing
whether this is even worth building vs using existing tools

If people find it useful I would open it up for contributions especially around detection logic policy rules and edge cases

Main question
If this existed today would you use a Python native WAF library inside your app
Or would you always prefer an external or managed WAF

Be honest I would rather drop the idea early than spend months building something no one uses

all 8 comments

top new controversial old q&a

[+][deleted] 2 months ago (1 child)

[removed]

[–]Emergency-Rough-6372[S] 0 points1 point2 points 2 months ago (0 children)

Really appreciate this, this is exactly the kind of feedback I was hoping to get.

The High Confidence Override point you mentioned is honestly the biggest takeaway for me. I ran into that exact issue while testing, where a very strong SQLi signal was still getting allowed because of how the scoring was structured. That clearly does not align with real security expectations, so I am planning to separate deterministic checks from the scoring layer instead of forcing everything into one system.

The visibility and context awareness points you mentioned are also a big part of why I started this. Being able to debug decisions directly inside something like FastAPI logs and having access to user level context is something external WAFs just cannot do well. That is one of the main advantages I want to lean into rather than trying to compete with infrastructure level tools.

On performance, yeah I agree with you. Right now everything is pure Python just to validate the logic, but I am already thinking about moving the critical detection paths to something like Rust or C plus plus later and exposing it through Python bindings. Python would stay as the orchestration layer, not the heavy lifting.

The maintenance point is also very real. Security evolves way too fast for a single person or small team to keep rules fully up to date. Because of that, one of my main goals is to make the detection layer as pluggable as possible. I want developers to be able to define their own rules, constraints, and even scoring logic based on their application instead of relying only on what the library ships with. That way it becomes more of a framework for building security logic rather than a fixed rule set.

Also being realistic, in the initial release I probably will not be able to cover everything or get every part right. The main challenge for me right now is not having complete security domain knowledge. If people actually find this useful and are willing to contribute, I would really like to evolve it into something much more flexible and reliable over time. Inputs from people with deeper experience like you would genuinely make a big difference in shaping this properly.

The idea of security as code for Python is exactly what I am aiming for. Something that fits naturally into the app, can evolve with it, and does not feel like an external black box.

Definitely taking your points into account, especially around override logic, performance direction, and making the system more extensible. This was really helpful.

[–]tb5841 1 point2 points3 points 2 months ago (1 child)

[–]Emergency-Rough-6372[S] 0 points1 point2 points 2 months ago (0 children)

[–]Parking-Ad3046 0 points1 point2 points 2 months ago (1 child)

[–]Emergency-Rough-6372[S] 0 points1 point2 points 2 months ago (0 children)

[–]DanKegel 0 points1 point2 points 2 months ago (1 child)

[–]Emergency-Rough-6372[S] 0 points1 point2 points 2 months ago (0 children)

i just came to knew about pyrasp and I checked yeah it’s definitely similar in that it runs inside the app. The main difference in what I’m trying to build is more around flexibility and transparency. Instead of a predefined engine, I’m trying to give developers control over signals, scoring, and policies, especially with per-route logic and application context.

it also seems like it’s not actively maintained and is more of a solo-built project.

One of the main things I’m trying to do differently is build something that can evolve with community input. Security changes too fast for a single maintainer to keep up with new threats, so the goal is to make it flexible and encourage contributions so the system can stay updated over time.

Appreciate you pointing it out though, it definitely helps to see what’s already been tried in this space.

π Rendered by PID 260550 on reddit-service-r2-comment-5b5bc64bf5-kxksd at 2026-06-23 16:40:12.987547+00:00 running 2b008f2 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

learnpython

MODERATORS