The integrated security engine “
Generic Hardening” dynamically generates hardened rules that transform your reverse proxy into a high-performance application firewall ( before the real Web Application Firewall engine)This engine enforces strict protocol control and blocks malicious traffic instantly — returning HTTP 444 (connection closed without response) to eliminate attacker feedback.
This feature is available on Artica v4.50 Service Pack 7 or Artica v4.50 Service Pack 6 Hotfix 20260213-01
¶ Protocol Enforcement & Surface Reduction
The system first enforces a strict HTTP method policy.
Only explicitly allowed methods (GET, POST, HEAD, OPTIONS, PUT — or custom-defined) are accepted.
Any unexpected or abusive method is immediately terminated.
This reduces the exposed attack surface before deeper inspection even begins.
¶ Deep Attack Detection (Multi-Layer Protection)
The engine proactively blocks a wide spectrum of modern web attacks, including:
- SQL Injection (union-based, blind, time-based, hex payloads)
- NoSQL Injection operators
- Command injection patterns
- Local & Remote File Inclusion (LFI/RFI)
- Server-Side Request Forgery (SSRF)
- Cross-Site Scripting (XSS)
- XML External Entity (XXE)
- SSTI (Server-Side Template Injection)
- LDAP injection
- Log4Shell / JNDI exploitation
- CRLF injection
- HTTP request smuggling
- Path traversal (including double-encoded variants)
- Sensitive file exposure (.git, .env, id_rsa, wp-config, etc.)
- Common webshell and CMS exploit probes
Each detection layer is evaluated independently and optimized for performance.
¶ Silent Blocking with 444 Return Code
Instead of returning traditional 403/404 responses, malicious requests are terminated with HTTP 444, meaning:
- No response body
- No headers
- Immediate TCP close
- No behavioral feedback to attackers
- Reduced resource consumption
This strategy limits reconnaissance and automated exploitation.
¶ Hardened by Design
- Generic Harden mode can be enabled by opening the reverse-proxy website rule
- Find the “Generic Hardening” option
- Trun to green the Built-in Web Application Firewall option
- The system automatically deploys:
- Regex-based malicious URI filters
- Query string anomaly detection
- Suspicious header inspection (User-Agent, Referer, Transfer-Encoding)
- Internal IP and metadata endpoint protection
- Encoded payload normalization detection
All rules are compiled statically into main service configuration, avoiding runtime overhead typical of external WAF engines.
After enabled, go to https://waf-checker.com/ and scan your website with all options.
You will see a high proxy rate.
