DEV Community

Carrie

Automating WAF Response with n8n and SafeLine

In today’s dynamic threat landscape, web applications require not only real-time protection but also intelligent and automated security workflows.

By integrating SafeLine, a powerful open-source Layer 7 Web Application Firewall (WAF), with n8n, a flexible open-source workflow automation tool, you can achieve an efficient DevSecOps workflow that reacts instantly to threats.


Why Integrate SafeLine with n8n?

While SafeLine already provides strong WAF capabilities like rate limiting, access control, and rule-based blocking, integrating it with n8n unlocks automation benefits such as:

  • Automated threat response (e.g., blocking IPs, sending alerts)
  • Security notifications to platforms like Slack, Telegram, or email
  • Threat intelligence enrichment via external APIs (e.g., AbuseIPDB, VirusTotal)
  • Low-code orchestration of your application’s security environment

What You’ll Need

  • SafeLine WAF installed and running (self-hosted): https://ly.safepoint.cloud/ShZAy9x
  • n8n instance (cloud or self-hosted)
  • SafeLine’s Webhook or API access enabled
  • Basic knowledge of REST APIs and JSON formatting

Integration Overview

+-------------------+        Webhook         +---------------------+
|                   |   ─────────────────▶   |                     |
|   SafeLine WAF    |                        |        n8n          |
|  (with Webhooks)  |   ◀── API calls ────   | (Workflow Engine)   |
+-------------------+                        +---------------------+
        │                                              │
        ▼                                              ▼
 Auto-block IPs                             Send alerts, log, enrich  
                                            with VirusTotal, etc.

Use Case Example: Auto-Blocking Suspicious IPs

1. Enable Webhook Notifications in SafeLine

Configure SafeLine to send alert payloads like:

{
  "event": "SQL_INJECTION",
  "ip": "45.67.89.123",
  "path": "/login",
  "rule": "SQL Injection Pattern Detected",
  "timestamp": "2025-06-20T10:33:00Z"
}

2. Create an n8n Workflow

Basic logic:

  • Webhook Trigger (POST method)
  • If Node: Check if event == SQL_INJECTION
  • HTTP Request Node: Call SafeLine block API

Sample request:

POST http://your-safeline/api/blacklist/add
Authorization: Bearer <token>
Content-Type: application/json

{
  "ip": "45.67.89.123",
  "duration": 1800,
  "reason": "Auto-blocked via n8n (SQLi)"
}

3. Notify Your Team

Add a Telegram, Slack, or Email node that sends a message such as:

SQL Injection Blocked
IP: 45.67.89.123
Path: /login
Blocked for: 30 min

4. Enrich with AbuseIPDB or VirusTotal

Add an HTTP Request node that queries AbuseIPDB for the IP address, so the workflow checks its reputation before taking action.

Benefits

  • Fully automated WAF response
  • Better visibility and reduced false positives
  • Seamless integration with other tools
  • Time-saving automation for DevSecOps teams

Other Use Cases

  • Auto whitelist internal IPs
  • Notify when rate-limiting is triggered
  • Update SafeLine WAF rules via GitHub webhook
  • Combine WAF logs with server logs

Conclusion

SafeLine WAF combined with n8n gives your security team a powerful automation layer on top of robust application-layer protection. Whether you’re dealing with targeted attacks or managing large-scale infrastructure, this integration brings clarity, speed, and consistency to your response.

Appendix 1: n8n Workflow Template (Auto Block IP)

Here is a minimal JSON template for n8n:

{
  "nodes": [
    {
      "parameters": {
        "path": "safeline-alert",
        "method": "POST"
      },
      "name": "Webhook",
      "type": "n8n-nodes-base.webhook",
      "typeVersion": 1,
      "position": [250, 300]
    },
    {
      "parameters": {
        "conditions": {
          "string": [
            {
              "value1": "{{ $json[\"event\"] }}",
              "operation": "equals",
              "value2": "SQL_INJECTION"
            }
          ]
        }
      },
      "name": "Check Event Type",
      "type": "n8n-nodes-base.if",
      "typeVersion": 1,
      "position": [450, 300]
    },
    {
      "parameters": {
        "url": "http://your-safeline/api/blacklist/add",
        "method": "POST",
        "authentication": "predefinedCredentialType",
        "jsonParameters": true,
        "options": {},
        "bodyParametersJson": "{\"ip\":\"{{ $json[\"ip\"] }}\",\"duration\":1800,\"reason\":\"Auto-blocked via n8n (SQLi)\"}"
      },
      "name": "Block IP",
      "type": "n8n-nodes-base.httpRequest",
      "typeVersion": 1,
      "position": [650, 300]
    }
  ],
  "connections": {
    "Webhook": {
      "main": [
        [
          {
            "node": "Check Event Type",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check Event Type": {
      "main": [
        [
          {
            "node": "Block IP",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}

Appendix 2: AbuseIPDB + Telegram + GitHub Rule Sync

AbuseIPDB Reputation Check

Add an HTTP Request node:

GET https://api.abuseipdb.com/api/v2/check?ipAddress={{ $json["ip"] }}&maxAgeInDays=90
Headers:
  Key: Key
  Value: YOUR_API_KEY

Then add a condition: if abuse score > 50 → block.
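
The decision described in steps 2 and 4 and in the condition above (block only when the event is SQL_INJECTION and the AbuseIPDB score is above 50), written as a stand-alone Node.js function. This is an added example, not code from the original post or from SafeLine or n8n; the `decide` function, its action names, the private-range allowlist and the choice to only notify when the score is missing are assumptions.

```javascript
const net = require('net');

const BLOCK_EVENTS = new Set(['SQL_INJECTION']); // event value from the sample payload
const SCORE_THRESHOLD = 50;  // "abuse score > 50" condition from this appendix
const BLOCK_SECONDS = 1800;  // duration from the sample block request

// Constructed allowlist (assumption): loopback and private ranges are never auto-blocked.
const NEVER_BLOCK = new net.BlockList();
NEVER_BLOCK.addSubnet('10.0.0.0', 8);
NEVER_BLOCK.addSubnet('172.16.0.0', 12);
NEVER_BLOCK.addSubnet('192.168.0.0', 16);
NEVER_BLOCK.addSubnet('127.0.0.0', 8);
NEVER_BLOCK.addAddress('::1', 'ipv6');

// alert: parsed webhook payload; abuseScore: AbuseIPDB data.abuseConfidenceScore (0-100),
// or undefined when the lookup failed.
function decide(alert, abuseScore) {
  if (!alert || typeof alert.ip !== 'string') {
    return { action: 'drop', why: 'payload has no ip string' };
  }
  const family = net.isIP(alert.ip); // 0 unless the whole string is an IP literal
  if (family === 0) {
    return { action: 'drop', why: 'ip field is not an address' };
  }
  if (!BLOCK_EVENTS.has(alert.event)) {
    return { action: 'ignore', why: 'event type is not auto-blocked' };
  }
  if (NEVER_BLOCK.check(alert.ip, family === 6 ? 'ipv6' : 'ipv4')) {
    return { action: 'ignore', why: 'address is allowlisted' };
  }
  if (!Number.isFinite(abuseScore) || abuseScore <= SCORE_THRESHOLD) {
    return { action: 'notify', why: 'score missing or not above threshold' };
  }
  // JSON.stringify escapes every value; nothing from the webhook is spliced in by hand.
  const body = JSON.stringify({
    ip: alert.ip,
    duration: BLOCK_SECONDS,
    reason: 'Auto-blocked via n8n (SQLi)',
  });
  return { action: 'block', body };
}

// Sample alert copied from the payload shown in step 1.
const sampleAlert = { event: 'SQL_INJECTION', ip: '45.67.89.123', path: '/login' };
console.log(decide(sampleAlert, 87).action);
```

Validating the `ip` field before it reaches the block request matters because the template in Appendix 1 interpolates `{{ $json["ip"] }}` directly into a JSON string.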

Telegram Notification Node

Use your Telegram bot token and chat ID:

{
  "text": " IP {{ $json[\"ip\"] }} blocked due to high threat score.",
  "chat_id": "12345678"
}

GitHub Sync for Rules

Use a GitHub Webhook trigger in n8n:

  • Watch for changes in a waf-rules.json file
  • Auto-call SafeLine’s ruleset/update API when the GitHub file is modified
