DEV Community: Bhavy Yadav The latest articles on DEV Community by Bhavy Yadav (@bhavyyadav25). https://dev.to/bhavyyadav25 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F389390%2F58059b99-78fd-4725-ba2d-009a25dbeb22.jpeg DEV Community: Bhavy Yadav https://dev.to/bhavyyadav25 en What Happens in 2 Milliseconds: Anatomy of a Single HTTP Request Through a Production WAF Bhavy Yadav Sun, 31 May 2026 00:14:29 +0000 https://dev.to/bhavyyadav25/what-happens-in-2-milliseconds-anatomy-of-a-single-http-request-through-a-production-waf-4bcm https://dev.to/bhavyyadav25/what-happens-in-2-milliseconds-anatomy-of-a-single-http-request-through-a-production-waf-4bcm <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fapepmafhlgn7k4ajipuk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fapepmafhlgn7k4ajipuk.png" alt=" " width="800" height="450"></a></p> <p>The rule engine is not the hard part. Everyone builds a rule engine. The hard part is deciding what order the checks run in — because the difference between a hash map lookup and a regex match is two orders of magnitude, and you're doing this on every single request.</p> <p>Six-stage pipeline. Production. 50+ client websites, 100K+ daily requests. I'll trace one request through all of it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">http </span><span class="nf">POST</span> <span class="nn">/api/login</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">client-website.com</span> <span class="na">User-Agent</span><span class="p">:</span> <span class="s">python-requests/2.28.0</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">X-Forwarded-For</span><span class="p">:</span> <span class="s">185.220.101.45</span> <span class="na">{"username"</span><span class="p">:</span><span class="s">"admin' OR '1'='1' --","password":"anything"}</span> </code></pre> </div> <p>Four problems: Tor exit node IP, automation library User-Agent, no Accept header, SQL injection payload. It gets blocked at stage 4. But all six stages matter.</p> <h2> The Pipeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">Handle</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">RequestContext</span><span class="p">{</span> <span class="n">IP</span><span class="o">:</span> <span class="n">extractIP</span><span class="p">(</span><span class="n">r</span><span class="p">),</span> <span class="n">Start</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">(),</span> <span class="p">}</span> <span class="c">// Stage 1: IP reputation — cheapest check, runs first</span> <span class="n">ipScore</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">reputation</span><span class="o">.</span><span class="n">Score</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">)</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">+=</span> <span class="n">ipScore</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">&gt;=</span> <span class="m">100</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">block</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Code</span><span class="o">:</span> <span class="m">403</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"blocklist"</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Stage 2: Rate limiting</span> <span class="k">if</span> <span class="n">allowed</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">limiter</span><span class="o">.</span><span class="n">Allow</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">);</span> <span class="o">!</span><span class="n">allowed</span> <span class="p">{</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">+=</span> <span class="m">25</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RateLimited</span> <span class="o">=</span> <span class="no">true</span> <span class="p">}</span> <span class="c">// Stage 3: Header inspection</span> <span class="n">headerScore</span><span class="p">,</span> <span class="n">hardBlock</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">inspectHeaders</span><span class="p">(</span><span class="n">r</span><span class="p">)</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">+=</span> <span class="n">headerScore</span> <span class="k">if</span> <span class="n">hardBlock</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">block</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Code</span><span class="o">:</span> <span class="m">400</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="n">hardBlock</span><span class="p">})</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Stage 4: Rule engine — most expensive, runs last</span> <span class="n">body</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">io</span><span class="o">.</span><span class="n">ReadAll</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Body</span><span class="p">)</span> <span class="n">r</span><span class="o">.</span><span class="n">Body</span> <span class="o">=</span> <span class="n">io</span><span class="o">.</span><span class="n">NopCloser</span><span class="p">(</span><span class="n">bytes</span><span class="o">.</span><span class="n">NewReader</span><span class="p">(</span><span class="n">body</span><span class="p">))</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span> <span class="o">=</span> <span class="n">waf</span><span class="o">.</span><span class="n">rules</span><span class="o">.</span><span class="n">Evaluate</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="n">body</span><span class="p">)</span> <span class="c">// Stage 5: Decision</span> <span class="k">if</span> <span class="n">d</span> <span class="o">:=</span> <span class="n">waf</span><span class="o">.</span><span class="n">decide</span><span class="p">(</span><span class="n">ctx</span><span class="p">);</span> <span class="n">d</span><span class="o">.</span><span class="n">Block</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">block</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">,</span> <span class="n">ctx</span><span class="p">,</span> <span class="n">d</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <p>Cheap checks first, expensive last. If IP reputation kills the request, the rule engine never runs. At 100K req/day that ordering shows up measurably in CPU.</p> <h2> Stage 1: IP Reputation [0ms → 0.2ms] </h2> <p>Three data structures, all in memory, all O(1):</p> <ul> <li> <strong>Hard blocklist</strong> — permanently banned IPs. Hash map, no expiry.</li> <li> <strong>Tor exit nodes</strong> — refreshed every 15 minutes via Onionoo. ~1,500 active exit IPs at any given time.</li> <li> <strong>Threat score map</strong> — IPs we've observed before, with accumulated scores that decay over time. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">IPReputation</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">blocklist</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{}</span> <span class="n">torExits</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="k">struct</span><span class="p">{}</span> <span class="n">cidrs</span> <span class="p">[]</span><span class="o">*</span><span class="n">net</span><span class="o">.</span><span class="n">IPNet</span> <span class="c">// datacenter/hosting ranges</span> <span class="n">scores</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="n">scoredIP</span> <span class="p">}</span> <span class="k">type</span> <span class="n">scoredIP</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">score</span> <span class="kt">int</span> <span class="n">lastSeen</span> <span class="n">time</span><span class="o">.</span><span class="n">Time</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">ipr</span> <span class="o">*</span><span class="n">IPReputation</span><span class="p">)</span> <span class="n">Score</span><span class="p">(</span><span class="n">ip</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">int</span> <span class="p">{</span> <span class="n">ipr</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">ipr</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ipr</span><span class="o">.</span><span class="n">blocklist</span><span class="p">[</span><span class="n">ip</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="m">100</span> <span class="p">}</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ipr</span><span class="o">.</span><span class="n">torExits</span><span class="p">[</span><span class="n">ip</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="k">return</span> <span class="m">70</span> <span class="p">}</span> <span class="n">parsed</span> <span class="o">:=</span> <span class="n">net</span><span class="o">.</span><span class="n">ParseIP</span><span class="p">(</span><span class="n">ip</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">cidr</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">ipr</span><span class="o">.</span><span class="n">cidrs</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cidr</span><span class="o">.</span><span class="n">Contains</span><span class="p">(</span><span class="n">parsed</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="m">55</span> <span class="c">// datacenter origin — not necessarily malicious, but not a browser</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="n">entry</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ipr</span><span class="o">.</span><span class="n">scores</span><span class="p">[</span><span class="n">ip</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="n">days</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Since</span><span class="p">(</span><span class="n">entry</span><span class="o">.</span><span class="n">lastSeen</span><span class="p">)</span><span class="o">.</span><span class="n">Hours</span><span class="p">()</span> <span class="o">/</span> <span class="m">24</span> <span class="c">// Score halves every 24h</span> <span class="k">return</span> <span class="kt">int</span><span class="p">(</span><span class="kt">float64</span><span class="p">(</span><span class="n">entry</span><span class="o">.</span><span class="n">score</span><span class="p">)</span> <span class="o">*</span> <span class="n">math</span><span class="o">.</span><span class="n">Pow</span><span class="p">(</span><span class="m">0.5</span><span class="p">,</span> <span class="n">days</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="m">0</span> <span class="p">}</span> </code></pre> </div> <p>Score decays at a 24-hour half-life. IPs rotate. Cloud provider ranges get reassigned. Treating a month-old signal the same as a current one tanks precision — false positives climb until the system is more noise than signal.</p> <p>We should have used MaxMind GeoLite from day one instead of maintaining a CIDR list manually. We added hosting ranges reactively — after seeing attacks rather than before — and missed several in the first few months. Proper ASN lookups would have caught those automatically. That gap cost us a few weeks of noisier detection early on.</p> <p>The scores map has an unbounded growth problem. A background goroutine evicts entries with decayed scores below 5, running every hour. In production the map stabilized around 40-50k entries.</p> <p><strong>185.220.101.45 matches the Tor exit list. Score: 70. Continue.</strong></p> <h2> Stage 2: Rate Limiter [0.2ms → 0.5ms] </h2> <p>Sliding window, not fixed. Fixed windows have a boundary exploit: 59 requests at :59, 59 more at :00 — 118 requests through a 60-request limit. The sliding window always covers the last N seconds. There's no boundary to game.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">SlidingWindow</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">Mutex</span> <span class="n">entries</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="n">ipWindow</span> <span class="n">limit</span> <span class="kt">int</span> <span class="n">window</span> <span class="n">time</span><span class="o">.</span><span class="n">Duration</span> <span class="p">}</span> <span class="k">type</span> <span class="n">ipWindow</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">timestamps</span> <span class="p">[]</span><span class="kt">int64</span> <span class="c">// nanoseconds — 8 bytes vs 24 for time.Time</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">sw</span> <span class="o">*</span><span class="n">SlidingWindow</span><span class="p">)</span> <span class="n">Allow</span><span class="p">(</span><span class="n">ip</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="n">sw</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="k">defer</span> <span class="n">sw</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="n">now</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UnixNano</span><span class="p">()</span> <span class="n">cutoff</span> <span class="o">:=</span> <span class="n">now</span> <span class="o">-</span> <span class="n">sw</span><span class="o">.</span><span class="n">window</span><span class="o">.</span><span class="n">Nanoseconds</span><span class="p">()</span> <span class="n">w</span> <span class="o">:=</span> <span class="n">sw</span><span class="o">.</span><span class="n">entries</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="k">if</span> <span class="n">w</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">w</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">ipWindow</span><span class="p">{}</span> <span class="n">sw</span><span class="o">.</span><span class="n">entries</span><span class="p">[</span><span class="n">ip</span><span class="p">]</span> <span class="o">=</span> <span class="n">w</span> <span class="p">}</span> <span class="c">// Prune in-place — avoids allocating a new slice on every call</span> <span class="n">n</span> <span class="o">:=</span> <span class="m">0</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">t</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span> <span class="p">{</span> <span class="k">if</span> <span class="n">t</span> <span class="o">&gt;</span> <span class="n">cutoff</span> <span class="p">{</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">[</span><span class="n">n</span><span class="p">]</span> <span class="o">=</span> <span class="n">t</span> <span class="n">n</span><span class="o">++</span> <span class="p">}</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span> <span class="o">=</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">[</span><span class="o">:</span><span class="n">n</span><span class="p">]</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="n">sw</span><span class="o">.</span><span class="n">limit</span> <span class="p">{</span> <span class="k">return</span> <span class="no">false</span> <span class="p">}</span> <span class="n">w</span><span class="o">.</span><span class="n">timestamps</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">w</span><span class="o">.</span><span class="n">timestamps</span><span class="p">,</span> <span class="n">now</span><span class="p">)</span> <span class="k">return</span> <span class="no">true</span> <span class="p">}</span> </code></pre> </div> <p>Threshold: 60 requests per 10-second window. This attacker sent 847.</p> <p>Rate limit alone doesn't block. +25 to score, continue. A misconfigured load balancer looks identical to a rate violation — same IP, high request count. The system needs the full picture before making a hard call. Rate limit plus anything else usually crosses the block threshold.</p> <p><strong>Score: 70 + 25 = 95. Continue.</strong></p> <h2> Stage 3: Header Inspection [0.5ms → 0.8ms] </h2> <p>Real browsers are consistent. They send <code>Accept</code>, <code>Accept-Language</code>, <code>Accept-Encoding</code>. Their User-Agent follows recognizable patterns. Automation libraries don't replicate this — not because attackers are careless, but because <code>python-requests</code>, <code>httpx</code>, <code>go-http-client</code> don't send browser headers by default, and most attackers don't bother faking them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">var</span> <span class="n">automationSignatures</span> <span class="o">=</span> <span class="p">[]</span><span class="kt">string</span><span class="p">{</span> <span class="s">"python-requests"</span><span class="p">,</span> <span class="s">"python-urllib"</span><span class="p">,</span> <span class="s">"go-http-client"</span><span class="p">,</span> <span class="s">"libwww-perl"</span><span class="p">,</span> <span class="s">"java/"</span><span class="p">,</span> <span class="s">"curl/"</span><span class="p">,</span> <span class="s">"wget/"</span><span class="p">,</span> <span class="s">"sqlmap"</span><span class="p">,</span> <span class="s">"nikto"</span><span class="p">,</span> <span class="s">"masscan"</span><span class="p">,</span> <span class="s">"zgrab"</span><span class="p">,</span> <span class="s">"scrapy"</span><span class="p">,</span> <span class="s">"aiohttp"</span><span class="p">,</span> <span class="s">"httpx"</span><span class="p">,</span> <span class="s">"mechanize"</span><span class="p">,</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">inspectHeaders</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">(</span><span class="n">score</span> <span class="kt">int</span><span class="p">,</span> <span class="n">hardBlock</span> <span class="kt">string</span><span class="p">)</span> <span class="p">{</span> <span class="n">ua</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"User-Agent"</span><span class="p">)</span> <span class="k">if</span> <span class="n">ua</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="m">40</span><span class="p">,</span> <span class="s">""</span> <span class="p">}</span> <span class="n">uaLow</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">ToLower</span><span class="p">(</span><span class="n">ua</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">sig</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">automationSignatures</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">Contains</span><span class="p">(</span><span class="n">uaLow</span><span class="p">,</span> <span class="n">sig</span><span class="p">)</span> <span class="p">{</span> <span class="n">score</span> <span class="o">+=</span> <span class="m">30</span> <span class="k">break</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">)</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">score</span> <span class="o">+=</span> <span class="m">15</span> <span class="p">}</span> <span class="c">// POST from a browser almost always carries a Referer</span> <span class="k">if</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span> <span class="o">==</span> <span class="n">http</span><span class="o">.</span><span class="n">MethodPost</span> <span class="o">&amp;&amp;</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"Referer"</span><span class="p">)</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="n">score</span> <span class="o">+=</span> <span class="m">10</span> <span class="p">}</span> <span class="c">// Header injection is a hard block regardless of score</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">values</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">v</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">values</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">ContainsAny</span><span class="p">(</span><span class="n">v</span><span class="p">,</span> <span class="s">"</span><span class="se">\r\n</span><span class="s">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="m">0</span><span class="p">,</span> <span class="s">"header injection"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">score</span><span class="p">,</span> <span class="s">""</span> <span class="p">}</span> </code></pre> </div> <p>Header injection is the only hard block at this stage. <code>\r\n</code> in a header value is never legitimate — it can split HTTP responses and poison downstream caches. Everything else is scored and accumulated.</p> <p>We evaluated TLS fingerprinting (JA3) — comparing cipher suite and extension order from the TLS handshake, which browsers expose consistently and scripts don't. Decided against it. It requires TLS termination at the WAF layer or integration with nginx's <code>ssl_fingerprint</code> module, and it's brittle across library versions. The coupling cost wasn't worth it at our traffic volume. Worth revisiting at scale.</p> <p><strong>python-requests/2.28.0: +30. No Accept: +15. No Referer on POST: +10. Score: 95 + 55 = 100 (capped). Continue.</strong></p> <h2> Stage 4: Rule Engine [0.8ms → 1.5ms] </h2> <p>Most expensive stage. Runs last.</p> <p><strong>Pre-compile at startup.</strong> <code>regexp.MustCompile</code> is not free. Calling it per request at 100K req/day is burning CPU for no reason. All patterns compile once on server start, stored as <code>*regexp.Regexp</code> struct fields, reused across every request.</p> <p><strong>Normalize before matching.</strong> Attackers don't send raw <code>OR '1'='1'</code>. They URL-encode it, double-encode it, or split it across fields. A rule engine that only looks at the raw payload misses most real attacks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">normalize</span><span class="p">(</span><span class="n">input</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">[]</span><span class="kt">byte</span> <span class="p">{</span> <span class="c">// First pass</span> <span class="n">s</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">QueryUnescape</span><span class="p">(</span><span class="kt">string</span><span class="p">(</span><span class="n">input</span><span class="p">))</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">s</span> <span class="o">=</span> <span class="kt">string</span><span class="p">(</span><span class="n">input</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Second pass — catches double-encoding</span> <span class="n">s2</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">url</span><span class="o">.</span><span class="n">QueryUnescape</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">s2</span> <span class="o">=</span> <span class="n">s</span> <span class="p">}</span> <span class="k">return</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">ToLower</span><span class="p">(</span><span class="n">s2</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>Then the rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Rule</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="n">Pattern</span> <span class="o">*</span><span class="n">regexp</span><span class="o">.</span><span class="n">Regexp</span> <span class="n">Severity</span> <span class="kt">int</span> <span class="c">// 1–4; severity 4 = block unconditionally regardless of score</span> <span class="n">Target</span> <span class="n">Target</span> <span class="c">// Body, URL, or both</span> <span class="p">}</span> <span class="c">// Compiled at init() — never at request time</span> <span class="k">var</span> <span class="n">coreRules</span> <span class="o">=</span> <span class="p">[]</span><span class="o">*</span><span class="n">Rule</span><span class="p">{</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"SQLI-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`\bor\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+['"]?`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"SQLI-002"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`(--|#|/\*)`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">3</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"SQLI-003"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`\bunion\b.{0,30}\bselect\b`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span> <span class="o">|</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"XSS-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`&lt;script[\s/&gt;]|javascript\s*:`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span> <span class="o">|</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"PATH-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`(\.\.[\\/]){2,}`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">3</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="n">ID</span><span class="o">:</span> <span class="s">"CMD-001"</span><span class="p">,</span> <span class="n">Pattern</span><span class="o">:</span> <span class="n">regexp</span><span class="o">.</span><span class="n">MustCompile</span><span class="p">(</span><span class="s">`[;|&amp;]\s*(cat|ls|whoami|id|wget|curl)\b`</span><span class="p">),</span> <span class="n">Severity</span><span class="o">:</span> <span class="m">4</span><span class="p">,</span> <span class="n">Target</span><span class="o">:</span> <span class="n">TargetBody</span> <span class="o">|</span> <span class="n">TargetURL</span><span class="p">,</span> <span class="p">},</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">e</span> <span class="o">*</span><span class="n">RuleEngine</span><span class="p">)</span> <span class="n">Evaluate</span><span class="p">(</span><span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">body</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">[]</span><span class="o">*</span><span class="n">Match</span> <span class="p">{</span> <span class="n">normBody</span> <span class="o">:=</span> <span class="n">normalize</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">normURL</span> <span class="o">:=</span> <span class="n">normalize</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">RawQuery</span> <span class="o">+</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">))</span> <span class="k">var</span> <span class="n">matches</span> <span class="p">[]</span><span class="o">*</span><span class="n">Match</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">rule</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">e</span><span class="o">.</span><span class="n">rules</span> <span class="p">{</span> <span class="k">var</span> <span class="n">target</span> <span class="p">[]</span><span class="kt">byte</span> <span class="k">if</span> <span class="n">rule</span><span class="o">.</span><span class="n">Target</span><span class="o">&amp;</span><span class="n">TargetBody</span> <span class="o">!=</span> <span class="m">0</span> <span class="p">{</span> <span class="n">target</span> <span class="o">=</span> <span class="n">normBody</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">target</span> <span class="o">=</span> <span class="n">normURL</span> <span class="p">}</span> <span class="k">if</span> <span class="n">loc</span> <span class="o">:=</span> <span class="n">rule</span><span class="o">.</span><span class="n">Pattern</span><span class="o">.</span><span class="n">Find</span><span class="p">(</span><span class="n">target</span><span class="p">);</span> <span class="n">loc</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">matches</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">matches</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">Match</span><span class="p">{</span><span class="n">Rule</span><span class="o">:</span> <span class="n">rule</span><span class="p">,</span> <span class="n">At</span><span class="o">:</span> <span class="n">loc</span><span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">matches</span> <span class="p">}</span> </code></pre> </div> <p>After normalization, the body reads as: <code>{"username":"admin' or '1'='1' --","password":"anything"}</code>.</p> <p>SQLI-001 fires on <code>or '1'='1'</code>. SQLI-002 fires on <code>--</code>. Two matches. SQLI-001 is severity 4. Score is irrelevant — block unconditionally.</p> <h2> Stage 5: Decision [1.5ms → 1.8ms] </h2> <p>Thin layer. Accumulated context in, decision out. Complexity here is where subtle edge cases live and where probing exploits get found.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">decide</span><span class="p">(</span><span class="n">ctx</span> <span class="o">*</span><span class="n">RequestContext</span><span class="p">)</span> <span class="n">Decision</span> <span class="p">{</span> <span class="c">// Severity-4 match: score doesn't matter</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">m</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span> <span class="p">{</span> <span class="k">if</span> <span class="n">m</span><span class="o">.</span><span class="n">Rule</span><span class="o">.</span><span class="n">Severity</span> <span class="o">==</span> <span class="m">4</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Code</span><span class="o">:</span> <span class="m">403</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="n">m</span><span class="o">.</span><span class="n">Rule</span><span class="o">.</span><span class="n">ID</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// High score + any rule match: block</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span> <span class="o">&gt;=</span> <span class="m">80</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span><span class="p">)</span> <span class="o">&gt;</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Code</span><span class="o">:</span> <span class="m">403</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"score+rules"</span><span class="p">}</span> <span class="p">}</span> <span class="c">// Rate limited, no rule match: 429, not 403</span> <span class="k">if</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RateLimited</span> <span class="o">&amp;&amp;</span> <span class="nb">len</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="n">Code</span><span class="o">:</span> <span class="m">429</span><span class="p">,</span> <span class="n">Reason</span><span class="o">:</span> <span class="s">"rate-limit"</span><span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Decision</span><span class="p">{</span><span class="n">Block</span><span class="o">:</span> <span class="no">false</span><span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The 403 vs 429 distinction is operational. Repeated 429s from the same IP often turn out to be misconfigured clients or internal tooling; 403s with rule matches are almost always actual attacks. The alerting pipeline treats them differently, which matters at 2am when you're deciding whether to page someone.</p> <p><strong>Verdict: Block, 403, SQLI-001.</strong></p> <h2> Stage 6: Logging [1.8ms → 2ms] </h2> <p>Response goes out before logging. Logging is I/O. I/O is slow. Those two facts mean the log write cannot touch the response path.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">WAF</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">logCh</span> <span class="k">chan</span> <span class="n">IncidentLog</span> <span class="c">// buffered</span> <span class="p">}</span> <span class="k">func</span> <span class="n">NewWAF</span><span class="p">(</span><span class="n">cfg</span> <span class="n">Config</span><span class="p">)</span> <span class="o">*</span><span class="n">WAF</span> <span class="p">{</span> <span class="n">w</span> <span class="o">:=</span> <span class="o">&amp;</span><span class="n">WAF</span><span class="p">{</span> <span class="n">logCh</span><span class="o">:</span> <span class="nb">make</span><span class="p">(</span><span class="k">chan</span> <span class="n">IncidentLog</span><span class="p">,</span> <span class="m">4096</span><span class="p">),</span> <span class="p">}</span> <span class="k">go</span> <span class="n">w</span><span class="o">.</span><span class="n">logWorker</span><span class="p">()</span> <span class="k">return</span> <span class="n">w</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">logWorker</span><span class="p">()</span> <span class="p">{</span> <span class="k">for</span> <span class="n">entry</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">waf</span><span class="o">.</span><span class="n">logCh</span> <span class="p">{</span> <span class="n">waf</span><span class="o">.</span><span class="n">sink</span><span class="o">.</span><span class="n">Write</span><span class="p">(</span><span class="n">entry</span><span class="p">)</span> <span class="c">// JSON to disk + forward to alert pipeline</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">waf</span> <span class="o">*</span><span class="n">WAF</span><span class="p">)</span> <span class="n">block</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">,</span> <span class="n">ctx</span> <span class="o">*</span><span class="n">RequestContext</span><span class="p">,</span> <span class="n">d</span> <span class="n">Decision</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Response first</span> <span class="n">w</span><span class="o">.</span><span class="n">Header</span><span class="p">()</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="s">"Content-Type"</span><span class="p">,</span> <span class="s">"application/json"</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">WriteHeader</span><span class="p">(</span><span class="n">d</span><span class="o">.</span><span class="n">Code</span><span class="p">)</span> <span class="n">w</span><span class="o">.</span><span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">(</span><span class="s">`{"error":"Forbidden"}`</span><span class="p">))</span> <span class="c">// Log asynchronously — non-blocking send</span> <span class="k">select</span> <span class="p">{</span> <span class="k">case</span> <span class="n">waf</span><span class="o">.</span><span class="n">logCh</span> <span class="o">&lt;-</span> <span class="n">IncidentLog</span><span class="p">{</span> <span class="n">Timestamp</span><span class="o">:</span> <span class="n">time</span><span class="o">.</span><span class="n">Now</span><span class="p">()</span><span class="o">.</span><span class="n">UTC</span><span class="p">(),</span> <span class="n">IP</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">,</span> <span class="n">Method</span><span class="o">:</span> <span class="n">r</span><span class="o">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">Path</span><span class="o">:</span> <span class="n">r</span><span class="o">.</span><span class="n">URL</span><span class="o">.</span><span class="n">Path</span><span class="p">,</span> <span class="n">Score</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Score</span><span class="p">,</span> <span class="n">Matches</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Matches</span><span class="p">,</span> <span class="n">RateLimited</span><span class="o">:</span> <span class="n">ctx</span><span class="o">.</span><span class="n">RateLimited</span><span class="p">,</span> <span class="n">Decision</span><span class="o">:</span> <span class="n">d</span><span class="p">,</span> <span class="n">LatencyMs</span><span class="o">:</span> <span class="kt">float64</span><span class="p">(</span><span class="n">time</span><span class="o">.</span><span class="n">Since</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">Start</span><span class="p">)</span><span class="o">.</span><span class="n">Microseconds</span><span class="p">())</span> <span class="o">/</span> <span class="m">1000</span><span class="p">,</span> <span class="p">}</span><span class="o">:</span> <span class="k">default</span><span class="o">:</span> <span class="c">// Channel full — drop the entry, track the drop count separately</span> <span class="n">waf</span><span class="o">.</span><span class="n">metrics</span><span class="o">.</span><span class="n">LogDropped</span><span class="o">.</span><span class="n">Inc</span><span class="p">()</span> <span class="p">}</span> <span class="k">go</span> <span class="n">waf</span><span class="o">.</span><span class="n">reputation</span><span class="o">.</span><span class="n">Increment</span><span class="p">(</span><span class="n">ctx</span><span class="o">.</span><span class="n">IP</span><span class="p">,</span> <span class="m">20</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>The <code>select</code> with <code>default</code> is intentional. If the log channel fills — writer goroutine falling behind, usually disk I/O saturation during a large attack — drop the log entry rather than stall HTTP responses. Track the drop counter as a separate metric and alert on it. In 8 months of production this happened once, during a coordinated multi-client attack that was also saturating the disk writer. Logging should never affect response latency, even under that load.</p> <p>The attacker gets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">403</span> <span class="ne">Forbidden</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">{"error"</span><span class="p">:</span><span class="s">"Forbidden"}</span> </code></pre> </div> <p>No indication of which rule fired. Nothing actionable. The less information a 403 carries, the harder the system is to probe.</p> <h2> Production Numbers </h2> <p>At peak (~180 req/s across all clients), the WAF added a median 0.8ms latency to allowed requests. p99: 3.2ms. Blocked requests averaged 1.9ms — they exit earlier in the pipeline. Memory at steady state: ~90MB for the reputation map, rate limiter state, and rule engine combined.</p> <p>Over 8 months: 25% reduction in breach incidents across client websites, 35% faster detection from attack onset to alert. The detection improvement came almost entirely from centralized structured logging — correlating patterns across 50+ clients simultaneously instead of treating each site's logs as a separate silo.</p> <p>Two things I'd rebuild differently. First: MaxMind GeoLite for ASN-level blocking from the start. Maintaining a CIDR list manually is reactive by nature and you're always a step behind. Second: weight rule matches by position in the payload. A pattern found deep inside a multi-part encoded body is more likely to be deliberate evasion than one sitting in a raw field — that distinction should influence severity scoring, and currently it doesn't.</p> <p>Want more deep-dive backend stories?<br> I regularly write about:</p> <p>Go internals and performance<br> backend system design<br> building open-source tools<br> real-world optimization stories<br> Check out my personal site: <a href="https://bhavyyadav25.github.io" rel="noopener noreferrer">https://bhavyyadav25.github.io</a></p> <p>You can also find me on:</p> <p>GitHub: <a href="https://github.com/Bhavyyadav25" rel="noopener noreferrer">https://github.com/Bhavyyadav25</a><br> LinkedIn: <a href="https://linkedin.com/in/yadavbhavy" rel="noopener noreferrer">https://linkedin.com/in/yadavbhavy</a></p> <p><em>Backend engineer. Go, distributed systems, security infrastructure.</em></p> go webdev security backend