Documentation
Complete guide to integrating and using MAF (Model Application Firewall) to secure your applications.
Introduction
MAF is an AI-assisted backend security service that validates every incoming request at the application layer.
In modern web architecture, backend requests cannot be trusted blindly. Traditional WAFs operate at the network edge but often lack context about the application's internal logic or user session state.
MAF solves this by sitting closer to your application logic (or continuously communicating with it), preventing session abuse, device spoofing, malicious payloads, API abuse, automation attacks, and insider misuse.
Key Differentiator: Unlike network WAFs, MAF is application-aware and session-aware, allowing for much more granular and deterministic security decisions.
How MAF Works
High-Level Request Flow
When a request hits your backend (via our middleware or SDK), MAF intercepts it to perform real-time analysis before any business logic is executed.
Why this matters: Traditional network WAFs suffer from "Parsing Discrepancies."
As detailed in WAFFLED (2025), attackers can bypass WAFs by mutating requests (e.g., adding \x00 null bytes or altering multipart boundaries) so the WAF ignores them, but the backend parses them.
MAF runs inside or beside your application logic, ensuring it sees exactly what your application sees, eliminating this gap.
- Signal Extraction: We extract high-fidelity signals from the request metadata, headers, device fingerprint, and behavioral patterns.
- Session Validation: Depending on configuration, we validate the continuity of the session against known history.
- Risk Scoring: A deterministic score is calculated based on active rules. If the score exceeds a threshold, AI agents can be optionally engaged for deeper analysis.
- Enforcement: MAF returns a decision:
ALLOW,BLOCK, orDROP_SESSION.
The architecture is rules-first, AI-optional. This ensures millisecond-latency for 99% of requests, with AI only stepping in for high-risk anomalies.
Core Features
Session Continuity Validation
Prevents session hijacking by analyzing token usage patterns and device consistency. Powered by behavioral biometrics (see References).
Device Spoofing Detection
Identifies mismatched signatures between the user agent, network signals, and historical device fingerprints.
Malicious Payload Detection
Scans bodies and params for SQLi, XSS, and other common attack vectors before they reach your DB.
API Abuse Protection
Rate limiting and pattern recognition to stop automation attacks and scrapers.
Real-time Enforcement
Decisions are made in real-time. You can configure responses to simply log (Monitor Mode) or actively block threats. All decisions are replayable and explainable via the dashboard.
Architecture Overview
MAF is designed to be unobtrusive yet powerful. The system consists of three main components:
- Middleware / SDK: Sits in your API service (e.g., Express, Fastify, Next.js). It forwards metadata to the MAF Engine.
- MAF Engine: The core decision maker. Uses Redis for hot session state and fast rule lookups.
- Audit Layer: Postgres stores detailed logs for every request. An optional Blockchain Anchor service provides immutable proof of logs for compliance.
Note: The AI Adapter is an isolated service that is only invoked when deterministic rules flag a potential, but unconfirmed, threat.
Quick Start
Installation
npm install mafaiIntegration Overview
We prioritize a developer-friendly integration process. Currently, we support Node.js environments with first-party middleware for common frameworks.
const express = require('express');
const { mafaiExpress } = require('mafai');
const app = express();
app.use(express.json());
app.use(mafaiExpress({
apiKey: "YOUR_MAF_APP_KEY",
engineUrl: "http://your-engine-ip:3001/evaluate"
}));Typical rollout strategy:
- Day 1: Integrate Monitor Mode. No user impact.
- Day 2-3: Tune rules based on dashboard insights.
- Day 4: Switch to Block Mode for high-confidence rules.
Enforcement Modes
MAF operates in one of three modes, configurable per-environment or per-route.
1. Monitor Mode
All requests are allowed. Threats are logged asynchronously. Perfect for initial setup and debugging.
2. Block Mode
High-risk requests are blocked immediately with a 403 Forbidden or 401 Unauthorized response.
3. Session Drop Mode
For severe violations (e.g., confirmed session hijacking), the session is invalidated globally, forcing re-authentication.
Developer Dashboard
The dashboard is a standalone application that runs on a separate port (local dev) or hosted cloud URL (prod).
- Live Feed: Watch requests come in real-time with risk scores.
- Attack Replay: Re-run a past request against current rules to see if it would still be blocked.
- Forensics: Deep dive into specific blocked requests to see exactly why they were flagged (e.g., "User Agent mismatch + High Velocity").
Security & Privacy
No Raw Secrets
MAF creates hashes of sensitive data (like passwords or PII) before they leave your infrastructure. We never store raw secrets.
We offer On-Prem / Self-Host support for enterprise requirements, ensuring data never leaves your VPC.
Our audit trails are compliance-ready, suitable for SOC2 and ISO27001 requirements.
Research References
MAF's architecture is built upon cutting-edge research in web security and behavioral analysis. We actively monitor academic developments to ensure our defenses stay ahead of novel evasion techniques.
WAFFLED: Exploiting Parsing Discrepancies to Bypass WAFs
This paper reveals over 1200 unique evasion techniques that bypass top WAFs (Cloudflare, AWS, Azure) by exploiting parsing mismatches between the firewall and the application backend. MAF's application-layer design inherently eliminates this entire class of vulnerability.
AI-Powered Behavioral Biometrics for Continuous Authentication
Foundational research for our Session Continuity engine. Explores the use of deep learning to analyze user behavior (keystrokes, mouse movements, gyroscope data) to detect session hijacking with 98%+ accuracy without interrupting the user.