Cloudflare's Pingora 0.7 ships connection-level filtering, extensible TLS context, and the security fixes we were carrying in a fork. Zentinel now runs on upstream Pingora with zero patches — here's what changed and what it unlocks.
security
21 agents tagged with "security"
Release 26.02 adds supply chain security to every Zentinel release — cosign signatures, SLSA provenance, and SBOMs in CycloneDX and SPDX formats. Here's what we built, why it matters, and how to verify your deployment in 30 seconds.
Pattern-based security for AI APIs: prompt injection detection, jailbreak prevention, PII detection, and schema validation for LLM traffic.
Structured audit logging agent with PII redaction, multiple formats (JSON, CEF, LEEF), and compliance templates for SOC2, HIPAA, PCI, and GDPR.
Authentication and authorization agent supporting JWT, OIDC, API keys, Basic auth, SAML SSO, mTLS, Cedar policies, and token exchange.
Comprehensive bot detection with multi-signal analysis, known bot verification, and behavioral tracking.
Malware scanning agent using ClamAV daemon for file upload protection.
PII protection agent with reversible tokenization, format-preserving encryption, and pattern-based masking for JSON, XML, and form data.
Block requests based on IP addresses, CIDR ranges, or custom patterns with real-time updates.
GraphQL-specific security controls including query depth limiting, complexity analysis, introspection control, and field-level authorization.
Comprehensive security controls for gRPC services: method authorization, rate limiting, metadata inspection, and reflection control.
IP threat intelligence with AbuseIPDB integration, file-based blocklists, and Tor exit node detection.
Full OWASP Core Rule Set (CRS) support via libmodsecurity with 800+ detection rules.
IoT protocol security for MQTT: topic-based ACLs, client authentication, payload inspection, rate limiting, and QoS enforcement.
Multi-language policy evaluation agent supporting Cedar and Rego/OPA for fine-grained authorization decisions.
Token bucket rate limiting with configurable windows and limits per route, IP, or custom keys.
SOAP-specific security controls including envelope validation, WS-Security verification, operation control, and XXE prevention.
SPIFFE/SPIRE workload identity authentication agent for zero-trust service-to-service communication.
Pure Rust WAF with 285 detection rules, anomaly scoring, API security, schema validation, bot protection, and n-gram based payload analysis.
Security analysis for WebSocket frames: content filtering, schema validation, and attack detection for real-time connections.
Pure Rust ModSecurity-compatible WAF with full OWASP CRS support - no C dependencies required.