Request Pipeline
Every request entering EdgeWrap passes through a deterministic, 15-step processing pipeline. Each step can short-circuit with an early response — any remaining steps are skipped.
Pipeline Steps
Subdomain / Domain Rewrite
Detects whether the request arrived via a custom domain or subdomain pattern (e.g. slug-id6.edgewrap.pro). Extracts the project slug and rewrites the URL path for routing.
API Key Extraction & Validation
Reads x-api-key from request headers. SHA-256 hashes the key and looks up the project context in the fast local cache with database fallback. Validates the key is active and not expired.
Platform Restriction Check
Validates the request origin (Referer or client platform headers) against the API key's allowed platforms (web, mobile, desktop, server). Server keys also verify x-api-secret.
Quota Check
Evaluates the three-tier quota bucket: Free → Plan → PAYG. Reads real-time counters from the edge database cache. If the PAYG spend cap is breached, the request is blocked.
DDoS Shield
Checks the client IP against a high-speed sliding-window rate counter at the edge. If RPS exceeds the plan threshold within the configured window, the request is challenged or blocked.
WAF Evaluation
Runs OWASP rule sets against the request (SQL injection, XSS, RCE, LFI, scanner detection). Checks IP/country/user-agent blocklists. On Pro+ runs AI anomaly detection and prompt injection shield.
Bot & Fraud Detection
Evaluates behavioural signals (headless browser fingerprints, challenge results, request cadence) to assign a bot score (0–100). Requests above the configured threshold are blocked.
Secret Shield (Request)
Scans request body and headers for PII, API keys, and secrets using regex patterns. Detected secrets are redacted before forwarding to origin. A violation event is logged.
Cache Lookup
Computes the cache key and queries the edge cache. Returns a HIT immediately. On MISS, checks stale-while-revalidate window. Bypasses cache for non-GET methods, bypass rules, or bypass headers.
Origin Selection
Selects the target origin URL. Checks geo-residency rules first, then load-balancer pool (if configured), then falls back to the project's default originUrl.
Circuit Breaker Check
Queries the circuit breaker state for the selected origin. If OPEN, checks for a stale cache response to serve. If no stale response is available, returns 503.
Auto-Healer Fetch
Executes the origin request with retry logic and failover. On timeout or 5xx, retries up to maxRetries times with exponential backoff. Updates circuit breaker status on failure.
Secret Shield (Response)
Scans response body for secrets and PII. Redacts matches before forwarding to client. Also applies GDPR data masking rules if configured.
Cache Write
Writes the response to edge cache with the computed TTL. Applies stale-while-revalidate metadata. Cache write is asynchronous and does not delay the response.
Analytics Queue Emission
Asynchronously logs a structured analytics event containing request metadata, latency, cache status, WAF result, bot score, and billing bucket classification.
Async Operations
Several pipeline steps run after the response is sent to the client. This keeps the critical path fast while still performing necessary work.
| Operation | Timing |
|---|---|
| Cache write (Step 14) | After response sent |
| Analytics log ingestion (Step 15) | After response sent |
| Request replay storage | After response sent |
| AI insights analysis | After response sent |
| Circuit breaker state update | After response sent |
| Origin health check (background loop) | Every 60 seconds |
| PAYG metering | Every hour |
| Usage reset | 1st of every month |