Request Pipeline

Every request entering EdgeWrap passes through a deterministic, 15-step processing pipeline. Each step can short-circuit with an early response — any remaining steps are skipped.

Pipeline Steps

1

Subdomain / Domain Rewrite

Detects whether the request arrived via a custom domain or subdomain pattern (e.g. slug-id6.edgewrap.pro). Extracts the project slug and rewrites the URL path for routing.

2

API Key Extraction & Validation

Reads x-api-key from request headers. SHA-256 hashes the key and looks up the project context in the fast local cache with database fallback. Validates the key is active and not expired.

Early exit: 401 Missing API key / 401 Invalid or revoked API key
3

Platform Restriction Check

Validates the request origin (Referer or client platform headers) against the API key's allowed platforms (web, mobile, desktop, server). Server keys also verify x-api-secret.

Early exit: 403 Platform not allowed for this API key
4

Quota Check

Evaluates the three-tier quota bucket: Free → Plan → PAYG. Reads real-time counters from the edge database cache. If the PAYG spend cap is breached, the request is blocked.

Early exit: 429 Free quota exhausted / 429 Monthly quota exceeded / 429 PAYG spend cap reached
5

DDoS Shield

Checks the client IP against a high-speed sliding-window rate counter at the edge. If RPS exceeds the plan threshold within the configured window, the request is challenged or blocked.

Early exit: 429 Too Many Requests / 403 Challenge required
6

WAF Evaluation

Runs OWASP rule sets against the request (SQL injection, XSS, RCE, LFI, scanner detection). Checks IP/country/user-agent blocklists. On Pro+ runs AI anomaly detection and prompt injection shield.

Early exit: 403 WAF: Request blocked
7

Bot & Fraud Detection

Evaluates behavioural signals (headless browser fingerprints, challenge results, request cadence) to assign a bot score (0–100). Requests above the configured threshold are blocked.

Early exit: 403 Bot detected
8

Secret Shield (Request)

Scans request body and headers for PII, API keys, and secrets using regex patterns. Detected secrets are redacted before forwarding to origin. A violation event is logged.

9

Cache Lookup

Computes the cache key and queries the edge cache. Returns a HIT immediately. On MISS, checks stale-while-revalidate window. Bypasses cache for non-GET methods, bypass rules, or bypass headers.

Early exit: 200 (cache HIT — request ends here)
10

Origin Selection

Selects the target origin URL. Checks geo-residency rules first, then load-balancer pool (if configured), then falls back to the project's default originUrl.

11

Circuit Breaker Check

Queries the circuit breaker state for the selected origin. If OPEN, checks for a stale cache response to serve. If no stale response is available, returns 503.

Early exit: 503 Origin unavailable (circuit OPEN, no stale cache)
12

Auto-Healer Fetch

Executes the origin request with retry logic and failover. On timeout or 5xx, retries up to maxRetries times with exponential backoff. Updates circuit breaker status on failure.

Early exit: 502 Bad gateway (all retries exhausted)
13

Secret Shield (Response)

Scans response body for secrets and PII. Redacts matches before forwarding to client. Also applies GDPR data masking rules if configured.

14

Cache Write

Writes the response to edge cache with the computed TTL. Applies stale-while-revalidate metadata. Cache write is asynchronous and does not delay the response.

15

Analytics Queue Emission

Asynchronously logs a structured analytics event containing request metadata, latency, cache status, WAF result, bot score, and billing bucket classification.

Async Operations

Several pipeline steps run after the response is sent to the client. This keeps the critical path fast while still performing necessary work.

OperationTiming
Cache write (Step 14)After response sent
Analytics log ingestion (Step 15)After response sent
Request replay storageAfter response sent
AI insights analysisAfter response sent
Circuit breaker state updateAfter response sent
Origin health check (background loop)Every 60 seconds
PAYG meteringEvery hour
Usage reset1st of every month
Tip: The use of asynchronous edge tasks means analytics, cache writes, and AI processing never add latency to the critical path. Your clients see the response the moment the origin replies (or the cache is hit).