DDoS Protection
EdgeWrap's DDoS shield monitors request volumes per IP and project. Violating requests are challenged with a JavaScript proof-of-work validation or blocked outright.
How It Works
The DDoS protection engine maintains high-speed sliding-window rate counters at the edge. If the request rate from an IP address exceeds your configured threshold, the gateway takes immediate action:
DDoS Shield Mitigation Flow
Incoming Request
│
▼
DDoS Engine checks rate:
│
├── Current Rate < Threshold → ALLOW (Request forwarded to origin)
└── Current Rate >= Threshold
├── Mode = "challenge" → 403 Forbidden with JavaScript challenge
└── Mode = "block" → 429 Too Many Requests
│
▼
Clearance token issued automatically once challenge is solvedDashboard Setup & Configuration
Configure the DDoS Shield settings in the EdgeWrap Dashboard:
- Navigate to your project in the dashboard at
https://app.edgewrap.pro. - Go to the Security page and select the DDoS Protection tab.
- Toggle the DDoS Shield switch to Enabled.
- Configure the rate limiting thresholds (requests per second and sliding window size).
- Choose the challenge mode (JavaScript challenge, managed challenge, captcha, or hard block).
- Define any IP or country whitelists that should bypass DDoS mitigation checks entirely.
API Configuration
Alternatively, you can manage the DDoS configuration programmatically:
| Param | Type | Description |
|---|---|---|
| requestsPerSecondThreshold | integer | Per-IP RPS threshold before triggering the shield.(default: plan limit) |
| uniqueIpsPerMinuteThreshold | integer | Limit on the number of unique IP addresses per minute.(default: 1000) |
| adaptiveEnabled | boolean | Enables anomaly-based adaptive rate limiting.(default: false) |
| challengeMode | js_challenge | captcha | block | Action when threshold is exceeded. 'js_challenge' resolves in-browser; 'block' rejects immediately.(default: js_challenge) |
| challengeDurationSec | integer | Clearance token validity duration in seconds after solving a challenge.(default: 3600) |
Update DDoS configuration via API
curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_abc123/ddos/config \
-H "Authorization: Bearer <your_session_token>" \
-H "Content-Type: application/json" \
-d '{
"requestsPerSecondThreshold": 200,
"challengeMode": "js_challenge",
"challengeDurationSec": 7200
}'Mitigation Capabilities by Plan
| Plan | Default Throttling Threshold |
|---|---|
| Free | 50 requests/sec |
| Starter | 500 requests/sec |
| Pro | 2,000 requests/sec |
| Team | 10,000 requests/sec |
| Enterprise | Customizable / Unlimited |
Tip: In
js_challenge mode, client browsers solve the proof-of-work validation transparently in the background. Automated scrapers and curl clients that cannot execute JavaScript will fail the challenge and remain blocked.Per-Key Rate Limiting & Caps
Separate from the DDoS shield, EdgeWrap applies rate limiting on a per-API-key basis. The gateway enforces the daily and minute-level caps configured for individual keys under the **API Keys** section of the dashboard.