DDoS Protection

EdgeWrap's DDoS shield monitors request volumes per IP and project. Violating requests are challenged with a JavaScript proof-of-work validation or blocked outright.

How It Works

The DDoS protection engine maintains high-speed sliding-window rate counters at the edge. If the request rate from an IP address exceeds your configured threshold, the gateway takes immediate action:

DDoS Shield Mitigation Flow
Incoming Request
  │
  ▼
DDoS Engine checks rate:
  │
  ├── Current Rate < Threshold  →  ALLOW (Request forwarded to origin)
  └── Current Rate >= Threshold
       ├── Mode = "challenge"   →  403 Forbidden with JavaScript challenge
       └── Mode = "block"       →  429 Too Many Requests
  │
  ▼
Clearance token issued automatically once challenge is solved

Dashboard Setup & Configuration

Configure the DDoS Shield settings in the EdgeWrap Dashboard:

  1. Navigate to your project in the dashboard at https://app.edgewrap.pro.
  2. Go to the Security page and select the DDoS Protection tab.
  3. Toggle the DDoS Shield switch to Enabled.
  4. Configure the rate limiting thresholds (requests per second and sliding window size).
  5. Choose the challenge mode (JavaScript challenge, managed challenge, captcha, or hard block).
  6. Define any IP or country whitelists that should bypass DDoS mitigation checks entirely.

API Configuration

Alternatively, you can manage the DDoS configuration programmatically:

ParamTypeDescription
requestsPerSecondThresholdintegerPer-IP RPS threshold before triggering the shield.(default: plan limit)
uniqueIpsPerMinuteThresholdintegerLimit on the number of unique IP addresses per minute.(default: 1000)
adaptiveEnabledbooleanEnables anomaly-based adaptive rate limiting.(default: false)
challengeModejs_challenge | captcha | blockAction when threshold is exceeded. 'js_challenge' resolves in-browser; 'block' rejects immediately.(default: js_challenge)
challengeDurationSecintegerClearance token validity duration in seconds after solving a challenge.(default: 3600)
Update DDoS configuration via API
curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_abc123/ddos/config \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "requestsPerSecondThreshold": 200,
    "challengeMode": "js_challenge",
    "challengeDurationSec": 7200
  }'

Mitigation Capabilities by Plan

PlanDefault Throttling Threshold
Free50 requests/sec
Starter500 requests/sec
Pro2,000 requests/sec
Team10,000 requests/sec
EnterpriseCustomizable / Unlimited
Tip: In js_challenge mode, client browsers solve the proof-of-work validation transparently in the background. Automated scrapers and curl clients that cannot execute JavaScript will fail the challenge and remain blocked.

Per-Key Rate Limiting & Caps

Separate from the DDoS shield, EdgeWrap applies rate limiting on a per-API-key basis. The gateway enforces the daily and minute-level caps configured for individual keys under the **API Keys** section of the dashboard.