NeXuS

WAF & Rate Limiting

NeXuS implements web application firewall protection at both the edge (Cloudflare) and application level.

Defense-in-Depth

Layer 1: Cloudflare Edge WAF

Cloudflare provides automatic protection against:

• SQL injection
• Cross-site scripting (XSS)
• DDoS attacks (L3/L4/L7)
• Known bot patterns
• OWASP Top 10 threats

Layer 2: Application WAF (nexus-waf)

The WAF service runs on port 7003 and provides:

• Request inspection and filtering
• Custom rule-based blocking
• Application-specific threat detection

Layer 3: Service-Level Rate Limiting

The Auth Service implements per-IP rate limiting:

20 requests per 15 minutes on /auth/* endpoints

This prevents credential stuffing and brute-force login attacks.

Rate Limiting Details

Endpoint	Window	Max Requests	Response
/auth/*	15 minutes	20 per IP	429 Too Many Requests

When the limit is exceeded:

{
  "error": "Too many attempts, try again later"
}

CORS Policy

All services enforce CORS with strict origin policies:

cors({
  origin: ['https://nexus.sebhosting.com', 'http://localhost:3000'],
  credentials: true,
})

MCP Security

The MCP server validates container names to prevent command injection:

function safeContainerName(name: string): string {
  if (!/^[a-zA-Z0-9_-]+$/.test(name))
    throw new Error(`Invalid container name: ${name}`)
  return name
}

All Docker commands use execSync with validated inputs and a 15-second timeout.

This site is open source. Improve this page.