Cloudflare's Pingora 0.7 ships connection-level filtering, extensible TLS context, and the security fixes we were carrying in a fork. Sentinel now runs on upstream Pingora with zero patches — here's what changed and what it unlocks.
security
21 agents tagged with "security"
Release 26.02 adds supply chain security to every Sentinel release — cosign signatures, SLSA provenance, and SBOMs in CycloneDX and SPDX formats. Here's what we built, why it matters, and how to verify your deployment in 30 seconds.
SPIFFE/SPIRE workload identity authentication agent for zero-trust service-to-service communication.
IP threat intelligence with AbuseIPDB integration, file-based blocklists, and Tor exit node detection.
Token bucket rate limiting with configurable windows and limits per route, IP, or custom keys.
SOAP-specific security controls including envelope validation, WS-Security verification, operation control, and XXE prevention.
Multi-language policy evaluation agent supporting Cedar and Rego/OPA for fine-grained authorization decisions.
Structured audit logging agent with PII redaction, multiple formats (JSON, CEF, LEEF), and compliance templates for SOC2, HIPAA, PCI, and GDPR.
Security analysis for WebSocket frames: content filtering, schema validation, and attack detection for real-time connections.
Comprehensive security controls for gRPC services: method authorization, rate limiting, metadata inspection, and reflection control.
Pattern-based security for AI APIs: prompt injection detection, jailbreak prevention, PII detection, and schema validation for LLM traffic.
Authentication and authorization agent supporting JWT, OIDC, API keys, Basic auth, SAML SSO, mTLS, Cedar policies, and token exchange.
Full OWASP Core Rule Set (CRS) support via libmodsecurity with 800+ detection rules.
Pure Rust WAF with 285 detection rules, anomaly scoring, API security, schema validation, bot protection, and n-gram based payload analysis.
Comprehensive bot detection with multi-signal analysis, known bot verification, and behavioral tracking.
Pure Rust ModSecurity-compatible WAF with full OWASP CRS support - no C dependencies required.
IoT protocol security for MQTT: topic-based ACLs, client authentication, payload inspection, rate limiting, and QoS enforcement.
Block requests based on IP addresses, CIDR ranges, or custom patterns with real-time updates.
PII protection agent with reversible tokenization, format-preserving encryption, and pattern-based masking for JSON, XML, and form data.
Malware scanning agent using the ClamAV daemon for file upload protection.
GraphQL-specific security controls including query depth limiting, complexity analysis, introspection control, and field-level authorization.