UUSEC WAF
An industrial-grade, free, high-performance web application firewall and API security gateway with AI, semantic engines, HIPS, and RASP protection.
At a Glance
About UUSEC WAF
UUSEC WAF is a web application firewall (WAF) and API security gateway (WAAP) developed by UUSEC Technology, available as open-source software under the BSD 2-Clause license. It operates as a cloud WAF reverse proxy and delivers three-layer defense covering the traffic layer, system layer, and application runtime layer. The project is hosted on GitHub and, according to the repository, reached v7.2.1 as of May 2026.
What It Is
UUSEC WAF is a self-hosted, reverse-proxy WAF that sits in front of web applications and APIs to detect and block attacks including SQL injection, XSS, RCE, LFI, HTTP flood, and zero-day exploits. It is built on nginx and LuaJIT, deployed via Docker, and managed through a browser-based admin interface. The product targets security administrators and website operators who need enterprise-grade protection without relying on a cloud SaaS vendor.
Three-Layer Defense Architecture
The product's headline differentiator is its three-layer defense model:
- Traffic layer: Semantic analysis engines for SQL, XSS, RCE, and LFI, combined with deep decoding (base64, JSON, form data) to resist WAF bypass techniques.
- System layer (HIPS): Host Intrusion Prevention System that intercepts low-level attacks at the kernel layer, including process network communication restrictions, file read/write controls, privilege escalation blocking, and overflow attack prevention.
- Runtime layer (RASP): Runtime Application Self-Protection inserted into Java JVM and PHP Zend engines to track runtime context and block web zero-day exploits from within the application.
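A worked illustration of the traffic-layer point above, added here and not code from the UUSEC WAF project: a WAF that matches signatures only against the raw request body misses a payload wrapped in base64 inside JSON inside a form field, while recursively peeling those layers exposes the leaf strings the detection engine should actually inspect. The request, the parameter names and the deliberately narrow SQL-injection signature are constructed for the example and stand in for a real semantic engine.

```python
"""Deep decoding of request parameters before inspection.

Added example, not UUSEC WAF's own engine. Shows why raw-body signature
matching misses encoded payloads and how peeling JSON / form / base64 /
percent-encoding layers exposes them. Request data is constructed.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Illustrative, deliberately narrow SQL-injection signature standing in for a
# detection engine. It is NOT a real WAF rule set.
SQLI = re.compile(r"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|sleep\s*\()")

MAX_DEPTH = 6  # bound recursion so deeply nested encodings cannot exhaust the inspector


def _try_base64(s):
    """Return decoded text if s is base64 of printable UTF-8, else None."""
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        out = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return out if out.isprintable() else None


def leaves(value, path="body", depth=0):
    """Yield (path, text) for every string reachable by peeling JSON,
    form-encoding, base64 and percent-encoding layers, depth-first."""
    if depth > MAX_DEPTH:
        return
    if isinstance(value, dict):
        for k, v in value.items():
            yield from leaves(v, f"{path}.{k}", depth + 1)
        return
    if isinstance(value, list):
        for i, v in enumerate(value):
            yield from leaves(v, f"{path}[{i}]", depth + 1)
        return
    if not isinstance(value, str):
        return
    yield path, value
    if value[:1] in ("{", "["):                      # JSON layer
        try:
            yield from leaves(json.loads(value), path + "{json}", depth + 1)
            return
        except ValueError:
            pass
    if "=" in value and ("&" in value or "%" in value):   # form layer; parse_qsl percent-decodes
        for k, v in parse_qsl(value, keep_blank_values=True):
            yield from leaves(v, f"{path}{{form}}.{k}", depth + 1)
        return
    decoded = _try_base64(value)                     # base64 before unquote_plus, which would eat '+'
    if decoded is not None:
        yield from leaves(decoded, path + "{b64}", depth + 1)
        return
    unquoted = unquote_plus(value)                   # stray percent-encoding
    if unquoted != value:
        yield from leaves(unquoted, path + "{url}", depth + 1)


# Constructed request: an SQL-injection payload hidden in JSON that is itself
# base64-encoded into one field of an ordinary form body.
INNER = json.dumps({"user": "admin", "filter": "' OR '1'='1"})
TOKEN = base64.b64encode(INNER.encode()).decode()
SAMPLE_BODY = f"token={TOKEN}&lang=en"


def raw_match(body):
    """What a WAF without deep decoding sees: the signature over the raw body."""
    m = SQLI.search(body)
    return m.group(0) if m else None


def deep_match(body):
    """Deepest (path, text) leaf matching the signature, or None if clean."""
    hits = [(p, t) for p, t in leaves(body) if SQLI.search(t)]
    return hits[-1] if hits else None


if __name__ == "__main__":
    print("raw :", raw_match(SAMPLE_BODY))    # None: the payload is invisible in base64
    print("deep:", deep_match(SAMPLE_BODY))   # path and leaf that carried the injection
```

Two design points matter in practice: the recursion is depth-bounded so a request nested many layers deep cannot turn the decoder itself into a denial-of-service vector, and base64 is tried before plus-sign decoding so that a legitimate `+` in base64 text is not turned into a space. The path reported with the match tells the operator which field and which chain of encodings carried the payload.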
AI and Semantic Detection Engines
UUSEC WAF applies machine learning anomaly detection to distinguish normal HTTP traffic from attack traffic. It learns the parameter characteristics of normal traffic automatically and builds whitelist rule libraries from them, which the vendor says allows zero-day interception without manual rule updates. The vendor publishes an internal benchmark over 33,669 samples in which the Pro edition reaches a 98.97% detection rate at a 0.01% false-positive rate, against 69.74% detection and 17.58% false positives for ModSecurity Level 1. These are vendor-reported figures on the vendor's own sample set; treat them as a claim to verify against your own traffic rather than as an independent result.
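As an added illustration of the learn-then-enforce idea described above (example code, not UUSEC WAF's own learning engine), the following builds a whitelist profile per endpoint and parameter from constructed clean traffic, recording the longest value seen and the narrowest character class that covers every sample, and then flags requests whose parameters fall outside that envelope or that were never seen during learning. The endpoints, parameter names and thresholds (`min_samples`, `slack`) are assumptions for the example.

```python
"""Learning per-parameter whitelist profiles from normal traffic, then enforcing them.

Added example, not UUSEC WAF's own learning engine. Endpoints, parameters
and thresholds are assumptions; training traffic is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Character classes ordered from most to least restrictive; a parameter is
# assigned the narrowest class that still covers every training value.
CLASSES = (
    ("digits", re.compile(r"[0-9]+")),
    ("alnum", re.compile(r"[A-Za-z0-9]+")),
    ("token", re.compile(r"[A-Za-z0-9_.@-]+")),
    ("text", re.compile(r"[^<>'\"`;\\]+")),   # free text without common metacharacters
    ("any", re.compile(r"[\s\S]*")),
)


@dataclass
class Profile:
    max_len: int = 0
    cls: int = 0        # index into CLASSES
    samples: int = 0

    def fit(self, value):
        self.samples += 1
        self.max_len = max(self.max_len, len(value))
        while not CLASSES[self.cls][1].fullmatch(value):   # widen only as far as needed
            self.cls += 1

    def check(self, value, slack=1.5):
        """Reason string if value falls outside the learned envelope, else None."""
        if len(value) > self.max_len * slack:
            return f"length {len(value)} exceeds learned max {self.max_len}"
        if not CLASSES[self.cls][1].fullmatch(value):
            return f"character class outside learned '{CLASSES[self.cls][0]}'"
        return None


class ParamLearner:
    """Builds a profile per (method, path, parameter) from traffic assumed to
    be clean, then judges new requests against those profiles."""

    def __init__(self, min_samples=3):
        self.profiles = defaultdict(Profile)
        self.min_samples = min_samples

    def learn(self, method, path, params):
        for name, value in params.items():
            self.profiles[(method, path, name)].fit(value)

    def evaluate(self, method, path, params):
        """List of (parameter, reason) anomalies. Endpoints never seen during
        learning are not judged; unknown parameters on a learned endpoint are."""
        if not any(k[:2] == (method, path) for k in self.profiles):
            return []
        findings = []
        for name, value in params.items():
            prof = self.profiles.get((method, path, name))   # .get() does not create entries
            if prof is None:
                findings.append((name, "parameter not seen during learning"))
            elif prof.samples < self.min_samples:
                continue   # too little evidence to enforce yet
            else:
                reason = prof.check(value)
                if reason is not None:
                    findings.append((name, reason))
        return findings


# Constructed learning traffic: the clean requests a learning phase would
# observe before enforcement is switched on.
TRAINING = [
    ("GET", "/product", {"id": "1042", "sort": "price"}),
    ("GET", "/product", {"id": "77", "sort": "name"}),
    ("GET", "/product", {"id": "3105", "sort": "price"}),
    ("GET", "/product", {"id": "5", "sort": "rating"}),
    ("POST", "/login", {"user": "alice", "pw": "Tr0ub4dor&3"}),
    ("POST", "/login", {"user": "bob_smith", "pw": "correct horse"}),
    ("POST", "/login", {"user": "carol.j", "pw": "p@ssw0rd!"}),
]


def build_learner():
    learner = ParamLearner()
    for method, path, params in TRAINING:
        learner.learn(method, path, params)
    return learner


if __name__ == "__main__":
    waf = build_learner()
    print(waf.evaluate("GET", "/product", {"id": "88", "sort": "name"}))        # clean
    print(waf.evaluate("GET", "/product", {"id": "7 OR 1=1", "sort": "name"}))  # too long for 'id'
    print(waf.evaluate("POST", "/login", {"user": "dave", "pw": "x<b>y"}))      # metacharacter in 'pw'
```

The trade-off this makes visible is the one every positive-security model carries: the learning window must contain only clean, representative traffic, or an attacker's inputs become part of the baseline, and a parameter observed too rarely (below `min_samples`) is left unenforced rather than generating false positives.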
Advanced Rule and Plugin Engine
Beyond built-in detection, UUSEC WAF exposes a Lua script rule engine that allows advanced administrators to write custom vulnerability protection rules and plugins. Rules published in the management backend take effect immediately without restarting the service. The vendor states this flexibility exceeds most free WAF products including ModSecurity. The CDN acceleration module includes a self-developed cache purge feature supporting regular expression URL path matching, which the vendor claims surpasses the commercial nginx proxy_cache_purge module.
Deployment and Setup
Installation requires Docker CE 20.10.14 or later and Docker Compose 2.0.0 or later, and is completed with a single shell command. The WAF runs on Linux x86_64 and listens on ports 80 and 443 by default in reverse-proxy mode. The management interface is served at https://<waf-server-ip>:4443; since it controls every protected site, restrict that port to administrative networks rather than exposing it alongside 80 and 443. Setup consists of adding sites, uploading SSL certificates (or requesting Let's Encrypt certificates automatically), and updating DNS A records to point at the WAF server.
Update: v7.2.1
The latest release is v7.2.1, published on May 16, 2026. The repository was last pushed on May 19, 2026, indicating active development. The project has accumulated over 1,600 GitHub stars and 163 forks since its creation in September 2022, with 81 open issues at the time of data collection.
Pricing
Community Edition
Free open-source edition with core WAF and API security features, up to 10 sites.
- Sites management (max 10 sites)
- Vulnerabilities protection
- HTTP flood protection
- Backdoor detection
- Business security
Professional Edition
Commercial edition with unlimited sites, machine learning, HIPS, RASP, enhanced rules, data masking, and technical support.
- Unlimited sites
- All Community Edition features
- Multi-tenant support
- Enhanced rules
- Data masking
- Technical support
- Machine learning
- HIPS
- RASP
Business Edition
Custom enterprise edition with all Professional features plus cluster management and customized development.
- All Professional Edition features
- Cluster management
- Customized development
Capabilities
Key Features
- Web Application Firewall (WAF)
- API Security Gateway (WAAP)
- AI-based anomaly detection for 0-day defense
- Semantic analysis engines for SQL, XSS, RCE, LFI
- HIPS (Host Intrusion Prevention System)
- RASP (Runtime Application Self-Protection) for Java JVM and PHP Zend
- HTTP flood protection
- CDN acceleration with regex-based cache purge
- Lua script rule engine for custom plugins
- Immediate rule deployment without restart
- Let's Encrypt free SSL certificate support with auto-renewal
- Multi-tenant support (commercial editions)
- Load balancing
- Data masking (commercial editions)
- Cluster management (commercial editions)
- Compliance audit logging
- Regional restrictions
- Backdoor detection
- Business security rules
- Browser-based management interface