> ## Documentation Index
> Fetch the complete documentation index at: https://docs.typeauth.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> Implement  API security with TypeAuth's WAF and geoblocking features. Protect against common vulnerabilities and geographic-based threats.

TypeAuth provides robust security features to protect your applications from various threats. Our security suite includes a Web Application Firewall (WAF) and Geoblocking capabilities, helping you maintain a strong security posture.

## Web Application Firewall (WAF)

TypeAuth's WAF provides protection against common web vulnerabilities and attacks through a comprehensive rule set.

### Overview

The WAF includes:

* OWASP Core Rule Set integration
* TypeAuth managed security rules
* Real-time threat detection and blocking
* Low false-positive rate

### Key Protections

Our WAF protects against:

* SQL Injection attacks
* Cross-Site Scripting (XSS)
* Remote Code Execution
* Local File Inclusion
* Remote File Inclusion
* HTTP Protocol Violations
* Common Web Attacks

### Configuration

#### Via Dashboard

1. Navigate to Security
2. Select "Application Security"
3. Toggle WAF status (Enable/Disable)

#### [Via API](https://docs.typeauth.com/api-reference/security)

```http theme={null}
PATCH /{account_id}/security/waf/{application_id}?status=enable
```

### OWASP Rules

TypeAuth implements the OWASP Core Rule Set, which provides:

* Protocol violation checks
* Request limits
* HTTP policy enforcement
* Bad robots detection
* Security scanner detection

## Geoblocking

Control access to your applications based on geographic regions.

### Available Regions

TypeAuth offers predefined region configurations:

* 🌎 US (United States)
* 🇪🇺 EU (European Union)
* 🇮🇳 IN (India)
* 🌐 US and EU combined
* 🦘 AU (Australia)
* 🇩🇪 GE (Germany)
* 🔒 TOR and Open Proxies

### Configuration

#### Via Dashboard

1. Navigate to Application Settings
2. Select "Geoblocking"
3. Choose allowed regions
4. Save configuration

#### [Via API](https://docs.typeauth.com/api-reference/security)

```http theme={null}
PATCH /{account_id}/security/geoblock/{application_id}?area=US

```

### Behavior

* Only traffic from selected regions will be allowed
* All other traffic will be blocked with a 403 Forbidden response
* IP geolocation is performed at the edge for minimal latency

<Note>If you select "TOR and Open Proxies" TypeAuth will block traffic from those regions</Note>

## Security Best Practices

### 1. WAF Implementation

✅ **Always Keep WAF Enabled**

* The WAF is your first line of defense
* Protects against known vulnerabilities
* Regular updates with new security rules

❌ **Risks of Disabled WAF**

* Exposure to common attack vectors
* Increased vulnerability to zero-day exploits
* No protection against automated attacks

### 2. Geoblocking Strategy

Consider these factors when configuring geoblocking:

* Your user base location
* Compliance requirements
* Business operations regions
* Known threat origins

### 3. Monitoring and Alerts

Monitor security events through:

* TypeAuth Map Hiys
* Security Event logs
* Traffic analytics

## Implementation Guide

### 1. Basic Security Setup

```http theme={null}
POST /api/v1/applications/{application_id}/security/basic
Content-Type: application/json

{
  "waf_enabled": true,
  "geoblocking": {
    "enabled": true,
    "allowed_regions": ["US", "EU"]
  }
}
```

## Response Codes

| Code | Description       | Cause                             |
| ---- | ----------------- | --------------------------------- |
| 403  | Forbidden         | Geoblocking or WAF rule triggered |
| 429  | Too Many Requests | Rate limit exceeded               |

## Recommendations

1. **Always-On Security**
   * Keep WAF enabled
   * Configure appropriate geoblocking
   * Monitor security events

2. **Regular Reviews**
   * Check security logs
   * Review blocked traffic
   * Update regional restrictions

3. **Incident Response**
   * Monitor security alerts
   * Document security events
   * Update security policies

## Limitations

* Maximum of 10 custom WAF rules per application
* Geoblocking limited to predefined regions
* WAF rule updates may take up to 5 minutes to propagate

<Tip>If you need to a region that is not in the list, please send and email to [pablo@typeauth.com](mailto:pablo@typeauth.com)</Tip>

## Future Security Features

We are continuously working to enhance our security features. Upcoming additions will include:

* Custom WAF rules
* Advanced threat analytics

## Need Help?

For security-related questions or assistance, please contact our security team or refer to our detailed security documentation.