Security
Defense in depth, built in.
bext protects your workloads from the first request — WAF, TLS, plugin isolation, and hardened headers, with no third-party appliance or service.
Reporting Vulnerabilities
Warning
Do not open public GitHub issues for security vulnerabilities. Email security@bext.dev with details.
We aim to respond within 48 hours and provide a fix within 7 days for critical issues.
Built-in Security Features
WAF
SQLi/XSS detection, IP filtering, geo-blocking, bot protection
TLS
Auto-ACME, HSTS, OCSP stapling
Plugin Sandbox
WASM, QuickJS, nsjail isolation tiers
SSRF Prevention
Built-in safeguards for server actions
Rate Limiting
Token bucket per-IP rate limiting
Security Headers
bext sets these headers by default on all responses:
Strict-Transport-SecurityX-Content-Type-Options: nosniffX-Frame-Options: DENYReferrer-Policy: strict-origin-when-cross-origin