Guarding Your Code: The Rise of Mamoru-WAF
February 25, 2026
Discover how Mamoru-kun, a lightweight Go-based guardian, brings enterprise-grade security and a stunning TUI to your hobby projects.
software-engineering · golang · security · cybersecurity · open-source
"Security shouldn't be a luxury for hobbyists, but big tech definitely thinks it should be."
Hot take: if configuring your WAF requires a 40-page enterprise PDF, an external Redis cluster for rate limiting, and a dedicated DevOps engineer crying in a corner — it was never built for you. It was built for a $2M-budget enterprise with annual compliance audits. You are a solo dev building a Next.js side project. Different audience. Different budget.
Unfortunately, the exact same bots are currently probing your API for SQL injection vulnerabilities.
The WAF market looked at hobbyists and basically went: "figure it out or go unprotected, also that'll be $200/month." Cool. Incredibly thoughtful of them.
Enter Mamoru-WAF. Built in Go. Single binary. Zero external dependencies. Running in 60 seconds. If sqlmap is scanning your side project right now, there is genuinely no excuse left after this post.

Who Asked for Enterprise WAFs? (Not You)
Let's price this out real quick:
- Cloudflare WAF: $200/month before you even look at the features list.
- AWS WAF: Charged per rule, per request, per configuration change. You basically pay them every time someone tries to hack you. Great business model.
- ModSecurity with Apache: Free! Just enjoy reading the 300-page documentation while configuring your regex rules manually.
Mamoru-WAF: go build -o mamoru ./cmd/server. Done. You're protected.
No Redis required. No Postgres database spanning three Availability Zones just to store some logs. No YAML config that reads like a legally binding contract. Just Go, a rules.yaml you can understand while exhausted, and Mamoru-kun — who is definitively more invested in your security posture than whatever SaaS tool you're currently ignoring emails from.
The Part Where It Does Real Security
Nobody:
Enterprise WAF vendors: "Have you completed our 14-step onboarding wizard and talked to Sales?"
Here's what's actually running under the hood in Mamoru (and yes, it actually protects against the OWASP Top 10):
- Regex Pattern Matching: Catches SQLi (union, select, drop, sleep), XSS (<script>, onerror=), and path traversal (../) before your backend even knows a request happened.
- Token-Bucket Rate Limiting: Per-IP, per-path, configurable globally. Your poorly optimized /api/login endpoint will not survive 500 requests per second anymore. Good. Let the bots hit the WAF instead.
- Body Inspection: POST request bodies get the full treatment. Your "contact us" form cannot be an attack vector anymore.
The AtomicEngine handles hot reload. You can literally edit rules.yaml live, and the updates apply in 2 seconds without dropping any active connections. Realtime security config changes on a hobby budget. Completely unhinged in the best way possible.
```go
// The Rule interface: simple, powerful, and modular.
type Rule interface {
	Name() string
	Evaluate(r *http.Request) (blocked bool, reason string)
}
// You can literally write your own rule in 5 lines of Go. Try doing that in AWS WAF without a PhD.
```
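As an added example (not Mamoru's own code), a PatternRule that implements the two-method Rule interface above: it percent-decodes the path and query, inspects a bounded prefix of the POST body, and re-wraps r.Body so the proxied backend still receives the full request. The pattern strings and the maxBody limit are assumptions, not the project's shipped rules.yaml.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
	"net/url"
	"regexp"
)

// Rule is the two-method interface from the post; PatternRule implements it.
type Rule interface {
	Name() string
	Evaluate(r *http.Request) (blocked bool, reason string)
}

// PatternRule matches the decoded path+query and a bounded body prefix (illustrative patterns, not Mamoru's).
type PatternRule struct {
	name     string
	patterns []*regexp.Regexp
	maxBody  int64
}

func NewPatternRule(name string, exprs []string, maxBody int64) Rule {
	p := &PatternRule{name: name, maxBody: maxBody}
	for _, e := range exprs { // (?i): "UnIoN SeLeCt" must not slip past a lowercase rule
		p.patterns = append(p.patterns, regexp.MustCompile("(?i)"+e))
	}
	return p
}

func (p *PatternRule) Name() string { return p.name }
func (p *PatternRule) Evaluate(r *http.Request) (bool, string) {
	target := r.URL.RequestURI()
	if dec, err := url.QueryUnescape(target); err == nil { // see %20UNION%20SELECT as the backend will
		target = dec
	}
	if r.Body != nil && r.ContentLength != 0 {
		// Read a bounded prefix, then re-wrap so the proxied backend still gets the whole body.
		b, _ := io.ReadAll(io.LimitReader(r.Body, p.maxBody))
		r.Body = io.NopCloser(io.MultiReader(bytes.NewReader(b), r.Body))
		target += "\n" + string(b)
	}
	for _, re := range p.patterns {
		if re.MatchString(target) {
			return true, p.name + ": matched " + re.String()
		}
	}
	return false, ""
}
```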
The Part Nobody Expected: A Gorgeous TUI
Have you ever looked at a WAF log? It's a wall of scrolling, unreadable JSON that actively hurts your eyes. So I fixed that too.
Nobody asked for a WAF with a Catppuccin sage-green terminal dashboard. Nobody asked, and yet I built it, and it absolutely slaps. Built with Bubble Tea, the TUI is a real command center:
| Feature | What It Actually Does |
|---|---|
| Live Event Log | Blocked requests hit the screen in real-time with reason, IP, and timestamp. You see exactly who is trying to hack you. |
| Backend Health | Your proxied services — are they alive? This panel actually has the answer. |
| Interactive Hotkeys | r to reload rules live. d to toggle detect mode. q when you've seen enough and want to go to sleep. |

The Hot Take Conclusion
Your side project with 50 daily active users still gets bot-scanned. "I'm just a hobby project" is not a valid threat model.
You do not need a $200/month enterprise subscription. You need a single Go binary, a YAML file, and 60 seconds of your time.
- Get Started: go build -o mamoru ./cmd/server
- Contribute: Implement new rules in internal/rules/. The interface is literally two methods. I dare you to make an excuse.
- Deploy: 15MB Docker image. Free tier friendly.
Protect your stuff. It's not complicated. Mamoru-kun is watching.