Essay
Guarding Your Code: The Rise of Mamoru-WAF
Discover how Mamoru-kun, a lightweight Go-based guardian, brings enterprise-grade security and a stunning TUI to your hobby projects.
Nobody Will Hack My Side Project... Right?
Narrator: The bots were already scanning it.
Hot take: the same sqlmap script hammering Fortune 500 APIs is also currently probing your portfolio project with 50 daily active users. The bots do not care that you're "just a hobby project." They are not reading your README.
The WAF market's solution for this is extremely helpful: $200/month for Cloudflare WAF, or AWS WAF where you pay per rule, per request, and probably per time you think about security. ModSecurity is technically free if you enjoy reading 300 pages of Apache documentation at midnight.
Nobody built a WAF for the person who just wants their side project to stop getting SQL-injected.
So I did.
Introducing Mamoru-WAF
Single Go binary. Zero external dependencies. No Redis cluster. No Postgres spanning three Availability Zones just to store block logs. Just:
go build -o mamoru ./cmd/server
./mamoru --tui
You're protected. That's the whole pitch.
The Part Where It Does Real Security
Mamoru covers the OWASP Top 10 staples that are most likely to ruin your week:
Regex pattern matching catches SQLi (union, select, drop, sleep), XSS (<script>, onerror=), and path traversal (../) before the request reaches your backend. Your backend doesn't even know it happened.
Token-bucket rate limiting runs per-IP, per-path, configurable. That /api/login endpoint you never hardened? It now has a bouncer.
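A token-bucket limiter written against the two-method rule interface, keyed on client IP plus path so that a burst at /api/login does not eat the same client's budget elsewhere. This is an added example, not Mamoru's own code: the `Rule` interface's `Evaluate` signature, the `TokenBucket` type and the `rate_limiter:rate_limit` reason string are assumptions modelled on what the post shows.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"sync"
	"time"
)

// Rule is the two-method interface the post describes; the exact Evaluate
// signature is this example's assumption, not the project's.
type Rule interface {
	Name() string
	Evaluate(r *http.Request) (blocked bool, reason string)
}

// TokenBucket is a hypothetical per-IP, per-path limiter. Each key holds up
// to capacity tokens, refilled continuously at refill tokens per second, and
// every request spends one; an empty bucket means the request is rate-limited.
type TokenBucket struct {
	mu       sync.Mutex
	capacity float64
	refill   float64
	buckets  map[string]*bucket
	Now      func() time.Time // injectable clock so tests can control time
}

type bucket struct {
	tokens float64
	last   time.Time
}

func NewTokenBucket(capacity, refillPerSec float64) *TokenBucket {
	return &TokenBucket{capacity: capacity, refill: refillPerSec,
		buckets: map[string]*bucket{}, Now: time.Now}
}

func (t *TokenBucket) Name() string { return "rate_limiter" }

// Allow credits the tokens earned since the last call for key, then tries
// to spend one. Refilling lazily avoids a background ticker per client.
func (t *TokenBucket) Allow(key string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	now := t.Now()
	b, ok := t.buckets[key]
	if !ok {
		b = &bucket{tokens: t.capacity, last: now}
		t.buckets[key] = b
	}
	b.tokens = math.Min(t.capacity, b.tokens+now.Sub(b.last).Seconds()*t.refill)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Evaluate keys the bucket on client IP plus path, so a burst against
// /api/login does not consume the budget of the same client's other requests.
func (t *TokenBucket) Evaluate(r *http.Request) (bool, string) {
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		ip = r.RemoteAddr // address carried no port
	}
	if !t.Allow(ip + " " + r.URL.Path) {
		return true, "rate_limiter:rate_limit"
	}
	return false, ""
}

func main() {
	var rule Rule = NewTokenBucket(3, 1) // burst of 3, then one request per second
	req, _ := http.NewRequest("GET", "http://localhost/api/login", nil)
	req.RemoteAddr = "10.0.0.50:4444" // constructed sample client
	for i := 0; i < 5; i++ {
		blocked, reason := rule.Evaluate(req)
		fmt.Println(i+1, blocked, reason)
	}
}
```

One caveat worth keeping in mind when you deploy something like this: `RemoteAddr` is the TCP peer. If the WAF sits behind a load balancer or CDN, every client shares the proxy's address and the limiter throttles everyone at once; in that setup the key has to come from a forwarded-for header that only the trusted proxy can set.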
Request body inspection means your contact form also can't be an attack vector anymore. Yes, POST bodies are checked too.
The rule engine uses a dead-simple Go interface: Name() and Evaluate(). Two methods. You can write a custom rule in 5 lines of Go. Try doing that in AWS WAF without a certification.
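To make the Name()/Evaluate() idea concrete, here is an added example (not code from the Mamoru repository) of a regex rule for the three pattern classes above plus the engine loop that runs rules in order and stops at the first hit. The `Rule` interface's `Evaluate` signature, the `PatternRule` type, the reason format `<name>:pattern_match` and the regexes themselves are assumptions. The one detail worth copying is that the rule URL-decodes and lower-cases the path, query string and body before matching, so an encoded or mixed-case payload is judged by the same pattern as the plain spelling.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Rule is the two-method interface the post describes; the exact Evaluate
// signature (request plus the already-read body) is this example's assumption.
type Rule interface {
	Name() string
	Evaluate(r *http.Request, body string) (blocked bool, reason string)
}

// PatternRule is a hypothetical regex rule. It URL-decodes and lower-cases
// the path, query string and body before matching, so that an encoded or
// mixed-case payload is judged by the same pattern as the plain spelling.
type PatternRule struct {
	name string
	re   *regexp.Regexp
}

func (p PatternRule) Name() string { return p.name }

func (p PatternRule) Evaluate(r *http.Request, body string) (bool, string) {
	for _, raw := range []string{r.URL.Path, r.URL.RawQuery, body} {
		decoded, err := url.QueryUnescape(raw)
		if err != nil {
			decoded = raw // malformed escape sequence: judge the raw text
		}
		if p.re.MatchString(strings.ToLower(decoded)) {
			return true, p.name + ":pattern_match"
		}
	}
	return false, ""
}

// DefaultRules builds one rule per class the post lists: SQLi, XSS, path
// traversal. The patterns are illustrative, not the project's own rules.yaml.
func DefaultRules() []Rule {
	return []Rule{
		PatternRule{"sqli", regexp.MustCompile(`\b(union\s+select|drop\s+table|sleep\s*\()`)},
		PatternRule{"xss", regexp.MustCompile(`<script|onerror\s*=`)},
		PatternRule{"traversal", regexp.MustCompile(`\.\./`)},
	}
}

// Inspect is the engine loop: rules run in order and the first one that
// fires decides, so the request never reaches the backend.
func Inspect(rules []Rule, r *http.Request, body string) (bool, string) {
	for _, rule := range rules {
		if blocked, reason := rule.Evaluate(r, body); blocked {
			return true, reason
		}
	}
	return false, ""
}

func main() {
	// Constructed sample requests: one clean, one with a URL-encoded traversal.
	clean, _ := http.NewRequest("GET", "http://localhost/", nil)
	probe, _ := http.NewRequest("GET", "http://localhost/files?name=%2e%2e%2fconfig", nil)
	fmt.Println(Inspect(DefaultRules(), clean, ""))
	fmt.Println(Inspect(DefaultRules(), probe, ""))
}
```

Two design notes. Decoding once before matching is what keeps a list of regexes honest; without it, each pattern needs its own encoded variants and the list never ends. And the body string is passed in already read, because whoever reads the body (the WAF) must also put it back for the backend, which is a detail this snippet leaves to the proxy layer.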
Hot Reload: Because Downtime Is For Enterprises
The AtomicEngine handles live rule reloading. Edit rules.yaml, save it, and the new rules are live in 2 seconds — no restarts, no dropped connections, no maintenance windows.
You can toggle between BLOCK mode (hard blocks) and DETECT mode (logs only, nothing blocked) with a keypress. Useful for when you want to watch what's happening before you commit to blocking it.
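The mechanism behind a lock-free live reload, as an added example rather than Mamoru's actual AtomicEngine: the live rule slice sits behind an `atomic.Value`, so installing a new rule set is one pointer swap, and the BLOCK/DETECT mode is an atomically toggled integer. The `Rule` interface's `Evaluate` signature, the `Verdict` type, `SubstringRule` and the method names on `AtomicEngine` are this example's own assumptions; only the names BLOCK, DETECT and AtomicEngine come from the post.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync/atomic"
)

// Mode is the engine's disposition. BLOCK and DETECT are the post's names;
// the int32 representation is this example's choice so it can be swapped atomically.
type Mode int32

const (
	ModeBlock  Mode = iota // matching requests are rejected
	ModeDetect             // matching requests are only recorded
)

// Rule is the post's two-method interface; the Evaluate signature is assumed.
type Rule interface {
	Name() string
	Evaluate(r *http.Request) bool
}

// SubstringRule is a deliberately tiny stand-in for a real pattern rule.
type SubstringRule struct{ name, needle string }

func (s SubstringRule) Name() string { return s.name }

func (s SubstringRule) Evaluate(r *http.Request) bool {
	q, err := url.QueryUnescape(r.URL.RawQuery)
	if err != nil {
		q = r.URL.RawQuery // malformed escape: judge the raw query
	}
	return strings.Contains(strings.ToLower(q), s.needle)
}

// Verdict is what the engine reports for one request.
type Verdict struct {
	Blocked  bool   // a rule fired and the mode was BLOCK
	Detected bool   // a rule fired, in either mode
	Rule     string // name of the rule that fired
}

// AtomicEngine keeps the live rule set behind an atomic.Value, so a reload is
// one pointer swap: requests already in flight finish with the slice they
// loaded, new requests see the new slice, and the request path takes no lock.
type AtomicEngine struct {
	rules atomic.Value // always holds a []Rule
	mode  int32        // Mode, read and written atomically
}

func NewAtomicEngine(rules []Rule) *AtomicEngine {
	e := &AtomicEngine{}
	e.Reload(rules)
	return e
}

// Reload installs a new rule set; the server keeps serving throughout.
func (e *AtomicEngine) Reload(rules []Rule) { e.rules.Store(rules) }
func (e *AtomicEngine) Rules() []Rule       { return e.rules.Load().([]Rule) }
func (e *AtomicEngine) Mode() Mode          { return Mode(atomic.LoadInt32(&e.mode)) }

// ToggleMode flips BLOCK <-> DETECT, as the post's keypress does, and returns
// the new mode. The CAS loop makes sure no toggle is lost under concurrency.
func (e *AtomicEngine) ToggleMode() Mode {
	for {
		old := atomic.LoadInt32(&e.mode)
		next := int32(ModeBlock)
		if Mode(old) == ModeBlock {
			next = int32(ModeDetect)
		}
		if atomic.CompareAndSwapInt32(&e.mode, old, next) {
			return Mode(next)
		}
	}
}

// Inspect runs the current rule set; the mode decides whether a hit blocks.
func (e *AtomicEngine) Inspect(r *http.Request) Verdict {
	for _, rule := range e.Rules() {
		if rule.Evaluate(r) {
			return Verdict{Blocked: e.Mode() == ModeBlock, Detected: true, Rule: rule.Name()}
		}
	}
	return Verdict{}
}

func main() {
	e := NewAtomicEngine([]Rule{SubstringRule{"sqli", "union select"}})
	probe, _ := http.NewRequest("GET", "http://localhost/s?q=1+union+select+2", nil) // constructed
	fmt.Printf("%+v\n", e.Inspect(probe))             // blocked by sqli
	e.ToggleMode()                                    // now DETECT
	fmt.Printf("%+v\n", e.Inspect(probe))             // detected, not blocked
	e.Reload([]Rule{SubstringRule{"xss", "<script"}}) // as if rules.yaml were edited and saved
	fmt.Printf("%+v\n", e.Inspect(probe))             // no rule fires any more
}
```

The file watching that turns a saved rules.yaml into a `Reload` call is left out here. The one property to insist on in that code path is parse-before-swap: build and validate the whole new slice first, and only then store it, so a typo in the YAML leaves the previous good rule set in place instead of an empty one.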
The TUI Nobody Asked For
I built a Catppuccin sage-green terminal dashboard because WAF logs are otherwise a wall of unreadable JSON and I couldn't live with that.
🛡 MAMORU-WAF Mode: BLOCK │ Backend: ● UP
Total: 1250 Blocked: 23 Rate: 2 Detected: 0
─────────────────────────────────────────────────────────────────
Live Events
12:30:01 [OK] 192.168.1.5 GET /
12:30:03 [BLOCK] 10.0.0.50 POST /login pattern_filter:pattern_match
12:30:05 [RATE] 10.0.0.50 GET /api rate_limiter:rate_limit
─────────────────────────────────────────────────────────────────
q quit │ r reload │ m mode │ c clear │ h help
Built with Bubble Tea. Real-time event log. Backend health panel. Interactive hotkeys. r reloads rules live. d toggles detect mode. q when you've seen enough and need to go to bed.
Nobody asked for a WAF with a terminal dashboard this nice. I built it anyway. It slaps.
The Honest Assessment
Your side project is getting bot-scanned. "I don't have anything worth stealing" is not a threat model. Neither is "I'll add security later."
Mamoru is a 15MB Docker image, a YAML file you can read while half-asleep, and a Go binary that takes 60 seconds to get running.
go build -o mamoru ./cmd/server
That's it. Mamoru-kun is now watching your traffic so you don't have to.
GitHub — the CONTRIBUTING.md has a guide. The rule interface is two methods. There is no valid excuse.