Skip to main content

Feed web app IoCs back to OneFirewall

Many internet-facing web applications aren’t protected by a Web Application Firewall (WAF) or an advanced IDS that inspects web payloads. As a result, a large number of web attacks can go unnoticed. This page explains how to configure your web application to automatically feed Indicators of Compromise (IoCs) to OneFirewall whenever malicious activity is detected — without installing or maintaining separate security appliances.

Why this helps

  • Detect more attacks — capture suspicious requests your perimeter tools miss.
  • Centralised telemetry — OneFirewall aggregates IoCs from all your apps for faster investigation.
  • Low operational overhead — no extra WAF/IDS product to deploy or manage.
  • Faster response — automated feeds speed up blocking and threat hunting.

How it works (high level)

  1. Your web app (or its runtime/logging layer) detects suspicious activity or extracts IoCs from logs.
  2. The app sends those IoCs (IP addresses, URLs, user-agents, file hashes, etc.) to OneFirewall via a secure API.
  3. OneFirewall ingests the IoCs, enriches and correlates them, and applies blocking or alerting rules across your environment.

Step 1 — Create an Account

  1. Go to https://app.onefirewall.com and create an account.
  2. Generate an API Token and store it securely (e.g., in a password manager or secrets vault).
💡 If you don’t have an active account, please contact [email protected].

Step 2 - Set the Env Variables

Create / update your .env file (or environment variables for your app)
Speak with OneFirewall team to define the tag for you report-XXXXXXXX
These settings control how your application submits unauthorized access attempts and anomalies to OneFirewall.

Step 3 — Create Middleware

In your web application, implement middleware that intercepts all incoming requests and records any response that does not return a 200 OK status. Examples of status codes to capture:
  • 401 Unauthorized
  • 403 Forbidden
  • 404 Not Found
  • Other unexpected error codes
This ensures anomalous or suspicious activity is consistently detected and logged.

Step 4 — Submit Feeds to OneFirewall

  • Each time an anomaly is detected, add the event to your local feed queue.
  • Once the number of queued events reaches the value defined in ONEFIREWALL_BULK, send the batch to OneFirewall using the API.
This batching approach improves efficiency, reduces API overhead, and ensures timely reporting of Indicators of Compromise (IoCs).

Example of Code Snippets

NodeJS with Express module

GoLang with Fiber module

Python3 with FastAPI