WebSocket Firewall

TsgcWebSocketFirewall is a comprehensive firewall component that protects your WebSocket and HTTP servers with fifteen protection modules, from IP blacklists to SQL injection and command injection detection.

Block, Throttle or Whitelist Connecting IPs

One component, fifteen protection modules, zero event wiring.

Fifteen Protections in One Component

TsgcWebSocketFirewall bundles IP blacklist/whitelist filtering, automatic brute-force banning, SQL injection and XSS pattern detection, connection rate limiting, message flood protection, GeoIP country filtering, dynamic threat scoring, path traversal and command injection detection, payload size limits, WebSocket-specific protections (origin validation, frame size limits, subprotocol filtering), progressive ban escalation, a custom-rules engine and real-time statistics.

Drop the component on your form, configure the modules you want, and assign it to the server's Firewall property — available on TsgcWebSocketServer, TsgcWebSocketHTTPServer and TsgcWebSocketServer_HTTPAPI. The firewall intercepts every connection and every message automatically and rejects offenders before your event handlers ever see them.

  • IP blacklist and whitelist with CIDR notation (e.g. 10.0.0.0/8)
  • Brute-force protection with automatic IP banning
  • SQL injection, XSS, path traversal and command injection detection
  • GeoIP country-based blocklist or allowlist
  • Dynamic threat scoring with auto-ban thresholds and decay
  • Progressive ban escalation for repeat offenders
  • WebSocket-specific origin / frame size / subprotocol checks
  • Persistent bans (SaveBansToFile / LoadBansFromFile)

Two Inspection Stages, Fifteen Modules

Connections are checked at TCP-accept time; messages are inspected on every payload.

On New Connection

The firewall evaluates the blacklist, whitelist, active bans, per-IP rate limits, GeoIP country and any matching custom rules. A blocked connection is rejected before the OnTCPConnect event ever fires — nothing reaches your application code.

On Message Received

Every payload is scanned for SQL injection, XSS, path traversal and command-injection patterns; the size is checked against the payload limit; flood protection counts messages per second per IP; threat scores are updated and custom rules re-evaluated. A violation disconnects the offending client and (depending on configuration) escalates the ban duration the next time they reconnect.

Threat Score & Ban Escalation

Every detected violation increments a per-IP threat score that decays over time. When the score crosses ThreatScore.AutoBanThreshold the IP is banned automatically. Repeat offenders climb the BanEscalation.Levels ladder — for example 5 minutes, 30 minutes, 2 hours, 24 hours, then permanent.
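The scoring and escalation behaviour described above can be modelled in a few lines. This is an added example, not the component's code: the ThreatTracker class, the exponential decay with a fixed half-life, the per-violation points and the score reset after a ban are all assumptions. Only the threshold of 80 and the ladder values come from this page.

```python
import math

# Assumed values, not the component's defaults: points per violation are
# chosen by the caller and the score decays exponentially with this half-life.
AUTO_BAN_THRESHOLD = 80   # same figure as ThreatScore.AutoBanThreshold on this page
HALF_LIFE_SEC = 300.0     # assumption: score halves every 5 minutes
# Ladder from the page's example: 5 min, 30 min, 2 h, 24 h, then permanent.
LADDER_SEC = [300, 1800, 7200, 86400, math.inf]


class ThreatTracker:
    """Hypothetical model: per-IP decaying score plus ban escalation."""

    def __init__(self):
        self.state = {}  # ip -> score, last update time, offence count, ban end

    def _entry(self, ip, now):
        e = self.state.setdefault(
            ip, {"score": 0.0, "last": now, "offences": 0, "until": 0.0})
        # Decay the stored score for the time elapsed since the last update.
        e["score"] *= 0.5 ** ((now - e["last"]) / HALF_LIFE_SEC)
        e["last"] = now
        return e

    def is_banned(self, ip, now):
        e = self.state.get(ip)
        return e is not None and now < e["until"]

    def record_violation(self, ip, points, now):
        """Add points; return the ban length in seconds (0.0 = no ban)."""
        e = self._entry(ip, now)
        e["score"] += points
        if e["score"] < AUTO_BAN_THRESHOLD:
            return 0.0
        level = min(e["offences"], len(LADDER_SEC) - 1)
        e["offences"] += 1
        e["score"] = 0.0  # assumption: the score resets when a ban is issued
        e["until"] = now + LADDER_SEC[level]
        return float(LADDER_SEC[level])


def escalation_demo(ip="203.0.113.7"):
    """Constructed input: one IP re-offends 1 s after each ban expires."""
    tracker, now, bans = ThreatTracker(), 0.0, []
    for _ in range(len(LADDER_SEC)):
        ban = tracker.record_violation(ip, AUTO_BAN_THRESHOLD, now)
        bans.append(ban)
        now += ban + 1.0
    return bans
```

Under these assumptions, two 50-point violations spaced one half-life apart peak at 75 and trigger no ban, which is the trade-off to weigh when choosing the threshold against the decay rate.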

Delphi Example

Configure the firewall and assign it to a server.

// Drop a TsgcWebSocketFirewall on the form
sgcWebSocketFirewall1.Blacklist.Enabled := True;
sgcWebSocketFirewall1.Blacklist.IPs.Add('10.0.0.0/8');
sgcWebSocketFirewall1.Whitelist.Enabled := True;
sgcWebSocketFirewall1.Whitelist.IPs.Add('192.168.1.1');

// Brute-force: 3 failed logins -> 10 minute ban
sgcWebSocketFirewall1.BruteForce.Enabled := True;
sgcWebSocketFirewall1.BruteForce.MaxAttempts := 3;
sgcWebSocketFirewall1.BruteForce.BanDurationSec := 600;

// Content protection
sgcWebSocketFirewall1.SQLInjection.Enabled := True;
sgcWebSocketFirewall1.XSS.Enabled := True;
sgcWebSocketFirewall1.PathTraversal.Enabled := True;
sgcWebSocketFirewall1.CommandInjection.Enabled := True;
sgcWebSocketFirewall1.PayloadLimit.Enabled := True;
sgcWebSocketFirewall1.PayloadLimit.MaxSizeBytes := 65536;

// GeoIP: block specific countries
sgcWebSocketFirewall1.GeoIP.Enabled := True;
sgcWebSocketFirewall1.GeoIP.Mode := gmBlockList;
sgcWebSocketFirewall1.GeoIP.Countries.Add('CN');
sgcWebSocketFirewall1.GeoIP.Countries.Add('RU');
sgcWebSocketFirewall1.LoadGeoIPDatabase('geoip.csv');

// Dynamic threat score with auto-ban
sgcWebSocketFirewall1.ThreatScore.Enabled := True;
sgcWebSocketFirewall1.ThreatScore.AutoBanThreshold := 80;

// Assign to server
sgcWebSocketHTTPServer1.Firewall := sgcWebSocketFirewall1;
sgcWebSocketHTTPServer1.Active := True;

When to Reach for the Firewall

Public WebSocket API

Block known-bad IP ranges, ban brute-force attackers, and stop crawlers that flood your server with messages. Ban escalation makes each return progressively more costly for repeat attackers.

Trading or Financial Server

Whitelist trusted partner IPs, restrict access to specific countries with GeoIP, and enforce strict frame-size limits to stop oversized payloads before they hit your matching engine.

Chat / Real-Time App

Detect XSS injection in user messages and reject the offending payload before it propagates. Combine with payload size limits to prevent abuse through oversized uploads.

Internal API With External Clients

Use SQL injection and command injection detectors as a defense-in-depth net even when your backend already validates input. Audit OnViolation events into your SIEM.

Documentation & Demos

Deep-link to the component reference, grab the ready-to-run demo project, and download the trial.

Add Production-Grade Protection

Download the free trial and protect your sgcWebSockets servers in minutes.