Data Hop Firewall: Zero Trust & DLP in Rust for Envoy Proxy
By Shay Mordechai | March 8, 2026
This project (wasm-dlp-firewall) was born out of a practical need for a SaaS product I developed. When I spun up the EC2 infrastructure on AWS, I quickly noticed bots from all over the world starting to scan the servers for vulnerabilities. This led me to completely redesign the infrastructure's security posture and implement a strict Zero Trust model.
1. Infrastructure Hardening
The first step was preventing direct access to the server. I completely blocked all inbound ports to the EC2 instance. In their place, I set up a Cloudflare Tunnel — routing all ingress traffic exclusively through a secure medium. I secured my personal admin access using a business Proton Mail account backed by a hardware USB Security Key. At runtime, application services were isolated inside containers running together in a Podman Pod.
2. Application Layer Defense (Layer 7 DLP)
After researching modern attack vectors like React2Shell, and given my previous deep-dives into V8 and the Log4j vulnerability (from 2022), I realized network hardening wasn't enough. The primary threat in a Microservices architecture is API Over-fetching (CWE-201/CWE-209) — a scenario where the Backend returns full objects from the database, trusting the Frontend (like React) to filter out sensitive data. This can lead to the leakage of PII, internal tokens, or Stack Traces.
I decided to shift the responsibility of data sanitization (Redaction) from the application layer directly to the infrastructure layer.
3. The Architecture of Wasm DLP Firewall
I built a smart Filter component for the Envoy Proxy. I chose to write it in Rust and compile it to WebAssembly (wasm32-wasi). The choice of Rust guaranteed Memory Safety and high performance (Zero-cost abstractions), while Wasm provided an isolated Sandbox inside the Proxy that allowed me to perform Hot-reloading without router downtime.
Key Capabilities:
- Recursive JSON Redaction: Deep scanning of the Response content, masking sensitive keys (like Passwords or Secrets) based on logical rulesets.
- Logical Data TTL: Support for custom headers (e.g.,
X-Data-TTL) to trigger sanitization. - Fail-Closed Security: If the payload cannot be decrypted or safely inspected, the request is simply dropped.
4. Field Case Study: Error Shielding and Information Disclosure
To test the system, I modeled a real-world attack scenario from financial environments (CWE-209). In this scenario, a session left open for over 60 minutes combined with aggressive refreshing (Ctrl+F5) caused the ASP.NET Backend to crash. Instead of a generic error, the server returned a 500 Internal Server Error that included HTML pages exposing:
- Physical server directory paths.
- Exact versions of IIS and .NET.
- Direct configuration suggestions for
web.config.
The Data Hop Firewall automatically detects 5xx errors before they leave the internal network, locates system strings (like "Stack Trace" or "System.Web"), and replaces the sensitive payload with a clean, standardized JSON response:
{
"status": "error",
"message": "Internal Security Proxy Intervention",
"code": 500
}
This ensures that even if a developer forgets to set customErrors="On" in the application, the Zero-Trust mechanism guarantees that server configuration data will never leak to the internet.