
End-to-End API Encryption for Web and Mobile Applications

Codesealer provides strong application integrity, wrapping both source code and APIs in strong authenticated encryption.

Give any reverse engineers and hackers a run for their money with a completely novel approach to web application security.

Designed for seamless integration, with no app changes or user actions needed. Enhance your defences in the easiest way possible.

Codesealer application protection in a nutshell

Unprotected web applications are easy targets for reverse engineering. All application code, API endpoints, and API payloads are easily discoverable in the browser. This makes manipulation - and possible exploitation - of the application flow straightforward.
Codesealer is a reverse proxy that seamlessly ensures the application's integrity from backend to frontend.
Codesealer replaces all application code in the browser with a uniquely generated Bootloader that provides a robust, tamper-proof, and secure runtime for your code.
All application code is transferred to the browser using authenticated encryption and executed inside the Bootloader, protecting your application from inspection and tampering.
All API endpoints are concealed behind an opaque /x endpoint and all API requests are automatically encrypted beyond TLS, preventing request forgery and manipulation.
Our integrated WAF inspects requests sent through legitimate interactions with the application, blocking malicious payloads.
Application Code
Seamless integration with no code changes in application and no agents in the browser

See it in action

Codesealer's design allows it to greatly increase the security level of any web application in minutes - without any code changes.

The video below shows the result of deploying Codesealer in front of a vulnerable web application: OWASP's Juice Shop application.

This site is also protected by Codesealer - just right-click and select "Inspect" to see what that looks like in your browser's Dev Tools.

How it works

1. Code Stripping and Bootloader Injection

When a browser requests an HTML document through the proxy, Codesealer intercepts and modifies the response.
All <script> tags are removed, preventing attackers from accessing the application's JavaScript source code.
Codesealer injects its secure 'Bootloader' into the page, establishing a highly fortified runtime environment for application execution.

HTML document without Codesealer

    <html>
      <script src="vulnerable.dependency.js"></script>
      <script>
        fetch('/api/login', {
          method: 'POST',
          body: '{"user": "alice", "password": "pass123"}'
        });
      </script>
    </html>

HTML document with Codesealer

    <html>
      <script></script>
      <script></script>
      <script data-conf="yArcIqfK...meGLNw">,
        var ħ = "kQq,'F[D1f?<v!7YiBtm =pWX>a;*3-5zT).c4R^";
        function ǵ(ә, ħ) {
          var ΐ = 0, ӻ = [1, 32, 1024], ņ = 0;
          while (ۅ[ө(ә)] > 31) {
            ΐ += (ۅ[ө(ә++, -237)] & 31) * ӻ[ņ++]
          }
          ΐ += ۅ[ө(ә++, 566)] * ӻ[ņ++];
          ...
      </script>
    </html>

2. Secure Code Delivery

The Bootloader conducts thorough tamper checks and performs an X25519 key exchange to establish a secure channel with the proxy.
The original application code is secured with the authenticated encryption scheme Aegis-128 and safely transferred to the Bootloader.
The code is then executed in the Bootloader's tamper-resistant environment, making it extremely difficult to reverse engineer the application.
The exact cryptographic details change with every Bootloader, increasing the required time and effort to perform an attack.

Code delivery without Codesealer

    GET /vulnerable.dependency.js HTTP/1.1
    HOST:
    -----------------------------------------
    HTTP/1.1 200 OK

    !function() {
      "use strict";
      var e, t, r, n, o, u, i, c, f, a = {}, l = {};
      function d(e) { ...

Code delivery with Codesealer

    GET /~bl/b/EZXPt5rW9reObblyI0RJUeTp
    HOST:
    -----------------------------------------
    HTTP/1.1 200 OK

    fTEyTVNIImAkP2YqeCwiOzRUPjpR...

3. API Protection and Concealment

At runtime, all fetch and XHR requests are routed through Codesealer's secure channel.
Codesealer hides all API details by encrypting the payloads and always using the same opaque /x endpoint.
The proxy can completely block off requests that aren't made through a Codesealer session, essentially stopping automated attack tools.

API calls without Codesealer

    POST /api/login HTTP/1.1
    HOST:

    {"user": "alice", "password": "pass123"}
    -----------------------------------------
    HTTP/1.1 200 OK

    {"accessToken": "QyUhjMk0WdbMvZPr3vH0Fw=="}

API calls with Codesealer

    POST /~bl/x HTTP/1.1
    HOST:
    X-CS-SessionID: 63bd3719-c528-467d-b175-7bd7927c4ea1

    PHF9bydrfThVWG8qLzVccjsubw...
    -----------------------------------------
    HTTP/1.1 200 OK

    L1srKXtTZ1h5KVtgVWlJdkpUOH1Wcg...
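
The flow described in steps 2 and 3, as an added Node.js example that is not Codesealer's code: an X25519 exchange yields a session key, the login call is sealed into one opaque body, and the proxy-side handler rejects anything without an established session or with a modified ciphertext. AES-128-GCM stands in for Aegis-128 so that only Node's built-in crypto module is needed; the function names, envelope layout and HKDF label are assumptions.

```javascript
// Added example, not Codesealer's code; AES-128-GCM stands in for Aegis-128 (assumption).
const nodeCrypto = require('crypto');
const sessions = new Map(); // proxy side: session id -> 16-byte AEAD key

// Both sides derive the same key from the X25519 shared secret (HKDF-SHA256).
function deriveKey(privateKey, peerPublicKey, sessionId) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey: peerPublicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, sessionId, 'api-tunnel', 16));
}
// Proxy: answer the client's ephemeral public key and remember the session key.
function proxyHandshake(clientPublicKey) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('x25519');
  const sessionId = nodeCrypto.randomUUID();
  sessions.set(sessionId, deriveKey(privateKey, clientPublicKey, sessionId));
  return { sessionId, proxyPublicKey: publicKey };
}
// Client: wrap the real method, path and body in one opaque ciphertext.
function sealRequest(key, sessionId, request) {
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', key, nonce);
  cipher.setAAD(Buffer.from(sessionId)); // bind the ciphertext to this session
  const ct = Buffer.concat([cipher.update(JSON.stringify(request)), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64'); // nonce|tag|ct
}
// Proxy: the single opaque endpoint. Returns the inner request, or null to reject.
function openRequest(sessionId, bodyB64) {
  const key = sessions.get(sessionId);
  const raw = Buffer.from(bodyB64, 'base64');
  if (!key || raw.length < 28) return null; // no session, or truncated envelope
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(sessionId));
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch { return null; } // tag mismatch: modified or forged ciphertext
}

// Constructed input: the login call from the listing above.
function demo() {
  const client = nodeCrypto.generateKeyPairSync('x25519');
  const { sessionId, proxyPublicKey } = proxyHandshake(client.publicKey);
  const key = deriveKey(client.privateKey, proxyPublicKey, sessionId);
  const login = { method: 'POST', path: '/api/login', body: '{"user": "alice", "password": "pass123"}' };
  const sealed = sealRequest(key, sessionId, login);
  const bad = Buffer.from(sealed, 'base64');
  bad[bad.length - 1] ^= 1; // one bit changed in transit
  return { routed: openRequest(sessionId, sealed), tampered: openRequest(sessionId, bad.toString('base64')),
    forged: openRequest('unknown-session', sealed) };
}
```

The envelope carries no counter or timestamp, so a captured body would still decrypt if replayed within the same session; a production design needs replay protection on top of this.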

4. Defence in Depth

Codesealer is designed around defence in depth - that is also why our proxy has an integrated Web Application Firewall (WAF).
The WAF offers an additional layer of protection right before sending decrypted requests to the backend.
Any legitimate interactions with the secured application that manage to send malicious payloads can be stopped by the WAF layer.
Flexible deployment options that fit into any existing application architecture


    Instantly protect your applications
    Infrastructure managed by Codesealer
    Configurable through our management portal
    Simply change your DNS to point at our server


    Deploy our proxy and management portal into your existing infrastructure
    Pick the deployment model that suits you: Bare metal, Docker, Kubernetes, etc.
    Fully horizontally scalable with minimal dependency on our backend


    Get the same experience as Codesealer Self-Hosted but with all components fully in your control
    Dedicated support from the Codesealer team
Our multi-layered approach to security provides defence in depth for your application

No single defence is enough

While most applications utilize some basic levels of security - like TLS - any great security solution consists of many defensive layers.

Codesealer easily enhances your web application with many additional defences such as tamper checks, honeypots, obfuscation, authenticated encryption, and WAF rules.


Common Protection

Basic level of security, commonly available to all users


Obfuscation and Tamper Checks

Application code is heavily obfuscated and tamper-checked using a unique, dynamically generated, cryptographic protocol

Secure Code Delivery

Encryption and Execution Environment

Code is delivered encrypted and executed in a secure environment

API Encryption

Application-Level Encryption and Session Control

All API requests are encrypted at the application level and only allowed within a securely established session


Web Application Firewall

Any requests are filtered through the WAF before making it to the backend
Code + API
An easy to use security solution ensuring end-to-end integrity of any web application

Secure Code Delivery: All application code is delivered to the browser via authenticated encryption and executed inside our highly fortified Bootloader, making reverse engineering substantially harder.
Proactive API Protection: In contrast to reactive API security tools that build on API discovery and alerting, Codesealer simply removes the API attack surface by hiding API endpoints and encrypting payloads.
Dynamic Protection: Codesealer defends an application running in a hostile environment by making it a moving target. The exact implementation of our protection measures changes each time the application is loaded.
Seamless Integration: Our solution requires no changes to the existing application code and has no impact on the end user's experience. Just deploy our proxy in front of your backend to protect your application.
Flexible Deployment: We offer a wide range of deployment options including SaaS and on-prem solutions. Consume Codesealer as a managed service, raw binary, Docker image, Helm Charts, and more.
Horizontally Scalable: Our proxy component is fully horizontally scalable, supporting even the most demanding applications. It can even automatically scale with the application, for example by deploying as a Kubernetes sidecar.
High Performance: As a security product on the critical path, Codesealer is designed from the start with extremely high performance in mind, ensuring as low an overhead as possible.
Mobile Protection: Codesealer's protection also extends to mobile applications. Our easily integrated SDK allows any mobile application to make secured API requests through our reverse proxy.

Ready to seal your APIs?

Reach out to our team today to learn more about Codesealer's API protection features and discover how we can fortify your web applications against evolving cyber threats. Schedule a consultation or request a demo to witness the transformative impact of Codesealer firsthand.
