Unprotected web applications are easy targets for reverse engineering. All application code, API endpoints, and API payloads are easily discoverable in the browser. This makes manipulation - and possible exploitation - of the application flow straightforward.
Codesealer is a reverse proxy that seamlessly ensures the application's integrity from backend to frontend.
Codesealer replaces all application code in the browser with a uniquely generated Bootloader that provides a robust, tamper proof, and secure runtime for your code.
All application code is transferred to the browser using authenticated encryption and executed inside the Bootloader, protecting your application from inspection and tampering.
All API endpoints are concealed behind an opaque /x endpoint and all API requests are automatically encrypted beyond TLS, preventing request forgery and manipulation.
Our integrated WAF inspects requests sent through legitimate interactions with the application, blocking malicious payloads.
[Diagram: Browser (Bootloader running the Application Code) -> Network -> /x -> WAF -> Backend (/api/login, /api/transfer, /api/delete)]
Seamless integration with no code changes in application and no agents in the browser
See it in action
Codesealer's design allows it to greatly increase the security level of any web application in minutes - without any code changes.
The video below shows the result of deploying Codesealer in front of a vulnerable web application: OWASP's Juice Shop application.
This site is also protected by Codesealer - just right click and select "Inspect" to see what that looks like in your browser's Dev Tools.
The Bootloader conducts thorough tamper checks and performs an X25519 key exchange to establish a secure channel with the proxy.
The original application code is secured with the authenticated encryption scheme Aegis-128 and safely transferred to the Bootloader.
The code is then executed in the Bootloader's tamper-resistant environment, making it extremely difficult to reverse engineer the application.
The exact cryptographic details change with every Bootloader, increasing the required time and effort to perform an attack.
Insecure
Code delivery without Codesealer
GET /vulnerable.dependency.js HTTP/1.1
HOST: backend.com
-----------------------------------------
HTTP/1.1 200 OK
!function() { "use strict"; var e, t, r, n, o, u, i, c, f, a = {}, l = {}; function d(e) { ...
Secure
Code delivery with Codesealer
GET /~bl/b/EZXPt5rW9reObblyI0RJUeTp
HOST: backend.com
-----------------------------------------
HTTP/1.1 200 OK
fTEyTVNIImAkP2YqeCwiOzRUPjpR...
3. API Protection and Concealment
At runtime, all fetch and XHR requests are routed through Codesealer's secure channel.
Codesealer hides all API details by encrypting the payloads and always using the same opaque /x endpoint.
The proxy can completely block off requests that aren't made through a Codesealer session, essentially stopping automated attack tools.
Insecure
API calls without Codesealer
POST /api/login HTTP/1.1
HOST: backend.com

{"user": "alice", "password": "pass123"}
-----------------------------------------
HTTP/1.1 200 OK

{"accessToken": "QyUhjMk0WdbMvZPr3vH0Fw=="}
Secure
API calls with Codesealer
POST /~bl/x HTTP/1.1
HOST: backend.com
X-CS-SessionID: 63bd3719-c528-467d-b175-7bd7927c4ea1

PHF9bydrfThVWG8qLzVccjsubw...
-----------------------------------------
HTTP/1.1 200 OK

L1srKXtTZ1h5KVtgVWlJdkpUOH1Wcg...
4. Defence in Depth
Codesealer is designed around defence in depth - that is also why our proxy has an integrated Web Application Firewall (WAF).
The WAF offers an additional layer of protection right before decrypted requests are sent to the backend.
Requests that arrive through a legitimate Codesealer session but still carry a malicious payload can be stopped by the WAF layer.
Flexible deployment options that fit into any existing application architecture
SaaS
Instantly protect your applications
Infrastructure managed by Codesealer
Configurable through our management portal
Simply change your DNS to point at our server
Self-Hosted
Deploy our proxy and management portal into your existing infrastructure
Pick the deployment model that suits you: Bare metal, Docker, Kubernetes, etc.
Fully horizontally scalable with minimal dependency on our backend
Enterprise
Get the same experience as Codesealer Self-Hosted but with all components fully in your control
Dedicated support from the Codesealer team
Our multi-layered approach to security provides defence in depth for your application
No single defence is enough
While most applications utilize some basic levels of security - like TLS - any great security solution consists of many defensive layers.
Codesealer easily enhances your web application with many additional defences such as tamper checks, honeypots, obfuscation, authenticated encryption, and WAF rules.
TLS
Common Protection
Basic level of security, commonly available to all users
Bootloader
Obfuscation and Tamper Checks
Application code is heavily obfuscated and tamper-checked using a unique, dynamically generated, cryptographic protocol
Secure Code Delivery
Encryption and Execution Environment
Code is delivered encrypted and executed in a secure environment
API Encryption
Application-Level Encryption and Session Control
All API requests are encrypted at the application level and only allowed within a securely established session
WAF
Web Application Firewall
Any requests are filtered through the WAF before making it to the backend
Code + API
An easy to use security solution ensuring end-to-end integrity of any web application
Secure Code Delivery: All application code is delivered to the browser via authenticated encryption and executed inside our highly fortified Bootloader, making reverse engineering substantially harder.
Proactive API Protection: In contrast to reactive API security tools that build on API discovery and alerting, Codesealer simply removes the API attack surface by hiding API endpoints and encrypting payloads.
Dynamic Protection: Codesealer defends an application running in a hostile environment by making it a moving target. The exact implementation of our protection measures changes each time the application is loaded.
Seamless Integration: Our solution requires no changes to the existing application code and has no impact on the end user's experience. Just deploy our proxy in front of your backend to protect your application.
Flexible Deployment: We offer a wide range of deployment options including SaaS and on-prem solutions. Consume Codesealer as a managed service, raw binary, Docker image, Helm Charts, and more.
Horizontally Scalable: Our proxy component is fully horizontally scalable, supporting even the most demanding applications. It can even automatically scale with the application, for example by deploying as a Kubernetes sidecar.
High Performance: As a security product on the critical path, Codesealer is designed from the start with extremely high performance in mind, ensuring as low an overhead as possible.
Mobile Protection: Codesealer's protection also extends to mobile applications. Our easily integrated SDK allows any mobile application to make secured API requests through our reverse proxy.
Ready to seal your APIs?
Reach out to our team today to learn more about Codesealer's API protection features and discover how we can fortify your web applications against evolving cyber threats. Schedule a consultation or request a demo to witness the transformative impact of Codesealer firsthand.