Corpilus Shield

Real-time tracking of 28 signals: keystroke dynamics, mouse trajectories (R²), scroll patterns, touch events, form fill timing, page dwell.

Protects against: form-fill bots, headless automation, scripted submission.

Canvas, WebGL, audio, fonts, navigator → SHA-256 device hash. Detects headless browsers and anti-detect tools.

Protects against: Puppeteer, Playwright, Selenium, PhantomJS, Camoufox, curl-cffi.

Hidden form fields invisible to humans. Proof-of-Work SHA-256 challenges on suspicious scores. Progressive login delay (1s → 8s).

Protects against: spam bots, naive scrapers, brute-force login burst.

Widget prevents form submission at score > 85. Red overlay: "Blocked by Corpilus Shield". Server-signed HMAC-SHA256 tokens auto-attached to fetch() via interceptor.

Protects against: high-confidence bot submissions reaching the backend.

70+ compiled patterns scanned on every event payload, automatically.

Protects against: SQL injection, XSS, path traversal, command injection, SSRF, SSTI.

40+ patterns scanning input + output + tool calls before/after the model runs.

Protects against: prompt injection, DAN-style jailbreaks, memory poisoning, tool abuse, data exfiltration.

GPT-4o-mini analyzes events every 15 min. RAG context from Shield KB (8 security docs). Auto-creates threats + rules.

Protects against: novel/unseen attack patterns missed by static rules.

Multi-dimensional: per-IP, per-device, per-endpoint. Progressive: monitor → throttle → challenge → block.

Protects against: brute force, credential stuffing, scraping, API enumeration.

IP geolocation via ip-api.com (24h cache). Country block/allow lists. Datacenter +10, proxy/Tor +15 score.

Protects against: traffic from disallowed regions, anonymising infrastructure.

Python (FastAPI/Django/Flask), Node.js (Express/Next.js), PHP (WordPress/Laravel). Validates X-Shield-Token on every request. No token → 403.

Protects against: requests bypassing the JS widget (curl, Postman, raw HTTP).

Email (HTML), Slack, Discord, generic JSON webhooks. Weekly security report with stats, top threats, block rate.

Protects against: late incident detection — admins notified within seconds.

5 tools exposed via MCP: shield_get_stats, get_threats, add_rule, get_events, verify_token.

Protects against: blind admin response — agents can investigate + act on incidents.

OpenAI / Anthropic compatible base_url. Scans prompt before forwarding, scans completion before returning. Blocks on policy hit.

Protects against: prompt injection, jailbreak, PII/secret exfil from LLM apps.

Tool-call interception for Claude / Cursor / IDE agents. Inspects every tool invocation against agent-protection rules before execution.

Protects against: malicious tool abuse, file/shell exfiltration, supply-chain agents.

Anonymized pattern sharing — IPs reduced to /24, PII stripped, maturity gating. One tenant's confirmed attacker becomes everyone's known threat.

Protects against: distributed campaigns hitting multiple Shield-protected sites.

Pre-built threat-intel context (mini-CAG). Bot signatures, attack patterns, OWASP samples baked in — Shield is not a tabula rasa on day 1.

Protects against: cold-start blindness — new sites are protected immediately.

Every rule change, site config edit, manual block, AI decision is recorded with actor, timestamp, before/after diff. Exportable for compliance.

Protects against: silent tampering — and gives ISO/SOC2 auditors a paper trail.

HMAC-SHA256 tokens are minted server-side from the per-site secret key and returned via /shield/events. Widget never holds the signing secret.

Protects against: token forgery from a stolen public site_key.

Drop-in PHP plugin: auto-injects the widget, ships middleware that validates Shield tokens on /wp-login.php and admin endpoints.

Protects against: WP brute force, xmlrpc abuse, admin enumeration on EU SMB sites.

PostgreSQL Row-Level Security forced on all shield_* tables. Each request runs under a tenant-scoped role — no application-layer bypass possible.

Protects against: cross-tenant data leaks, broken-access-control bugs in app code.

AST-parsed SQL validation. Blocks UNION, INTO OUTFILE, pg_sleep, information_schema. LIMIT capped at 1000. Sensitive columns (password, api_key, ssn) auto-redacted. Query fingerprinting + honeytoken trap tables.

Protects against: SQL data exfiltration, schema enumeration, pagination abuse, sensitive data leaks.

Bigram gibberish detection (EN/DE/CS/SK/ES), 100+ disposable email domains, spam patterns (repeated chars, ALL CAPS, URL flood), suspicious name detection. Additive scoring: gibberish +15, disposable email +25.

Protects against: form spam, fake registrations, gibberish submissions, throwaway accounts.

Wallet detection: BTC (P2PKH/Bech32), ETH, SOL, TRX, XRP, LTC, DOGE. BIP-39 seed phrase scanning (12/24 word). Signing prompts (EIP-712). 14 mining domains blocked. Payment redirect patterns.

Protects against: crypto wallet theft, seed phrase leakage, mining script injection, payment redirects.

Embedding-based prompt injection detection. 85 attack patterns in vector corpus — catches obfuscated variants that regex misses. "Disregard earlier directives" ≈ "Ignore previous instructions" (cosine similarity 0.70). Thresholds: ≥0.82 block, ≥0.68 challenge. Ollama-local embeddings, zero per-request API cost.

Protects against: paraphrased prompt injection, synonym-based jailbreaks, obfuscated attacks, cross-language attack variants.

Three-tier honeypot injection per form with PWM-aware scoring. Tier 1 (+80): random-named corpilus_shield_hp_XXX — no password manager touches it. Tier 2 (+40): realistic unused (website_backup), CSS-hidden. Tier 3 (+15, downgraded to +5 if 1Password / Bitwarden / LastPass / Dashlane detected) — eliminates PWM false positives on login forms. Trap URL endpoint /api/v1/shield/trap/{slug}: hidden anchor, any hit records bot + feeds cross-tenant aggregator, returns 410 Gone.

Protects against: bots that learned the single-honeypot convention, PWM false positives, crawler discovery of /admin / /wp-admin / /.env paths.

Redis snapshot (4 h TTL) of device_hash, webgl_renderer, user_agent, timezone, screen_resolution at session start. On sensitive events (login / form_submit / register / checkout), live fingerprint is compared. Additive drift penalties: device_hash +40, webgl +25, timezone +20, UA +15, resolution +10. Full drift (+110) blocks on its own; partial drift (UA + resolution) challenges. Fail-open on Redis outage.

Protects against: session hijacking, token replay, mid-session device swaps, stolen-cookie attacks.

Every 15 min a scheduler computes AI-rule creation velocity vs 7-day baseline. On a 3σ anomaly new rules auto-gate to rollout_state='canary' — they apply only to canary tenants for 24 h. Rules that survive ≥2 confirmations without FPs promote to 'confirmed'. Blocks adversarial traffic designed to make Shield create bad rules that would mass-block legit users or whitelist attackers.

Protects against: learning-layer poisoning, FP-DoS, self-whitelisting attacks, model corruption.

3-state breaker (closed / open / half_open) in all 3 backend SDKs (Python, Node, PHP). After 5 consecutive transport errors → OPEN for 30 s → 1 HALF_OPEN probe. 4xx is an input error, not transport failure, so it doesn't trip the breaker. PHP uses APCu for cross-FPM-worker state. No more 5 s timeouts on every request during a Shield-API outage.

Protects against: cascading timeouts, retry storms, request pile-up during upstream incidents.

Reason → (machine code, human hint) map in shield_remediation.py. /shield/verify and all 3 SDK 403 bodies now carry remediation + remediation_code fields. Legit users who get caught as false-positive see "Please reload the page" or "Your session expired" instead of a silent 403. Machine code is i18n-ready.

Protects against: bad UX on false-positive, support ticket load, silent-fail confusion.

Widget MutationObserver snapshots all <script> tags at boot and reports any subsequently injected script as script_integrity_violation telemetry (src, external/same_origin, content length, stable hash). Capped at 25 reports per page-load. Catches compromised-CDN, malicious extension, XSS overlay, or ad-fraud attacks that try to exfiltrate Shield tokens or form data.

Protects against: supply-chain attacks, malicious browser extensions, XSS token theft, ad-fraud overlays.

Widget flags concrete mismatches a real human never exhibits: UA claims Chrome but window.chrome missing, UA/platform mismatch (Windows UA on Linux), empty navigator.languages, outerWidth=0, headless default resolutions (800×600, 1024×768 desktop no-touch), desktop UA with zero plugins and zero mimetypes, navigator.webdriver=true. Each +12 score, capped +40 — one spurious heuristic can't block, a cluster of 3+ will.

Protects against: Puppeteer-stealth, Playwright, Selenium UA-spoof, curl-impersonate, Playwright-extra.

check_upload() now accepts form_fields. When a file upload is accompanied by form data (title, description, name, message), Content Quality Scoring runs on those fields too. A clean PDF with gibberish "test / asdf / qwerty" metadata still gets rejected (score ≥ 25). Closes the "fake registration with profile pic" path.

Protects against: fake account registration, low-quality form spam with attachments, bot-filled support tickets.

Five coordinated layers on top of rate limiting: per-account brute-force lockout (3 failed logins / 5 min, works across 1000 IPs), HIBP password breach check via k-anonymity proxy — plaintext never leaves browser, DNS MX / A record check on register (no-A +25, no-MX +15), typosquat email detection for 25+ brands (paypa1.com, faceb00k.com, google-login.tk…), password-change hardening (velocity caps + recent-login requirement + session-drift block). WebAuthn enforcement is out of scope — that's the auth provider's job.

Protects against: distributed credential-stuffing, residential-proxy brute force, leaked-password signup, brand-impersonation signups, account-takeover lockout chain, session-replay password reset.

9-language email + attachment scanner. Detects SK/CS/PL/DE/FR/ES/SR bodies stripped of diacritics (strongest real-world EU phishing signal), password-hint social engineering ("heslo je vase IČO" / "Passwort ist Ihre Steuernummer" / "haslo to Panstwa NIP" / "password is your tax number") across all 9 languages, mainframe-mimicry filenames (ALL_CAPS_with_PART_suffix.afp_*.pdf), and password-protected PDF / Office files via /Encrypt dictionary lookup. Brand-agnostic shape cluster — catches the same attack with any impersonated company name the attacker invents (Allianz, Sparkasse, PKO, or made-up "XYZ Banka").

Protects against: brand-impersonation phishing drops, credential harvesting, password-protected malware droppers, attachment-based social engineering.