Edge Security Layer

Your origin has no security headers.

Most websites ship without HSTS, CSP, or any security headers at all. SerpWise adds seven layers of edge security — from browser headers to bot intelligence to origin protection — without touching your code.

Zero origin changes
Works on any stack
Sub-millisecond overhead
14-day free trial

The difference is in the headers

Most origins respond without a single security header. SerpWise adds them in transit — before the response reaches the browser.

Before SerpWise (Exposed)

Strict-Transport-Security: (missing)
Content-Security-Policy: (missing)
X-Frame-Options: (missing)
X-Content-Type-Options: (missing)
Referrer-Policy: (missing)

After SerpWise (Protected)

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' https://...
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin

Browser Protection

Control what browsers can load

Prevent XSS, clickjacking, and data injection by telling browsers exactly which resources and behaviors are allowed on your pages.

Content Security Policy

Build and enforce CSP with a visual directive builder. Test in report-only mode before blocking. Auto-detect every external script, font, and iframe your pages load.

  • Structured directive builder with presets
  • Report-only mode with violation logging
  • Auto-detect sources from proxied HTML
  • Per-domain policy compilation

Security Headers

Inject HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, and CORP on every response. One-click Standard and Strict presets.

  • 8 standard security headers
  • Standard and Strict presets
  • Overrides origin headers
  • Per-rule header control

CSP Builder

Deploy CSP without breaking your site

The biggest reason sites skip CSP is fear of breaking third-party scripts. Our four-step workflow eliminates that risk entirely.

01. Auto-Detect

Enable source detection. The gateway scans every proxied page and catalogs every external script, stylesheet, font, and iframe.

02. Report-Only

Switch to report-only mode. Browsers log violations without blocking anything. Review the CSP Reports tab to see what would break.

03. Refine

Add missing sources to your policy. Use presets as a starting point. Iterate until violation reports are clean.

04. Enforce

Flip to enforce mode. The gateway blocks unauthorized resources. Your site is protected against XSS, data injection, and clickjacking.
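The Report-Only and Refine steps come down to turning violation reports into a short list of sources to add. The sketch below is an added example, not SerpWise code: it assumes reports arrive in the legacy report-uri JSON shape (a "csp-report" object with "effective-directive" or "violated-directive" and "blocked-uri"), and the sample reports and hostnames are constructed.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

def classify(blocked_uri):
    """Return ("source", expr) for an allowlistable origin, ("review", why) otherwise."""
    if blocked_uri in ("inline", "eval"):
        # Allowing these means 'unsafe-inline'/'unsafe-eval'; prefer nonces or hashes.
        return ("review", blocked_uri)
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("https", "wss") and parts.netloc:
        return ("source", f"{parts.scheme}://{parts.netloc}")
    return ("review", blocked_uri or "empty blocked-uri")

def summarize(raw_reports):
    """Aggregate report bodies into per-directive candidate sources and review items."""
    sources, review = defaultdict(Counter), defaultdict(Counter)
    for raw in raw_reports:
        try:
            report = json.loads(raw)["csp-report"]
            directive = (report.get("effective-directive")
                         or report["violated-directive"]).split()[0]
            kind, value = classify(report.get("blocked-uri", ""))
        except (ValueError, KeyError, TypeError, AttributeError, IndexError):
            continue  # report endpoints accept anonymous POSTs: drop malformed bodies
        (sources if kind == "source" else review)[directive][value] += 1
    return sources, review

def policy_additions(sources, min_reports=2):
    """Sources seen at least min_reports times, so one stray report cannot widen the policy."""
    out = {}
    for directive, counts in sources.items():
        keep = sorted(s for s, n in counts.items() if n >= min_reports)
        if keep:
            out[directive] = keep
    return out

SAMPLE_REPORTS = [  # constructed report bodies for illustration
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/lib.js"}}',
    '{"csp-report": {"violated-directive": "script-src \'self\'", "blocked-uri": "https://cdn.example.net/other.js"}}',
    '{"csp-report": {"effective-directive": "font-src", "blocked-uri": "https://fonts.example.org/a.woff2"}}',
    '{"csp-report": {"effective-directive": "script-src", "blocked-uri": "inline"}}',
    'not json',
    '[]',
]
```

Inline and eval violations are kept apart from the allowlist candidates on purpose: they call for a nonce, hash or code change rather than a wider policy.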

Origin Protection

Shield your server from hostile traffic

Block exploit probes, rate-limit abusive IPs, and auto-recover when your origin has issues. All at the proxy layer, before traffic reaches your server.

Exploit Shield

Blocks known attack paths (.env, wp-config.php, xmlrpc.php) and auto-bans repeat offenders. Your origin never sees the probing traffic.

  • 14 exploit path signatures
  • Automatic IP banning (24h)
  • Zero-config protection
  • Real-time threat blocking

Rate Limiting

Per-IP, per-domain sliding window rate limiting with configurable thresholds. Blocks brute-force attacks and abusive scrapers.

  • Configurable requests per window
  • 64-shard concurrent architecture
  • Standard rate limit headers (429)
  • Automatic cleanup of expired entries

Circuit Breaker

Automatically enters safe passthrough mode when your origin starts failing. Prevents cascading failures and gives your server time to recover.

  • Trips after 5 errors in 60 seconds
  • 5-minute cooldown with auto-recovery
  • Lock-free fast path (zero overhead when healthy)
  • Per-domain isolation

38+ bot signatures.
Full crawler intelligence.

Know exactly who is crawling your site — search engines, social crawlers, AI models, and monitoring tools. Write rules that target specific bots. Serve optimized content to GPTBot, block scrapers, customize the Googlebot experience.

Search Engines: Googlebot, Bingbot, YandexBot, Baiduspider
AI Crawlers: GPTBot, ClaudeBot, PerplexityBot, CCBot
Social: Facebookbot, Twitterbot, LinkedInBot, Slackbot
Monitoring: UptimeRobot, Pingdom, DatadogSynthetics

Data Protection

Encrypt credentials. Prevent data leaks.

Ad platform tokens encrypted at rest. Origin URLs rewritten to prevent CORS errors and cookie domain leaks. Zero-config data protection.

Credential Encryption

All ad platform credentials (Meta, TikTok, Google Ads, Snapchat) are encrypted at rest with AES-256-GCM. Tokens never touch disk in plaintext.

  • AES-256-GCM with random IV per credential
  • Hex-encoded 32-byte key management
  • Encrypted at rest in PostgreSQL
  • Automatic decryption on use only

Origin URL Rewriting

Automatically rewrites origin URLs in response bodies, Location headers, and Set-Cookie domains. Prevents CORS errors and cookie domain leaks.

  • Body URL rewriting (https, wss, protocol-relative)
  • Location header redirect rewriting
  • Set-Cookie domain rewriting
  • Shopify and multi-origin support

Tracking Security

Recover 15-30% of lost analytics data

Ad blockers strip your tracking. Safari caps cookies at 7 days. SerpWise makes your analytics infrastructure invisible to blockers and immune to browser restrictions.

First-Party Script Proxy

GTM, GA4, and measurement scripts are proxied through your own domain. Ad blockers can't distinguish them from your first-party code. No DNS changes — the gateway rewrites script URLs in your HTML automatically.

  • GTM (gtm.js) and GA4 (gtag/js) proxied as first-party
  • Measurement Protocol (g/collect) proxied transparently
  • 1-hour cache for scripts, no-store for collect
  • Configurable path prefix per domain

Server-Set Cookies

Safari ITP caps client-side cookies at 7 days. SerpWise sets tracking cookies server-side with 400-day expiry — bypassing ITP entirely. Your conversion attribution windows stay intact.

  • HttpOnly, Secure, SameSite=Lax by default
  • 400-day max-age bypasses Safari ITP
  • Meta (_fbp, _fbc), TikTok (_ttp), Snapchat (_scid)
  • Google Ads (_gcl_aw) and GA4 support

Meta / Facebook, TikTok, Google Ads, Google Analytics, Snapchat, Custom Webhooks

Your CMS doesn't support security headers.
That's exactly why we built this.

WordPress, Shopify, Wix, Squarespace, and most legacy platforms give you zero control over HTTP security headers. SerpWise sits between your CDN and origin, injecting headers that your CMS can't. No plugins, no server config, no waiting on your hosting provider.

WordPress, Shopify, Wix, Squarespace, Webflow, Next.js, Laravel, Custom Stack

Decision support

Security — Questions & Answers

Will adding security headers break my site?

Most security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are safe to enable immediately. CSP is the exception — an incorrect policy can block legitimate scripts. That's why we built the CSP Builder with report-only mode: test your policy with real traffic before enforcing it.

Does SerpWise add latency to my requests?

Security header injection is a sub-millisecond operation — it adds zero measurable latency. The gateway injects headers after your origin response is received, in the same pass as other modifications. There's no additional network hop.

Can I set different security policies for different pages?

Yes. Security Headers and CSP apply globally to your domain, but you can use the Rules Engine to override or add headers on specific URL patterns. For example, set a stricter CSP on /checkout/* pages or relax frame-ancestors for an embedded widget page.

My CMS doesn't support security headers. Will SerpWise work?

That's exactly the use case SerpWise was built for. WordPress, Shopify, Wix, Squarespace, and most legacy CMS platforms don't give you control over HTTP security headers. SerpWise injects them at the proxy layer — your CMS doesn't need to support them.

How does the circuit breaker protect my origin?

If your origin returns 5 errors within 60 seconds, SerpWise automatically enters passthrough mode — serving cached content or passing requests through without modification. After a 5-minute cooldown, it probes your origin with a single request. If that succeeds, normal operation resumes automatically. No manual intervention needed.
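The trip, cooldown and single-probe behaviour described here and in the Circuit Breaker feature list can be modelled as a small state machine. This is an added example, not SerpWise's implementation: it is single-threaded rather than lock-free, the class and method names are hypothetical, and restarting the cooldown after a failed probe is an assumption the page does not state.

```python
import time
from collections import defaultdict

class CircuitBreaker:
    """Breaker for one domain: closed -> open (passthrough) -> probing -> closed."""

    def __init__(self, max_errors=5, window=60.0, cooldown=300.0, clock=time.monotonic):
        self.max_errors, self.window, self.cooldown = max_errors, window, cooldown
        self.clock = clock            # injectable so the timing can be tested
        self.state = "closed"
        self.errors = []              # timestamps of origin errors inside the window
        self.opened_at = 0.0

    def route(self):
        """Decide how to handle the next request: 'normal', 'passthrough' or 'probe'."""
        if self.state == "closed":
            return "normal"
        if self.state == "open" and self.clock() - self.opened_at >= self.cooldown:
            self.state = "probing"    # only this one request tests the origin
            return "probe"
        return "passthrough"          # open, or a probe is already in flight

    def record(self, decision, ok):
        """Report the origin's result for a request that route() classified."""
        now = self.clock()
        if decision == "probe":
            if ok:
                self.state, self.errors = "closed", []
            else:                     # assumption: a failed probe restarts the cooldown
                self.state, self.opened_at = "open", now
        elif decision == "normal" and not ok and self.state == "closed":
            # Keep only errors still inside the window, then add this one.
            self.errors = [t for t in self.errors if now - t < self.window] + [now]
            if len(self.errors) >= self.max_errors:
                self.state, self.opened_at = "open", now

# Per-domain isolation: each hostname gets its own breaker on first use.
breakers = defaultdict(CircuitBreaker)
```

Errors older than the window are discarded before counting, so four failures followed by a quiet minute do not trip the breaker on the next single error.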

How does the script proxy recover lost analytics data?

Ad blockers block requests to known tracking domains (google-analytics.com, googletagmanager.com). SerpWise proxies these scripts through your own domain, so they look like first-party resources and bypass blockers. Server-set cookies also bypass Safari's 7-day ITP limit with a 400-day expiry.

How does SerpWise detect and classify bots?

The gateway checks every request's User-Agent against 38+ known bot signatures — search engines (Google, Bing, Yandex), social crawlers (Facebook, Twitter, LinkedIn), AI crawlers (GPTBot, ClaudeBot, PerplexityBot), and monitoring tools. You can write rules that target specific bot types, serve different content to AI crawlers, or block unwanted bots entirely.

What happens if I misconfigure my CSP?

If you're in report-only mode, nothing breaks — browsers log violations but still load all resources. If you're in enforce mode and realize a mistake, switch back to report-only or disabled instantly from the dashboard. Changes take effect on the next request.

Ready to dominate the Agentic Web?

Join the forward-thinking teams using SerpWise to optimize, track, and secure their presence across AI agents and traditional search. Start your free trial today.