Caddy does not offer full application protection besides HTTPS and basic stuff.

They're both reverse proxies built on nginx, but the whole point of BunkerWeb is that it's a WAF, which NPM is not, so that's a significant difference.

In short, NPM doesn't do any of the stuff listed under Security Features here: https://docs.bunkerweb.io/latest/#security-features

I mean ... You're not completely wrong, but you're not completely right either. For context: I've been working full-time in security for 15 years and on the fringes (reversing) for many more.

WAFs in and of themselves provide virtually zero security. They can block naive attacks -- catching the most obvious payloads -- and act as an early-warning signal that an attack may be underway (though the SNR on this is awful). But frankly, this is far less important in practice than the fact that it just makes things more difficult and annoying for attackers. Enough so that it can make a semi-attractive target into a no-go.

This is like defense-in-depth, but instead of layering protections in place so that the holes in the swiss cheese don't like up, you're making the cheese smell awful enough to ignore the juicy apple behind it.

If you're a valuable enough target, they're gonna go for the apple regardless of how bad the cheese is. ... And this analogy may have gotten away from me.

In addition to defense-in-depth—simply adding a bunch of imperfect layers and acknowledging that no individual layer like this is all that effective on its own—there’s a component of creating signal: it can be pretty trivial for a motivated attacker to bypass a WAF, however it may not be trivial to do so without creating a paper trail of event logs, which can be used to trigger automated blocks or escalate alarms for a human to intervene.

I'd generally confirm that suspicion: https://www.macchaffee.com/blog/2023/wafs/

WAFs have a few valid uses in my opinion: "virtual patching" and the ability to create custom rules such as blocking/challenging/rate limiting obviously bad traffic. But the giant rulesets are actively harmful IMO. "Defense in depth" is not a valid justification for doing something actively harmful to both your users and the time budget of your security team.

WAFs aren't bullshit but have limitations - they're effective against known attack patterns (SQLi, XSS) but can be bypassed with sophisticated techniques. They're best as one layer in a defense-in-depth strategy, not a complete security solution.

You are correct. Actual security needs to be inherently part of the application; you can't get it just by slapping something in front of it. And the way most WAFs work is basically just a fancier version of what https://thedailywtf.com/articles/Injection_Rejection does, which is horrifically bad on sites where people try to discuss HTML or SQL.

Custom nginx configs are supported (more info here : https://docs.bunkerweb.io/latest/advanced/#custom-configurat...) but BunkerWeb also includes its own list of settings.

Features with a crown icon are PRO, you will find full list of free and PRO features here : https://docs.bunkerweb.io/latest/features/

Thanks for the kind words!

Kubernetes integration is really awesome, you can use BunkerWeb ingress controller or mix it with an existing ingress controller.

ModSecurity doesn't offer antibot, bad behavior, certificate management, ... You can find the full list of features here : https://docs.bunkerweb.io/latest/features/