Security Concepts
Stop bots from scraping your content or DDoSing your API without affecting real users. Crate provides specialized security layers that run before your backend is even touched, saving your server resources.
AI Shield
AI Shield is a specialized layer of our rate limiter designed to detect and manage non-human traffic.
How it Works
AI Shield inspects the User-Agent and traffic patterns to identify known crawler bots (e.g., GPTBot, ClaudeBot, Bytespider). You can configure the response strategy:
- Block Mode: Instantly rejects known bots with a `403 Forbidden` error. Perfect for exclusive content.
- Strict Mode: Allows limited access (e.g., 5 requests/minute). Useful if you want to allow indexing but prevent aggressive scraping.
IP Allowlisting
You can restrict access to specific domains or routes by defining an allowlist of IP addresses or CIDR blocks. This is ideal for internal APIs, partner integrations, or securing administrative interfaces.
- Global Allowlist: Applies to an entire domain.
- Route-specific Allowlist: Overrides domain-level settings for specific paths.
Admin Subdomain Isolation
Crate allows you to isolate administrative routes on a dedicated subdomain (e.g., admin.example.com). This provides an additional layer of security by separating sensitive management paths from your public API surface.
Private Network Protection (SSRF)
Crate includes built-in protections against Server-Side Request Forgery (SSRF) to prevent your gateways from being used to access internal infrastructure.
Managed SaaS Restriction
For organizations using our Shared Managed or Private Managed gateways, Crate enforces strict validation on all routing destinations.
- Blocked: `localhost`, `127.0.0.1`, and all private IPv4/IPv6 ranges (RFC 1918, etc.) are prohibited.
- Allowed: Only publicly routable IP addresses and qualified domain names are permitted.
BYOC & Community Edition
If you are running your own gateway via Bring Your Own Cloud (BYOC) or the Community Edition (CE), these restrictions are automatically relaxed:
- Local Routing: You can route traffic to `localhost` or internal services on your private network (e.g., `10.0.0.5`).
- Discovery: Crate’s control plane automatically authorizes private routing for organizations that are 100% BYOC-powered.
[!IMPORTANT] To maintain this security posture, an organization cannot mix Managed and BYOC gateways. If you need both, we recommend using separate organizations to isolate your public and private routing configurations.
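The following is an added example of the destination check described in the Managed SaaS Restriction and BYOC sections above; it is illustrative code, not Crate's own implementation. The `managed` flag and the injectable `resolver` are assumptions, and the example goes one step beyond the page by also rejecting a qualified domain name whose resolved addresses are private, since a public-looking name can otherwise point back into the internal network.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# Assumed resolver type: maps a hostname to the IP strings it resolves to.
Resolver = Callable[[str], Iterable[str]]


def is_private_address(addr: str) -> bool:
    """True for loopback, RFC 1918 / ULA, link-local and other non-public addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it is judged as the IPv4 it carries.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def default_resolver(host: str) -> List[str]:
    """Real DNS lookup; tests inject a constructed resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_destination(host: str, managed: bool,
                         resolver: Resolver = default_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason) for a routing destination.

    managed=True models Shared/Private Managed gateways (strict validation);
    managed=False models BYOC / Community Edition (private routing relaxed).
    """
    host = host.strip().rstrip(".").lower()
    if not host:
        return False, "empty host"
    if not managed:
        return True, "byoc: private routing authorized"
    if host == "localhost":
        return False, "localhost is blocked on managed gateways"
    try:  # IP literal: judge the address itself
        if is_private_address(host):
            return False, f"{host} is not publicly routable"
        return True, "public ip literal"
    except ValueError:
        pass  # not an IP literal; treat it as a domain name
    if "." not in host:
        return False, "unqualified hostname"
    addrs = list(resolver(host))
    if not addrs:
        return False, f"{host} does not resolve"
    private = [a for a in addrs if is_private_address(a)]
    if private:  # every resolved address must be public
        return False, f"{host} resolves to non-public {private[0]}"
    return True, "public domain"
```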