TMW CDN / Proxy
Application-layer protection.
A self-developed reverse proxy with our own WAF engine, multiple protection modes, edge cache and on-the-fly image optimization. Built and operated end-to-end by TMW.
Inspection at every layer
Every request passes through our stack of appliances. Bots, abuse and attacks are dropped before they reach your origin.
Everything an L7 application needs - in one proxy.
Application-layer DDoS, WAF rules, cache, image optimization and routing logic - without stitching together five different vendors.
Custom-built WAF
Our own Web Application Firewall engine - written by us, tuned for our network. No third-party stack, no per-rule licensing.
Different Protection Modes
Switch between standard, strict and under-attack modes per host. Tighten or relax in seconds without reconfiguration.
WebSocket Support
Real-time apps work out of the box - chat, dashboards, multiplayer, trading frontends. Long-lived upgraded connections handled correctly.
WWW Redirect
Automatic apex ↔ www canonicalization with permanent redirects, so your SEO stays consistent.
Edge Cache
Smart HTTP cache at our edge with full control over TTLs, cache keys and purge by tag, URL or wildcard.
Image Optimization
On-the-fly resizing, format conversion (WebP/AVIF) and quality tuning. Faster pages, smaller bills.
Asset Caching
Static assets are cached and served from the edge in the data center closest to your visitor.
Anycasted Edge
Traffic is terminated at the closest PoP. Lower latency, fewer round trips, faster TLS handshakes.
Application-layer abuse, blocked at the edge.
L7 attacks look like real traffic until you look closer. TMW CDN / Proxy fingerprints the request, scores the client and decides before your origin ever sees a byte.
HTTP / HTTPS Floods
High-RPS GET and POST floods are absorbed and rate-limited per route, per token and per fingerprint - long before your application threads block.
Slowloris & Slow POST
Connections that drip headers or bodies for hours are detected and reaped at the edge. Your origin sockets stay free.
Credential Stuffing
Bots replaying breach lists against /login are scored by behavior, not just IP. Suspicious sessions get challenged or dropped.
Scraping & Hoarding
Automated scrapers building competitor catalogs are throttled by request shape, headless-browser tells and asset-fetch patterns.
OWASP Top 10
Built-in rules block SQL injection, XSS, RCE, path traversal, SSTI, deserialization and the rest of the usual suspects - tunable per host.
Bot Abuse
Sneakers, ticket scalpers, ad-fraud farms and inventory hoarders. Headless-browser detection plus behavioral scoring - not just user-agent strings.
API Abuse
Per-route quota, per-method limits and replay-attack detection on JSON / GraphQL / gRPC traffic. Idempotency-aware, not a blunt rate limiter.
Hotlinking & Bandwidth Theft
Referrer-based and signed-URL controls keep your images, video and downloads from being embedded on someone else's site.
How a request flows through TMW CDN / Proxy.
Five stages, deterministic, observable. You get a header on every response that tells you exactly where the decision was made.
Anycast termination at the closest PoP
Clients hit the nearest PoP automatically. Modern transports (HTTP/2, HTTP/3, IPv6) handled out of the box.
Managed TLS & SNI routing
Free, auto-renewed certificates or your own. Strong cipher policy, OCSP stapling and proper SNI multiplexing across thousands of hosts.
Inspection by our own WAF engine
Header, body, and parameter inspection. OWASP rules, custom rules and behavioral scoring - all in one pass, microseconds per request.
Edge cache & image optimization
Cacheable responses are served straight from the edge. Images are resized and re-encoded on the fly to WebP / AVIF.
Forward to origin or fail open / closed
Healthy origin? Forward. Origin down? Serve stale cache or a maintenance page - never a blank 502.
Three modes, switchable per host.
Different sites need different postures. Switch between modes per hostname in seconds, no DNS change, no certificate juggling.
Production default
Full WAF, edge cache and bot scoring with a low false-positive rate. Designed to leave real users untouched.
- OWASP rule set enabled
- Heuristic bot scoring
- Full cache & image optimization
- Realistic challenge thresholds
When the noise rises
Tighter heuristics, more aggressive challenge thresholds and additional signals factored in. For sensitive routes or under sustained probing.
- Aggressive bot scoring
- Adaptive for unknown clients
- Strict header validation
- Per-fingerprint rate limits
Active incident mode
Maximum filtering. Every new visitor passes a JavaScript and proof-of-work challenge before reaching your origin. Toggle on, toggle off.
- Mandatory JS challenge
- Proof-of-work for unknowns
- Geo and ASN gating ready to flip
- Static fallback page available
Made for the modern web.
From a one-pager landing page to a multi-region SaaS - the proxy adapts. Same engine, same dashboard, same pricing.
SaaS Dashboards
Authenticated, real-time, WebSocket-heavy. Sessions stay sticky, dashboards stay snappy, login pages stay un-stuffable.
E-commerce & Storefronts
Catalog and image-heavy sites get edge-served, cart and checkout get protected. Sale-day traffic doesn't melt your origin.
Content & Media
News, blogs, video portals. Smart cache rules, hotlinking control and image optimization - bandwidth bills drop without rework.
Public APIs
Per-route, per-key rate limits. Idempotency-aware. JSON, GraphQL and gRPC supported with per-method controls.
Login & Account Pages
Tightest mode, highest scrutiny. Bot scoring on every request, optional MFA-aware throttles, breach-list-aware blocking.
Multiplayer Frontends
WebSocket-native. Lobby, matchmaking and real-time chat stay open under load - long-lived connections handled correctly.
An honest reverse proxy.
Built in-house, priced flat, deployable today. No marketplace add-ons, no per-rule licensing, no contracts you'll regret.
Our Own WAF Engine
Written in-house, tuned for our network. We ship rule updates the same day a CVE drops - no vendor wait, no licensing tier required.
Flat, Predictable Pricing
No per-rule fees, no per-request meter. Bandwidth and requests are bundled into a flat fee that doesn't punish you for getting attacked.
Custom Rules - Not a Side Quest
Engineers write rules with you in real time. Geo gates, header asserts, regex bodies, signed cookies - whatever your shape needs.
Plays Well With Others
Stack TMW CDN / Proxy in front of, behind or beside another CDN. We don't insist on owning your DNS or your edge.
Same-Day Deployment
Point your DNS, pick a mode and you're live. No staging period, no minimum month, no on-prem appliance to rack.
Useful Observability
Per-route metrics, top blocked rules, top offenders and live tail. The same view our team uses - exposed in your portal.
Layered protection: TMW Shield + TMW CDN / Proxy
Run them side by side. TMW Shield absorbs volumetric and protocol attacks at L3 / L4. TMW CDN / Proxy handles HTTP-layer abuse, bots and application-layer logic at L7.
TMW Shield
Network-layer DDoS mitigation. BGP-routed, always-on, sub-second detection.
Explore TMW Shield →TMW CDN / Proxy
Reverse proxy with our own WAF engine, edge cache, image optimization and protection modes.
Try TMW CDN / Proxy free for 30 days
Point your DNS, pick a protection mode and you're protected. Full WAF, cache and image optimization included throughout the trial.
- No credit card required
- Full WAF engine access
- Dedicated onboarding engineer
- Cancel anytime
Application-layer protection, end to end.
Activate TMW CDN / Proxy in minutes. Combine it with TMW Shield for full L3 to L7 coverage.