Every application exposed to the internet faces two broad categories of threats.
The first category consists of malicious requests sent directly to your server: bots attempting credential stuffing, attackers probing for vulnerabilities, automated scanners searching for exposed endpoints, and users overwhelming your API with excessive traffic.
The second category consists of malicious content executing inside the browser: injected scripts, compromised third-party dependencies, clickjacking attempts, and unauthorized connections to external services.
Oolvay ships with protection for both.
| Layer | Protects against | Runs where |
|---|---|---|
| Threat Protection | Bots, abuse, scanners, attacks, and excessive traffic | Server |
| Content Security Policy | Malicious scripts, unauthorized resources, and browser-based attacks | Browser |
Both layers are enabled by default and require no setup to provide value.
A useful way to think about the difference:
Threat Protection evaluates requests before your route handler executes. Suspicious traffic can be rate-limited, blocked, or challenged before it reaches your application logic.
Content Security Policy applies after a page is delivered to the browser. It restricts which scripts, images, fonts, frames, and network connections the page is allowed to load, reducing the impact of cross-site scripting attacks and compromised third-party dependencies.
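The two layers in one request pipeline, as an added illustration that is not Oolvay's code or API: `createRateLimiter`, `protect`, `runDemo`, the policy string, the limit of 5 requests per 60 seconds, and the sample addresses are all assumptions made for the example.

```javascript
// Added illustration with hypothetical names; this is not Oolvay's API.
const CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; frame-ancestors 'none'";

// Server-side layer: fixed-window request counter per key.
function createRateLimiter(limit, windowMs) {
  const hits = new Map(); // key -> { count, windowStart }
  return function check(key, now) {
    const entry = hits.get(key);
    if (!entry || now - entry.windowStart >= windowMs) {
      hits.set(key, { count: 1, windowStart: now });
      return { allowed: true, retryAfterMs: 0 };
    }
    entry.count += 1;
    const allowed = entry.count <= limit;
    return { allowed, retryAfterMs: allowed ? 0 : entry.windowStart + windowMs - now };
  };
}

// Wrap a route handler: the gate runs first; every response carries the CSP the browser enforces.
function protect(handler, limit, windowMs) {
  const check = createRateLimiter(limit, windowMs);
  const withCsp = (res) => ({ ...res, headers: { ...res.headers, "Content-Security-Policy": CSP } });
  return function handle(req, now = Date.now()) {
    const verdict = check(`${req.ip} ${req.path}`, now);
    if (!verdict.allowed) {
      // Blocked here: the route handler is never invoked.
      const retryAfter = String(Math.ceil(verdict.retryAfterMs / 1000));
      return withCsp({ status: 429, headers: { "Retry-After": retryAfter }, body: "Too Many Requests" });
    }
    return withCsp(handler(req));
  };
}

// Constructed scenario: one client sends 8 sign-in attempts, one per second.
function runDemo() {
  let handlerCalls = 0;
  const signIn = protect(() => {
    handlerCalls += 1;
    return { status: 401, headers: {}, body: "Invalid credentials" };
  }, 5, 60000);
  const t0 = 1000000; // constructed timestamp (ms)
  const burst = [];
  for (let i = 0; i < 8; i++) burst.push(signIn({ ip: "203.0.113.7", path: "/sign-in" }, t0 + i * 1000));
  const callsAfterBurst = handlerCalls;
  const otherClient = signIn({ ip: "198.51.100.9", path: "/sign-in" }, t0 + 8000);
  const nextWindow = signIn({ ip: "203.0.113.7", path: "/sign-in" }, t0 + 60000);
  return { burst, callsAfterBurst, otherClient, nextWindow };
}
console.log(runDemo().burst.map((r) => r.status).join(" "));
```

The sixth attempt onward is answered with 429 before the handler runs, while a different client and the next time window are unaffected. The header only matters once a browser renders the response.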
Neither layer replaces the other.
A bot attempting to brute-force sign-ins is a server-side problem. A malicious script injected into a page is a browser-side problem. Modern applications need defenses for both.
Security is most effective when it is layered.
A rate limit does not stop malicious scripts from executing in a browser. A Content Security Policy does not stop a bot from hammering your sign-in endpoint. Each layer solves a different class of problem.
For that reason, Oolvay enables both server-side and browser-side protections from day one.
Out of the box:
By the end of this section, you will understand: