Configuring the Security Shield

Per-workspace and per-key modes, custom thresholds, IP rules, and SIEM webhooks.

Modes

Set the mode from Dashboard → Guardian → Security Shield → Configuration or via the API.

- off: shield completely disabled. No scanning, no events. Use for internal tooling where you control all inputs.
- monitor (default): scan runs as a background task. Zero latency overhead. Threats are logged to security_events but never block requests. Ideal for a trial phase before enabling block mode.
- block: scan is awaited before the upstream call. Requests whose threat score meets or exceeds the threshold return HTTP 400 threat_blocked immediately.

Threshold

The block threshold (0.0-1.0, default 0.85) determines the minimum threat_score required to block a request in block mode. Lower values catch more potential threats at the cost of more false positives. We recommend starting at 0.85 and lowering only if you observe missed threats in monitor mode logs.

Per-key override

Individual API keys can override the workspace mode. Set a key to block mode for untrusted integrations, while keeping your internal automation on monitor. Use Dashboard → Keys → ⋯ → Security mode.

IP allowlist / blocklist

Add CIDR rules under Dashboard → Guardian → Security Shield → IP Rules. Rules are evaluated in creation order. Allow rules take priority over deny rules: if an IP matches both an allow and a deny CIDR, the request passes.

curl -X POST https://app.hiway2llm.com/api/v1/workspaces/WS_ID/security/ip-rules \
  -H "Authorization: Bearer hw_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"cidr": "203.0.113.0/24", "action": "deny", "comment": "Known attack subnet"}'

SIEM webhooks

Forward threat events to Splunk, Datadog, a custom SIEM, or any HTTP endpoint. Each webhook can be filtered to specific event types (blocked, logged). Payloads are signed with an HMAC-SHA256 signature in the X-HiWay-Signature header for verification.

curl -X POST https://app.hiway2llm.com/api/v1/workspaces/WS_ID/security/webhooks \
  -H "Authorization: Bearer hw_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Splunk SIEM",
    "url": "https://your-splunk.example.com/services/collector/event",
    "secret": "your-signing-secret",
    "events": ["blocked"]
  }'
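
A receiver-side check for the signed payloads described above, added here as an example and not HiWay's own code. It assumes the X-HiWay-Signature header carries the hex HMAC-SHA256 of the raw request body, keyed with the webhook secret; the page does not state the encoding or the signed input, so confirm both against a real delivery. The sample event and its field names are constructed.

```python
import hashlib
import hmac
import json

# Assumption (not stated on the page): the header value is the hex
# HMAC-SHA256 of the raw request body, keyed with the webhook "secret".
SIGNATURE_HEADER = "X-HiWay-Signature"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received on the wire."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, raw_body: bytes):
    """Return the parsed event if the signature is valid, otherwise None."""
    # HTTP header names are case-insensitive, so match on the lowercased name.
    received = next((v for k, v in headers.items()
                     if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not received:
        return None  # unsigned deliveries are rejected, never trusted
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison: a plain == can leak how many leading
    # characters matched through response timing.
    candidate = received.strip().lower().encode("utf-8")
    if not hmac.compare_digest(expected.encode("ascii"), candidate):
        return None
    # Parse only after authentication, from the same bytes that were verified.
    # Re-serialising JSON before hashing would change the bytes and the MAC.
    try:
        return json.loads(raw_body)
    except ValueError:
        return None


# Constructed sample delivery; field names are illustrative, not the product schema.
SECRET = "your-signing-secret"
BODY = b'{"event": "blocked", "threat_score": 0.91}'
GOOD_HEADERS = {"x-hiway-signature": compute_signature(SECRET, BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY))          # parsed event
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY + b" "))   # None: body altered
    print(verify_webhook("wrong-secret", GOOD_HEADERS, BODY))  # None: wrong key
```

Feed the function the raw body bytes from the HTTP framework, not a decoded or re-encoded copy, and return a non-2xx status when it yields None so forged events never reach the SIEM pipeline.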