Skip to main content
Unkey Deploy is currently in private beta. To get access, reach out on Discord or email support@unkey.com.
The Firewall policy rejects requests before they reach your application. It is the Sentinel’s surface for blocking unwanted traffic at the deployment layer.

Actions

Every firewall rule denies the request when its match conditions hit. Sentinel responds with HTTP 403 Forbidden and skips all downstream policies — your upstream service is never invoked. Rules are evaluated top-to-bottom. The first matching rule blocks the request.

Match conditions

Firewall rules reuse Sentinel’s shared match conditions: path, method, request header (including User-Agent), and query parameter. A rule can combine multiple conditions — all of them must match for the rule to apply.

Observability

Denied requests are not currently written to the request log. Per-request visibility for firewall matches will land in a later release.

Not a DDoS mitigation

The Sentinel firewall runs after traffic has entered the platform. It’s the right place to protect your application from unwanted traffic and avoid invoking your instances for denied requests, but it is not an infrastructure-level DDoS shield. Platform-level abuse protection lives at the edge and is handled separately.
Last modified on April 15, 2026