Skip to content

FAQ

Is VibeWarden only for "vibe-coded" apps?

No. VibeWarden is a production-grade security sidecar that works with any HTTP application — Spring Boot, Django, Rails, Express, FastAPI, Next.js, or anything else that listens on a port.

We say "vibe-coded" because that's where the pain is sharpest: developers shipping fast with AI tools often skip security entirely. But the features themselves — TLS termination, JWT validation, rate limiting, WAF, egress control, audit logging — are the same ones you'd want in front of any application.

If it's good enough for an app built in an afternoon with an AI assistant, it's more than good enough for your carefully architected production service.

Does it replace nginx / Traefik / Caddy?

VibeWarden embeds Caddy as its reverse proxy engine. It replaces the manual configuration of nginx or Traefik with a single vibewarden.yaml file that handles TLS, auth, rate limiting, WAF, and security headers together. You don't need to stitch together separate tools.

Does it work with my existing identity provider?

Yes. VibeWarden supports JWT/OIDC validation from any standard provider — Auth0, Keycloak, Firebase, Cognito, Okta, Supabase, or your own. It also supports Ory Kratos for self-hosted identity and simple API key auth for machine-to-machine communication. See the identity providers guide.

Do I need to change my application code?

Not for ingress (inbound traffic). VibeWarden sits in front of your app and handles security transparently. Your app receives clean, authenticated requests with user identity in headers like X-User-Id.

For egress (outbound traffic), your app points its HTTP calls at the egress proxy (localhost:8081) instead of directly at external APIs. This is the only code change, and it's optional.

Is it production-ready?

VibeWarden is pre-1.0. The core features (TLS, auth, rate limiting, security headers, WAF, egress proxy) are stable and tested, but the API may evolve. We recommend it for new projects and non-critical production workloads. Pin your version via .vibewarden-version to avoid surprises.

What's the performance overhead?

Under 3 microseconds per request with all middleware enabled (security headers + rate limiting + WAF). See the performance benchmarks.

Is it free?

The open-source core is Apache 2.0 — free forever. A Pro tier (fleet dashboard for managing multiple instances) is planned but not yet available.

Can I use it in Kubernetes?

Yes, as a sidecar container in the same pod as your application. A Helm chart is planned. For now, deploy the Docker image directly.

Can I use a different auth provider in dev vs prod?

Yes. This is the recommended pattern. Use auth.mode: kratos locally for a full self-contained auth loop (registration, login, password reset — no internet required), and auth.mode: jwt in production to validate tokens from your cloud IAM (Cognito, Auth0, Azure AD, etc.).

Your application code does not change between environments. VibeWarden injects X-User-Id, X-User-Email, and X-User-Verified headers in both modes. Kratos mode additionally sets X-User-Role from the identity traits. Only the VibeWarden config differs.

Switch between them with vibewarden start --config vibewarden.dev.yaml or via environment variable interpolation in a single shared config file.

See the Dev/Prod auth split section in the identity providers guide for full examples.

Where do I report security vulnerabilities?

See SECURITY.md. Use GitHub Security Advisories or email security@vibewarden.dev.