Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.lintliot.com/llms.txt

Use this file to discover all available pages before exploring further.

When you run npx lintliot init, LintLiot inserts itself at the front of your request pipeline — before routing, before your middleware, before any of your code runs. This page explains what happens from that point on: the 7-day learning phase, the request lifecycle on every inbound call, what changes when enforcement activates, and how your Security Score is calculated.

The 7-day learning phase

After your first request arrives, LintLiot automatically enters a passive observation window. For 7 days it watches traffic without changing how your app behaves (beyond standard WAF rules). During this time it builds five behavioral baselines specific to your application:
BaselineWhat it measures
TrafficRequests per minute by hour of day and day of week
Geographic distributionWhich countries your users request from
User behaviorRequests per session, endpoint variety per user
AuthenticationLogin attempt rate, failure rate, device variety
Data accessRecords returned per API response, per user per day
These baselines are statistical — each is a running mean and standard deviation, updated continuously with exponential smoothing so they adapt to gradual changes in your app’s traffic without forgetting its history. The anomaly threshold is 3 standard deviations (3σ) from the mean. At that threshold, the false positive rate on normally distributed data is about 0.3%. Your dashboard shows the learning progress in real time: 
┌─────────────────────────────────────────────────────┐
│  LintLiot is learning your app's normal behavior     │
│                                                      │
│  Day 4 of 7  ████████████░░░░░░░░  57% complete      │
│                                                      │
│  Traffic patterns:     ✓ Learned                    │
│  Geographic patterns:  ✓ Learned                    │
│  User behavior:        ⟳ Learning...               │
│  Auth patterns:        ⟳ Learning...               │
│  Data access:          ○ Pending                    │
│                                                      │
│  Your app is still protected by standard rules.      │
│  Personalized protection activates on Day 8.         │
└─────────────────────────────────────────────────────┘
Your app is protected throughout learning mode. WAF rules, bot detection, IP blocklist checks, and standard rate limiting are all active from the first request. Learning mode only affects the personalized behavioral thresholds.

The request lifecycle

Every inbound request passes through up to seven checks in sequence before your application code runs. Each check runs in under 1ms — the total SDK overhead is under 1ms at p99. 
Incoming request


1. Global blocklist check
   (IPs blocked across all LintLiot apps)


2. IP intelligence
   (per-app allowlist/blocklist rules)


3. Bot detection
   (12-signal fingerprint scoring)


4. WAF pattern matching
   (150+ rules: SQLi, XSS, SSRF, path traversal, etc.)


5. Rate limit check
   (baseline-relative after Day 8; floor applies immediately)


6. Session fingerprint validation
   (detects session hijacking and impossible travel)


7. Route sensitivity enforcement
   (automatic protection for /admin*, /payment*, /export*, etc.)


Your application code runs


Outgoing response
   → Record count logged (exfiltration detection)
   → Event pushed to pipeline (async, non-blocking)
   → Behavioral baseline updated
Each check results in one of three outcomes:
  • Allow — the request continues to the next check
  • Block — a 403 or 429 response is returned immediately; the request never reaches your code
  • Monitor — the request passes but the event is logged for analysis
All blocked events appear in your dashboard in real time.

Enforcement mode

On Day 8, you receive an email and a dashboard notification: your app’s security profile is ready. A single button enables enforcement mode. When you enable enforcement, several things change: Rate limiting becomes personalized. Instead of a generic request limit, the threshold becomes: baseline mean + (3 × baseline standard deviation). An IP that your app normally sees 2 requests per minute from would need to reach about 8–10 requests per minute before being rate-limited — not an arbitrary flat number. Anomaly detection activates blocking. Patterns that were logged-only during learning now trigger automatic responses. This includes:
  • Brute force — 3 failed logins from the same IP in 60 seconds triggers a 10-minute block; 30+ failures escalates to 24 hours
  • Credential stuffing — 20 unique IPs targeting the same account with failures in 5 minutes blocks all involved IPs and alerts you
  • Impossible travel — a user logging in from two locations too far apart for the elapsed time invalidates the second session and sends you an immediate critical alert
  • Data exfiltration — a user pulling records at more than 3σ above their normal volume triggers throttling and an alert
Route sensitivity enforces automatically. Endpoints matching sensitive patterns are protected regardless of your application code:
PatternProtection applied
/admin*, /api/admin*Admin role required
/delete*, /remove*, /destroy*Re-authentication if session is over 30 minutes old
/export*, /download*, /report*Egress monitoring, rate limited to 10 requests/hour
/payment*, /billing*, /checkout*Full request payload logged for audit trail
/bulk*, /batch*Record count monitoring with exfiltration threshold
You can override any of these rules from the dashboard in under a minute.

The security score

Your Security Score (0–100) is a single number that reflects your app’s overall security posture. It updates immediately whenever something relevant changes. The score is calculated as: 
score = 100
      − (critical open findings × 15)
      − (high open findings × 7)
      − (medium open findings × 3)
      − (low open findings × 1)
      − (active threats in last 24h × 5)
      − (failing critical compliance controls × 10)
      − (10 if still in learning mode)
      − (8 if no MFA detected)
      + (5 if all compliance frameworks passing)
      + (encryption coverage % × 0.1)
The score is clamped between 0 and 100.

Score bands

ScoreStatusWhat it means
90–100ExcellentNo critical issues. Safe to share your Security Certificate with enterprise prospects.
75–89GoodMinor open issues. Nothing critical.
60–74FairSome open findings that need attention.
40–59PoorActive risks. Prioritize resolving findings.
0–39CriticalActive threats or critical vulnerabilities present.

What triggers a score update

The score recalculates immediately when:
  • A new scan finding is added or resolved
  • A compliance control status changes
  • A critical security event is detected
  • You enable or disable learning mode
  • Emergency lockdown is activated or lifted
The fastest way to raise your score is to resolve open findings from the Scanner page. Fixing one critical finding adds up to 15 points.

The global threat network

Every LintLiot-protected app contributes anonymized threat data to a shared network. When an IP attacks any app in the network, it’s added to the global blocklist and propagated to every other app via Edge Config within 60 seconds. New CVE disclosures affecting your dependencies trigger an alert automatically — checked every 6 hours against published vulnerability databases. All shared threat data is anonymized. IP addresses are shared as-is (not considered PII under GDPR). Attack payloads are hashed and never stored in plaintext. Your user data never leaves your database.