Modes

Dhal has four modes.

Mode	Behavior	Recommended use
`off`	Disable inspection decisions	Temporary disablement only
`monitor`	Detect and log without blocking globally	First install and dry-run
`block`	Actively block matched requests	Route-level enforcement after review
`strict`	Aggressive enforcement	Hardened internal APIs only

Start in monitor

{
  "mode": "monitor"
}

This gives you visibility without breaking traffic.

Enforce by route

Prefer route-level enforcement:

{
  "mode": "monitor",
  "routes": {
    "/api/login": {
      "mode": "block",
      "rateLimit": {
        "windowSeconds": 60,
        "max": 5,
        "keyBy": ["ip", "route"]
      },
      "rules": {
        "credentialStuffing": true,
        "bot": true
      }
    }
  }
}

Avoid global strict early

Do not switch a new production install directly to global strict. Use dhal replay, dhal doctor, and route-specific profiles first.

Start in monitor​

Enforce by route​

Avoid global strict early​

Start in monitor

Enforce by route

Avoid global strict early