Limitations

Dhal is not a complete security platform.

Not a DDoS shield

Dhal runs after traffic reaches your Node process. It cannot stop upstream bandwidth exhaustion.

Use CDN, cloud, or network-level DDoS controls.

Dhal does not replace authentication, authorization, session management, or password security.

Dhal detects suspicious request patterns, but your app must still validate and sanitize input according to business rules.

No WAF guarantees complete protection. Treat Dhal as one layer in a defense-in-depth strategy.

Dhal is pre-1.0. Pin versions and test policy changes before enforcement.