Live

Platform X-Ray

Every hop, every header, every contract — made visible.

Request Path
🌐
Browser
You
🛡️
App Gateway
TLS · WAF
🔑
APIM
JWT · Headers
🔒
bff-auth
Session · CSRF
Your App
frontend · backend
App Gateway terminates TLS and enforces WAF rules
APIM validates the JWT and injects X-User-* identity headers
bff-auth manages the session cookie and enforces CSRF on state-changing requests
Your containers receive clean, pre-validated requests — no JWT parsing needed
Your Identity
X-User-Name
···
X-User-UPN
···
X-User-OID
···
Backend served at
···
APIM-Injected Headers
Backend Container Info
Container App
 
Revision
 
Replica
 
Python
 
Uptime
 
Health Monitor polls every 5s
Connecting…
CSRF Contract Demo

bff-auth enforces three requirements on state-changing requests: X-CSRF, Content-Type: application/json, and a JSON-parseable body. The safe button uses bff(); the unsafe one bypasses it.

Click a button above…
Sticky Board polls every 3s
280
📌
Loading notes…
Break the Platform

Six attacks. Six layers of defence. Try to break through — every attack gets stopped and explained.

🛡️ 0 / 6 blocked
🎉 Platform defended every attack!