Disclaimer

Please read this carefully before relying on Waterwall to protect anything you care about.

No warranty

Waterwall is free and open-source software distributed under the MIT License. To the maximum extent permitted by law, it comes with no warranty — express or implied — including but not limited to merchantability, fitness for a particular purpose, and non-infringement. The authors and contributors are not liable for any claim, damages, data loss, credential exposure, or other liability arising from its use.

It is a homelab tool, not a security product

Waterwall is built for a single trusted operator on their own host. It is explicitly not:

• a multi-tenant or managed service,
• a substitute for a secrets manager, a DLP product, or a compliance program,
• tamper-proof — it is tamper-evident, and a root user on the host can forge its audit signatures (see the Threat Model),
• a guarantee that every secret is caught. Redaction is pattern-based; an unknown credential format passes through until you add a pattern for it, and encoded payloads are not scanned.

Not advice

Nothing in this documentation is legal, compliance, or professional security advice. The compliance-framework tags Waterwall attaches to its audit log are informational mappings, not a certification or an attestation of compliance with SOC 2, the EU AI Act, OWASP, MITRE ATLAS, NIST, or any other framework.

Your responsibilities

By using Waterwall you accept that you are responsible for:

• validating that it actually redacts what you expect in your environment before trusting it,
• protecting the signing key and CA key,
• keeping dependencies and clients up to date and re-verifying TLS interception after upgrades,
• complying with all laws, contracts, and provider terms of service that apply to intercepting and modifying your own API traffic.

If you do not accept these terms, do not use the software.