Traefik

The Traefik module is a middleware plugin using our Go integration.

Prerequisites

  • Traefik v2.3+

Installation

Adding the Plugin

Add the DataDome plugin to your Traefik static configuration:

YAML:

experimental:
  plugins:
    datadome:
      moduleName: github.com/DataDome/module-traefik-package
      version: v1.0.0

TOML:

[experimental.plugins.datadome]
  moduleName = "github.com/DataDome/module-traefik-package"
  version = "v1.0.0"

CLI:

--experimental.plugins.datadome.modulename=github.com/DataDome/module-traefik-package
--experimental.plugins.datadome.version=v1.0.0

Configuring the Middleware

After adding the plugin, configure it as a middleware in your dynamic configuration:

YAML:

http:
  middlewares:
    datadome-protection:
      plugin:
        datadome:
          serverSideKey: "YOUR_DATADOME_SERVER_SIDE_KEY" # Replace with your server-side key

TOML:

[http.middlewares]
  [http.middlewares.datadome-protection.plugin.datadome]
    serverSideKey = "YOUR_DATADOME_SERVER_SIDE_KEY" # Replace with your server-side key

Docker labels:

labels:
  - "traefik.http.middlewares.datadome-protection.plugin.datadome.serverSideKey=YOUR_DATADOME_SERVER_SIDE_KEY"  # Replace with your server-side key

Applying the Middleware

Apply the middleware to your routes:

http:
  routers:
    my-router:
      rule: "Host(`example.com`)"
      service: my-service
      middlewares:
        - datadome-protection

Important: Restart Traefik after adding or modifying plugins to load the changes.

Ingress Installation

This section covers installing the DataDome plugin on a Traefik instance running as a Kubernetes Ingress controller.

For other configuration and full Ingress options, refer to the Traefik Ingress documentation.

Additional Prerequisites

  • kubectl access to the cluster with permissions to apply resources in kube-system and your application namespace

Step 1: Load the plugin into Traefik

Create a HelmChartConfig resource to register the DataDome plugin via the Traefik Helm chart. This applies DataDome protection to all incoming traffic on ports 80 (web) and 443 (websecure):

# traefik-plugin-config.yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system # change to match your Traefik Helm release namespace
spec:
  valuesContent: |-
    experimental:
      plugins:
        datadome:
          moduleName: "github.com/DataDome/module-traefik-package"
          version: "v1.0.1"
    ports:
      web:
        middlewares:
          - default-datadome@kubernetescrd # change the namespace prefix if you deploy the Middleware resource in a namespace other than "default".
      websecure:
        middlewares:
          - default-datadome@kubernetescrd # change the namespace prefix if you deploy the Middleware resource in a namespace other than "default".

Apply and wait for Traefik to restart:

kubectl apply -f traefik-plugin-config.yaml
kubectl rollout status deployment/traefik -n kube-system --timeout=180s

Step 2: Create the DataDome middleware

# datadome-middleware.yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: datadome
  namespace: default
spec:
  plugin:
    datadome:
      serverSideKey: "<YOUR_SERVER_SIDE_KEY>"

Apply the middleware:

kubectl apply -f datadome-middleware.yaml

Configuration

Field: serverSideKey
Type: string
Required: Yes
Description: Your DataDome Server Side Key.
Default: -

Field: enableGraphQLSupport
Type: boolean
Required: No
Description: Enables the support of GraphQL requests.
Default: false

Field: enableReferrerRestoration
Type: boolean
Required: No
Description: Restores original referrer after a challenge is passed.
Default: false

Field: endpoint
Type: string
Required: No
Description: Host of the Protection API.
Default: api.datadome.co

Field: maximumBodySize
Type: integer
Required: No
Description: Maximum request body size (in bytes) to analyze.
Default: 25 Kb

Field: timeout
Type: integer
Required: No
Description: Timeout in milliseconds, after which the request will be allowed.
Default: 150

Field: urlPatternExclusion
Type: string
Required: No
Description: Regex to match to exclude requests from being processed with the Protection API. If not defined, all requests will be processed.
Default: (?i)\.(avi|avif|bmp|css|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|json|less|map|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|otf|png|svg|svgz|swf|ttf|wav|webm|webp|woff|woff2|xml|zip)$

Field: urlPatternInclusion
Type: string
Required: No
Description: Regex to match to process the request with the Protection API. If not defined, all requests that don't match urlPatternExclusion will be processed.
Default: -

Field: useXForwardedHost
Type: boolean
Required: No
Description: Use the X-Forwarded-Host header instead of the Host header when the application is behind a reverse proxy/load balancer.
Default: false

Example configuration:

http:
  middlewares:
    datadome-protection:
      plugin:
        datadome:
          serverSideKey: "YOUR_DATADOME_SERVER_SIDE_KEY"
          timeout: 300
          enableGraphQLSupport: true
          useXForwardedHost: true
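
The urlPatternInclusion and urlPatternExclusion settings decide which requests reach the Protection API, so it is worth checking them against your own routes before deploying. The Go program below is an added example, not DataDome's plugin code: the function shouldProcess, matching against the URL path only, and the inclusion-then-exclusion order are assumptions, and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Default urlPatternExclusion, copied from the configuration table.
const defaultExclusion = `(?i)\.(avi|avif|bmp|css|eot|flac|flv|gif|gz|ico|jpeg|jpg|js|json|less|map|mka|mkv|mov|mp3|mp4|mpeg|mpg|ogg|ogm|opus|otf|png|svg|svgz|swf|ttf|wav|webm|webp|woff|woff2|xml|zip)$`

// shouldProcess reports whether a request path would be analyzed.
// Assumed semantics (hypothetical helper, not the plugin's code): patterns are
// tested against the URL path only; an inclusion pattern, when defined, must
// match; a matching exclusion pattern then skips the request.
// An empty string means "not defined".
func shouldProcess(path, inclusion, exclusion string) (bool, error) {
	if inclusion != "" {
		inc, err := regexp.Compile(inclusion)
		if err != nil {
			return false, fmt.Errorf("urlPatternInclusion: %w", err)
		}
		if !inc.MatchString(path) {
			return false, nil // outside the inclusion scope
		}
	}
	if exclusion != "" {
		exc, err := regexp.Compile(exclusion)
		if err != nil {
			return false, fmt.Errorf("urlPatternExclusion: %w", err)
		}
		if exc.MatchString(path) {
			return false, nil // explicitly excluded
		}
	}
	return true, nil
}

func main() {
	// Constructed sample paths; replace with routes from your own application.
	paths := []string{"/login", "/assets/app.JS", "/api/orders.json", "/img/logo.png", "/download/report.pdf"}
	for _, p := range paths {
		ok, err := shouldProcess(p, "", defaultExclusion)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-22s processed=%v\n", p, ok)
	}
}
```

With the default pattern, paths ending in .json or .xml are excluded, so confirm that no endpoint you expect to be protected ends in one of the listed extensions.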