The web application firewall (WAF) is enabled by default when you create proxy zones. It is one layer of security and an important component of a multitiered approach to bad actor mitigation.
Though not intended to protect against all possible bad actors, WAF protects production and development storefront hostnames from certain code-level vulnerabilities. These can include SQL injection, cross-site scripting, and threats identified by the Open Web Application Security Project (OWASP) that target the application layer.
When using WAF, keep the following in mind:
Contact your account team for management solutions from one of our recommended bot-specific partners, if applicable.
WAF monitors internet traffic, examining all HTTP or HTTPS (full site) and Ajax (small data snippet) requests made to your storefront. It uses the most common web application vulnerabilities identified by OWASP to determine an effective rule set. Rules can be based on multiple request attributes, such as user agent, path, country, query string, and IP address.
WAF performs several functions to help protect your storefront.
WAF default settings provide a sensitivity mode of Low and an action of Challenge.