Web Application Firewall (WAF)

Web Application Firewalls (WAFs) protect web applications from common attacks such as cross-site scripting (XSS) and SQL injection. Essentially, they act as a shield between your web application and the internet, inspecting requests before they reach the application. If you bring your own CDN for your project, you will most likely have your own WAF as well.

If you choose to go with the default CDN for Magnolia PaaS, you’ll be protected with the Fastly WAF.

The Fastly WAF inspects traffic at the HTTP application layer (layer 7), examining every HTTP and HTTPS request, headers and body included. Its rules can be configured specifically for your deployment.

Check it out!

You can view the requests handled by your Web Application Firewall directly under the WAF tab in the Logs section of the Cockpit.

[Image: WAF overview in the Cockpit]

For more details, check out Fastly’s WAF page.

Default settings

By default, WAF is activated on the prod clusters of your Magnolia PaaS deployment with the rule sets listed below.

Table 1. Rule set

Rule                Notes

owasp               Approximately 200 rules based on the OWASP Core Rule Set that protect
                    against the OWASP Top 10 attack vectors, such as cross-site scripting (XSS)
                    and injection attacks including SQL injection.
                    See the OWASP Top 10 for more information on these attack vectors.

application-multi   Dozens of rules that detect application-specific threats (for example,
                    requests exploiting known CVEs) as well as request anomalies such as a
                    missing User-Agent (UA) header or an X-Forwarded-For (XFF) mismatch.

WAF configuration for your project

Magnolia PaaS enables an aggressive set of security rules out of the box. To handle false positives in your specific project, we can disable individual rules or add rule exclusions so that legitimate traffic is no longer blocked.

The Fastly WAF filters requests through a set of security rules that match patterns known to be associated with malicious traffic. There are three types of rules:

  • Scoring rules: Rules which, when matched, do not immediately flag the request, but will contribute a score to a category and an overall total. Rules based on the OWASP core ruleset are scoring rules, as are some Fastly rules.

  • Strict rules: Strict rules are those which will, when matched, immediately flag a request. Most Fastly rules and all Trustwave rules are strict.

  • Threshold rules: Rules which flag a request if a scoring category or the total anomaly score exceeds a configured threshold. Threshold rules work in conjunction with scoring rules, and do not match on characteristics of the request, but instead match on the current value of an anomaly score.

— Fastly docs