Web Application Firewall (WAF)
Web Application Firewalls, or WAFs, protect web applications from common malicious attacks such as cross-site-scripting (XSS) and SQL injections. Essentially, they act as a type of wall or shield between your web application and the internet. If you have your own CDN for your project, you’ll likely have your own WAF.
If you choose to go with the default CDN for Magnolia PaaS, you’ll be protected with the Fastly WAF.
The Fastly WAF inspects the web traffic at the HTTP application layer by looking at all HTTP and HTTPS requests (both header and body included). This can be configured specifically for your deployment.
For more details, check out Fastly’s WAF page.
By default, your Magnolia PaaS deployment has WAF activated with a certain set of rules on your
Contains approximately 200 rules to protect against the top 10 vectors such as cross-site-scripting attacks and injections like SQL injections.
Contains dozens of rules that detect application-specific threats such as CVEs as well as request anomalies such as missing UAs, XFF mismatch and so on.
WAF configuration for your project
Magnolia PaaS typically provides an aggressive set of security rules out-of-the-box. We can disable rules or add rule exclusions to handle false positives to fit your specific project.
The Fastly WAF filters requests through a set of security rules that match patterns known to be associated with malicious traffic. There are three types of rules:
Scoring rules: Rules which, when matched, do not immediately flag the request, but will contribute a score to a category and an overall total. Rules based on the OWASP core ruleset are scoring rules, as are some Fastly rules.
Strict rules: Strict rules are those which will, when matched, immediately flag a request. Most Fastly rules and all Trustwave rules are strict.
Threshold rules: Rules which flag a request if a scoring category or the total anomaly score exceeds a configured threshold. Threshold rules work in conjunction with scoring rules, and do not match on characteristics of the request, but instead match on the current value of an anomaly score.