Skip to main content
Web Application and API Protection (WAAP) is a single SaaS tool that combines all aspects of website security and traffic management, including Layer 7 DDoS protection, and web application security. Securing an application with WAAP involves three main steps:
  1. Create a Gcore CDN resource for the domain.
  2. Enable WAAP protection in the resource settings.
  3. Verify traffic behavior to ensure legitimate requests are not blocked.
The following guide walks through this process and explains how to configure WAAP according to specific requirements.
TipAfter you enable WAAP, all traffic will be diverted to our network, and it may cause a temporary disruption for your users. We recommend setting up Gcore WAAP during a low-traffic period to minimize the impact.

Step 1. Create a CDN resource

To secure your web application and APIs with Gcore WAAP, it’s necessary to create a CDN resource associated with your website’s origin. If you also need to add an SSL certificate, check out the Add an SSL certificate to deliver content over HTTPS guide.
InfoWhen configuring a resource, you need to update your domain’s DNS records so they point to our network. This is necessary to allow all traffic to pass through WAAP.
If you don’t have Gcore CDN configured, follow the instructions from this guide: Create a CDN resource for the entire site.

Step 2. Enable WAAP in CDN resource settings

Once your CDN resource is set up, you can activate WAAP protection for it. Refer to the Protect CDN resources with Gcore WAAP guide for detailed instructions.

Step 3. Use WAAP in Monitoring mode

After you enable WAAP, it will be automatically set to the Monitoring mode. In this mode, all incoming requests are inspected, but no action is taken. It’s best to use Monitoring mode for several days before enabling the Protection mode to make sure that all security settings work correctly. Completing this step is important because it allows you to analyze requests and test the WAAP behavior before you fully activate it.
WarningIn Monitoring mode, all traffic is allowed to your domain, regardless of configured security rules and policy groups. This mode is only recommended for testing WAAP settings.

Step 4. View your domain traffic

While keeping WAAP in Monitoring mode, you can view all logged requests and check the corresponding actions that WAAP will take once you put it in Protection mode. Go through the Events pages to detect common traffic patterns and understand if the current configuration requires any adjustments. For instance, you can find information about incoming web requests on the Events page in the Requests table:
  1. In the Gcore Customer Portal, navigate to WAAP > Domains.
Domains page in the Customer Portal
  1. Find the needed domain and click its name to open it. You’ll be directed to the Overview page.
  2. In the sidebar, click Events.
  3. Review the information under Requests.
Events page in the Customer Portal showing Requests table
  1. You can also filter requests to get more granular information about your traffic:
  • All Actions: Filter requests by action type (Blocked, Monitored, Allowed, Passed, Captcha, JS Challenge).
  • Select Countries: Filter requests by country of origin.
  • Response Codes: Filter by HTTP response codes.
  • HTTP Methods: Filter by request method (GET, POST, etc.).
To view more information about a request, click the request ID and inspect the Request Details page.
Request details section open from the Events page
The screenshot above depicts a request that was blocked because of the SQL injection policy. It blocks requests if there is evidence that the request contains malicious SQL code.

Step 5. Test your WAAP configuration

To achieve the desired WAAP behavior, we recommend that you navigate through your website as both a user and administrator. Navigating the website will generate entries in the Requests table. You can use this information to determine if you need to create Firewall rules or custom WAAP rules for some requests and let them access your website’s content. Specifically, review requests that relate to:
  • Your origin IP: IP address assigned to your device.
  • Your office IP: IP address assigned to your device within your office’s network.
  • Your workstation IP: IP address assigned to a workstation or specific computer in a network.
If you notice that WAAP will block such requests in Protection mode, you need to update your settings to prevent such a situation. You can find detailed instructions on how to update your settings in the following step. Check out the allow and block IP addresses guide for more information.

Step 6. Allow admins, bots, and CMS

Before WAAP is in Protection mode, you need to ensure that critical IP addresses, content management systems (CMS), and known bots are allowed to make successful requests. Check the WAAP policy groups for a full list of security policies and their detailed overview.

Allow admin IP addresses

If your domain doesn’t use a CMS, we highly recommend allowlisting the site administrator’s IP address:
  1. In the Gcore Customer Portal, navigate to WAAP > Firewall.
Firewall page in the Customer Portal
  1. Select the needed domain from the domain dropdown.
  2. In the Allowed IPs tab, click Add IP/IP range.
  3. Enter any admin user’s public IP address.
  4. Click Save.
Repeat these steps if needed.

Allow CMS

If you use content management systems, such as WordPress, allow traffic for CMS admins:
  1. In the Gcore Customer Portal, navigate to WAAP > Default Rules.
  2. Select the needed domain from the domain dropdown.
  3. Click the CMS Protection tab.
  4. Find the desired content management system and change its mode to Allow by clicking on the mode dropdown next to it.
Default Rules page with CMS Protection tab
TipThe WordPress WAF ruleset policy is enabled by default.

Allow Known Bots

Follow these steps to allow crawlers, scanners, monitoring bots, and similar tools to access your website:
  1. In the Gcore Customer Portal, navigate to WAAP > Bot Management.
  2. Select the needed domain from the domain dropdown.
  3. Click the Known Bots tab and enable the desired bot by changing its mode to Allow.
Bot Management page with Known Bots tab
The Known Bots list allows several trusted bots by default, which is why we recommend reviewing this list before enabling Protection mode.

Step 7. Configure your APIs

If you plan to serve JSON requests through an API on your domain, you can disable the JavaScript injection and CAPTCHA functionalities for specified API endpoints. You can manually add endpoints to API base path or configure the API Discovery feature to automatically detect and protect your APIs.

Step 8. Enable Protection mode

  1. In the Gcore Customer Portal, navigate to WAAP > Domains.
  2. Find the needed domain in the list.
  3. In the WAAP domain mode column, click the mode dropdown and select Protection. WAAP will begin to inspect and act upon incoming requests.
WAAP modes dropdown on Domains page

Step 9. Block non-Gcore traffic

After successful DNS propagation and verifying that domain-based traffic is being handled by WAAP, ensure that all requests to your domain are routed through Gcore servers. This is necessary to prevent unauthorized traffic from bypassing WAAP and directly reaching your domain.