The Web Application and API Protection (WAAP) includes a Behavioral WAF policy group that helps prevent malicious attacks on your websites. The policy group contains a set of sophisticated user behavior and reputation analysis policies that inspect traffic and defend your website against threats such as spamming or brute force attacks.
Info: This policy group is available in the Pro and Enterprise plans.

Configure Behavioral WAF rules

You can review the Behavioral WAF rules and enable or disable them in the Gcore Customer Portal:

1. Navigate to WAAP > Default Rules.
2. In the domain dropdown at the top of the page, select the needed domain.
3. Click the Behavioral WAF tab to view and adjust the rules.

Info: Most Behavioral WAF policies are enabled by default, except for Repeated violations. To change a policy mode, click the dropdown near that policy.

Probing and forced browsing

Use CAPTCHA and JavaScript validation to challenge brute-forced requests on random URLs, which might aim to discover your web application’s structure and hidden directories. Requests that fail to pass the validation will be blocked.

Obfuscated attacks and zero-day mitigation

Block clients that perform multiple injection attacks.

Repeated violations

Present a CAPTCHA to, or block, clients that failed to answer a previously displayed challenge. Requests that fail to pass the validation will be blocked.

Brute-force protection

Present users with CAPTCHA when there’s an attempt to guess usernames and passwords on web login forms. If the client fails to pass the validation after a few attempts, the request will be blocked.