WAAP rules

WAAP rules allow you to specify how to inspect web requests to your domain and what actions to take when a request matches certain criteria. This helps protect your applications from common threats such as SQL injection, cross-site scripting (XSS), and other malicious activities.

For example, you can create a rule to block any request with common SQL injection patterns or require CAPTCHA validation to prevent spam.

What rules can you create?

Depending on your package level, you can create the following rules:

  • Allow/Block IP rules: Easy to configure and designed for cases where you need a simple, straightforward tool to manage IP access to your domain. These rules form access control lists (ACLs) and are free for any plan that includes our WAAP product.

  • Custom rules: These rules are composed of “if/then” statements and cover more complicated scenarios, such as filtering requests from specified countries or organizations. We offer several predefined custom rules tailored for different plans.

  • Advanced rules: Designed for technical users who need even more control over rule creation. Can be configured via API and are available within the WAAP Enterprise plan.

In addition to the above-described rules that you can configure, WAAP also contains a set of predefined WAAP rules that you can either enable or disable on the rules page.

Rule criteria

For any WAAP rule, it’s important to define the criteria that will put that rule into action. You can create WAAP rules based on a variety of conditions:

  • Origin of the IP or IP range.

  • Country or geographical location of the request.

  • Length of a specified part of the request, such as query string.

  • Strings that appear in the request. For example, values that appear in the user-agent header or text strings from the query string.

  • Specific tags.

  • SQL code that’s likely to be malicious and used to extract data from your database, also known as SQL injection.

  • Requests with potentially malicious scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).

  • Some rule types take sets of criteria. For example, you can specify up to 10,000 IP addresses or IP address ranges in an IP address rule.
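
The following added example (not Gcore code, and not the WAAP rule syntax or API) models how "if/then" rules built from the criteria above can be evaluated against a request. The criterion names, the first-match order, the requirement that all criteria in a rule match, and the default "allow" are assumptions made for illustration; only the 10,000-entry limit comes from this page.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_IP_ENTRIES = 10_000  # per-rule limit stated on this page

def _ip_matches(client_ip, entries):
    addr = ipaddress.ip_address(client_ip)
    # A bare address parses as a /32 (or /128) network, so both forms work.
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

# Criterion name -> predicate(request, value). Names are hypothetical.
CHECKS = {
    "ip_in": lambda req, v: _ip_matches(req["ip"], v),
    "country_in": lambda req, v: req.get("country") in v,
    "query_longer_than": lambda req, v: len(urlsplit(req["url"]).query) > v,
    "user_agent_contains": lambda req, v: any(
        s.lower() in req["headers"].get("user-agent", "").lower() for s in v),
}

def validate_rule(rule):
    """Reject unknown criteria, malformed IP entries and oversized IP lists."""
    for key, value in rule["if"].items():
        if key not in CHECKS:
            raise ValueError(f"unknown criterion: {key}")
        if key == "ip_in":
            if len(value) > MAX_IP_ENTRIES:
                raise ValueError("more than 10,000 IP entries in one rule")
            for entry in value:
                ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
    return rule

def evaluate(request, rules):
    """Return (action, rule name) of the first rule whose criteria all match."""
    for rule in rules:
        if all(CHECKS[k](request, v) for k, v in rule["if"].items()):
            return rule["then"], rule["name"]
    return "allow", None  # assumed default when nothing matches

# Constructed sample rules (documentation address ranges, placeholder country "XX").
RULES = [validate_rule(r) for r in (
    {"name": "blocked-ranges", "then": "block",
     "if": {"ip_in": ["203.0.113.0/24", "198.51.100.7"]}},
    {"name": "scripted-clients", "then": "captcha",
     "if": {"user_agent_contains": ["curl"], "country_in": ["XX"]}},
    {"name": "long-query", "then": "block", "if": {"query_longer_than": 512}},
)]
```

The SQL injection, XSS and tag criteria are not modelled here, and the request's country is assumed to be resolved before evaluation.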
