API
The Gcore Customer Portal is being updated. Screenshots may not show the current version.
WAAP
WAAP
About WAAPBilling
Configure WAAP for a domainWAAP modesManage domains protected with WAAP
Protocol validationWAF and OWASP top threatsIP reputationBehavioral WAFAnti-automation and bot protectionCMS protectionCommon automated servicesAdvanced API protection
Allow and block IP addresses in firewall
Configure API access with reserved tags
Advanced rate limiting rulesAdvanced rule objects and attributesSource field objects
Create and manage custom rules
Reserved tagsPredefined tags
Create custom response pagesManage custom response pages
How does JavaScript injection work?What cookies are used by WAAP?What storage variables does WAAP use?
Enable and troubleshoot bot protectionTroubleshoot blocked usersTroubleshoot 5xx errors
API
Chosen image
Home/WAAP/WAAP rules

WAAP rules

WAAP rules allow you to specify how to inspect web requests to your domain and what actions to take when a request matches certain criteria. This helps protect your applications from common threats such as SQL injection, cross-site scripting (XSS), and other malicious activities.

For example, you can create a rule to block any request with common SQL injection patterns or require CAPTCHA validation to prevent spam.

What rules can you create?

Depending on your plan, you can create the following rules:

  • Firewall rules (allow and block IP addresses): Easy to configure and designed for use cases when you need a straightforward, simple tool to manage IP access to your domain. These rules form access control lists (ACLs) and are free for any plan that includes our WAAP product.

  • Custom rules: These rules compose of “if/then” statements and cover more complicated scenarios, such as filtering requests from specified countries or organizations.

  • Advanced rules: Designed for technical users who need even more control over rule creation. Can be configured via API and are available within the WAAP Enterprise plan.

Rule criteria

For any WAAP rule, it’s important to define the criteria that will put that rule into action. You can create WAAP rules based on a variety of conditions:

  • Origin of the IP or IP range.

  • Country or geographical location of the request.

  • Length of a specified part of the request, such as query string.

  • Strings that appear in the request. For example, values that appear in the user-agent header or text strings from the query string.

  • Specific tags.

  • SQL code that’s likely to be malicious and used to extract data from your database, also known as SQL injection.

  • Requests with potentially malicious scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).

  • Some rule types take sets of criteria. For example, you can specify up to 10,000 IP addresses or IP address ranges in an IP address rule.

Was this article helpful?

Edit on GitHub