Gcore WAAP (Web Application and API Protection) protects websites, web applications, and APIs against application-layer attacks, bots, API abuse, and common web vulnerabilities. Traffic is inspected in real time using predefined security policies, behavioral analysis, and threat intelligence. The default configuration provides immediate protection, while policies, rules, and advanced controls allow granular customization.

WAAP combines multiple security layers within a single platform:
  • Traffic visibility and analytics – Dashboards, detailed events, and CSV export of event data.
  • Application-layer protection – Default WAF policies, behavioral protection, and L7 DDoS mitigation.
  • Custom security controls – Custom rules, rate limiting, and advanced filtering logic.
  • IP and access control – Allowlists, denylists, and IP reputation intelligence.
  • Bot management – Detection and mitigation of malicious automation.
  • API protection – API discovery, schema enforcement, and API-specific controls.
  • Threat intelligence – Security insights and attacker visibility.
  • Custom response pages – Controlled responses for blocked or challenged requests.
For domains that are not yet configured in Gcore, follow the guide to Configure WAAP for a new domain. After activation, protected domains can be managed from the Domains section in the Gcore Customer Portal. See Manage domains protected with WAAP.