
How to protect login pages with Gcore WAAP

  • By Gcore
  • September 4, 2025

Exposed login pages are a common weak point across web applications. Attackers often use automated tools to guess credentials in brute-force or credential-stuffing attacks, probe login behavior to find exploitable flaws in session or authentication logic, or overload your infrastructure with fake requests.

Without specific rules for login-related traffic, your application might miss these threats or apply overly broad protections that disrupt real users. Fortunately, Gcore WAAP makes it easy to defend these sensitive endpoints without touching your application code.

In this guide, we’ll show you how to use WAAP’s custom rule engine to identify login traffic and apply protections like CAPTCHA to reduce risk, block automated abuse, and maintain a smooth experience for legitimate users. We’ve also included a complete video walkthrough from Gcore’s Security Presales Engineer, Michal Zalewski.

Video walkthrough

Here’s Gcore’s Michal Zalewski giving a full walkthrough of the steps in this article.

Step 1: Access your WAAP configuration

  1. Go to portal.gcore.com and log in.
  2. Navigate to WAAP in the sidebar. If you’re not yet a WAAP user, it costs just $26/month.
  3. Select the resource that hosts your login form; for example, gcore.zalewski.cloud.

Step 2: Create a custom rule

  1. In the main panel of your selected resource, go to WAAP Rules.
  2. Click Add Custom Rule in the upper-right corner.

Step 3: Define the login page URL

Identify the login endpoint you want to protect:

  • Use tools like Burp Suite or the "Inspect" feature in your browser to verify the login page URL.
  • In Burp Suite, use the Proxy tab, or in the browser, check the Network tab to inspect a login request.
  • Look for the path (e.g., /login.php) and HTTP method (POST).

In the custom rule setup:

  • Enter the URL (e.g., /login.php).
  • Tag the request using a predefined tag. Select Login Page.
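
As an added example (not Gcore's code and not part of the original walkthrough): if you save the browser's Network tab capture as a HAR file, the script below lists the POST requests whose body carries a password-style field, which gives you the path and method to enter in the rule. The field-name heuristic, the sample host and the sample paths are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Assumed heuristic: field names that usually mark a credential submission.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass"}

def body_field_names(post_data):
    """Lower-cased field names from a HAR postData object (values are never returned)."""
    post_data = post_data or {}
    names = {p.get("name", "").lower() for p in post_data.get("params", [])}
    text, mime = post_data.get("text") or "", post_data.get("mimeType", "")
    if "json" in mime:
        try:
            parsed = json.loads(text)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            names |= {key.lower() for key in parsed}
    elif "x-www-form-urlencoded" in mime:
        names |= {key.lower() for key, _ in parse_qsl(text, keep_blank_values=True)}
    return names

def find_login_endpoints(har):
    """Sorted (method, host, path) tuples for POSTs whose body carries a credential field."""
    found = set()
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        method = req.get("method", "").upper()
        if method == "POST" and body_field_names(req.get("postData")) & CREDENTIAL_FIELDS:
            url = urlsplit(req.get("url", ""))
            found.add((method, url.hostname, url.path))  # query string dropped on purpose
    return sorted(found)

# Constructed sample in HAR 1.2 layout; host, paths and values are made up.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://app.example.test/login.php"}},
    {"request": {"method": "POST", "url": "https://app.example.test/login.php?next=%2Fhome",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&password=REDACTED"}}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/search",
                 "postData": {"mimeType": "application/json", "text": '{"q": "shoes"}'}}},
    {"request": {"method": "POST", "url": "https://app.example.test/api/session",
                 "postData": {"mimeType": "application/json; charset=utf-8",
                              "text": '{"email": "a@example.test", "Password": "REDACTED"}'}}},
]}}

if __name__ == "__main__":
    print(find_login_endpoints(SAMPLE_HAR))
```

A real HAR export contains the credentials you typed during the capture, so use a test account and delete the file once the paths are recorded.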

Step 4: Name and save the rule

Provide a name for the rule, such as “Login Page URL”, and save it.

Step 5: Add a CAPTCHA challenge rule

To protect the login page from automated abuse:

  1. Create a new custom rule.
  2. Name it something like “Login Page Challenge”.
  3. Under Conditions, select the previously created Login Page tag.
  4. Set the Action to CAPTCHA.
  5. Save the rule.

Step 6: Test the protection

  1. Return to your browser and turn off any proxy tools.
  2. Refresh the login page.
  3. You should now be challenged with a CAPTCHA each time the login page loads.
  4. Once the CAPTCHA is completed successfully, users can log in as usual.

Monitor, adapt, and alert

After deployment:

  • Track rate limit trigger frequency
  • Monitor WAAP logs for anomaly detection
  • Rotate exemptions or thresholds based on live behavior

For analytics, refer to the WAAP analytics documentation.

Bonus tips for hardened protection

  • Combine with bot protection: Enable WAAP’s bot mitigation to identify headless browsers and automation tools like Puppeteer or Selenium. See our bot protection docs for setup instructions.
  • Customize 429 responses: Replace default error pages with branded messages or a fallback action. Consider including a support link or CAPTCHA challenge. Check out our response pages documentation for more details.
  • Use geo or ASN exceptions: Whitelist trusted locations or block known bot-heavy ASNs if your audience is localized.

Automate it: optional API and Terraform support

Teams with IaC pipelines or security automation workflows might want to automate login page protection with rate limiting. This keeps your WAAP config version-controlled and repeatable.

You can use the WAAP API or Terraform to:

  • Create or update rules
  • Rotate session keys or thresholds
  • Export logs for auditing

Explore the WAAP API documentation and WAAP Terraform provider documentation for more details.

Stop abuse before it starts with Gcore

Login pages are high-value targets, but they don’t have to be high risk. With Gcore WAAP, setting up robust defenses takes just a few minutes. By tagging login traffic and applying challenge rules like CAPTCHA, you can reduce automated attack risk without sacrificing user experience.

As your application grows, revisit your WAAP rules regularly to adapt to new threats, add behavior-based detection, and fine-tune your protective layers. For more advanced configurations, check out our documentation or reach out to Gcore support.
