You can use this document to review available WAF settings.
To access WAF settings:
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click WAF.
Review WAF settings
You can use this setting to enable Monitor mode or Protect mode for the WAF.
In Protect mode, all policies and rules are activated as configured. In other words, in Protect mode, the WAF will actively protect your site.
In Monitor mode, the WAF will allow all traffic to your site; however, the WAF will log requests and corresponding policies to help you understand the type of traffic that will be allowed or blocked. This mode is useful to help you observe, fine-tune, and configure the WAF before switching to Protect mode.
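One way to review Monitor mode output before switching to Protect mode, as an added example that is not StackPath code. The JSON-lines layout and the field names (`path`, `policy`, `would_block`, `client`) are assumptions, not a StackPath log schema, and the sample records are constructed. The script ranks each policy/path pair by how many distinct clients would have been blocked, so broad hits on one path surface first as tuning candidates.

```python
import json
from collections import defaultdict

# Constructed sample records. Field names are assumptions, not a StackPath schema.
SAMPLE_LOG = """\
{"path": "/api/cart", "policy": "CSRF token", "would_block": true, "client": "198.51.100.10"}
{"path": "/api/cart", "policy": "CSRF token", "would_block": true, "client": "198.51.100.11"}
{"path": "/api/cart", "policy": "CSRF token", "would_block": true, "client": "198.51.100.12"}
{"path": "/api/cart", "policy": "CSRF token", "would_block": true, "client": "198.51.100.13"}
{"path": "/login", "policy": "Anti-Automation & Bot Protection", "would_block": true, "client": "203.0.113.5"}
{"path": "/login", "policy": "Anti-Automation & Bot Protection", "would_block": true, "client": "203.0.113.5"}
{"path": "/login", "policy": "Anti-Automation & Bot Protection", "would_block": true, "client": "203.0.113.5"}
{"path": "/index.html", "policy": null, "would_block": false, "client": "198.51.100.10"}
this line is truncated {"path":
"""

def summarize(log_text):
    """Return (records parsed, rows of would-block hits per policy/path)."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set()})
    parsed = 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        parsed += 1
        if rec.get("would_block"):
            entry = stats[(rec.get("policy"), rec.get("path"))]
            entry["hits"] += 1
            entry["clients"].add(rec.get("client"))
    rows = [{"policy": pol, "path": path, "hits": s["hits"], "clients": len(s["clients"])}
            for (pol, path), s in stats.items()]
    # Many distinct clients on one path first: review these before enabling Protect.
    rows.sort(key=lambda r: (-r["clients"], -r["hits"], r["policy"], r["path"]))
    return parsed, rows

def review_candidates(rows, min_clients=3):
    """Heuristic, not a verdict: pairs that would block at least min_clients clients."""
    return [r for r in rows if r["clients"] >= min_clients]

if __name__ == "__main__":
    parsed, rows = summarize(SAMPLE_LOG)
    print(f"{parsed} records parsed")
    for r in rows:
        print(f'{r["clients"]:>3} clients {r["hits"]:>3} hits  {r["policy"]}  {r["path"]}')
    print("review before Protect mode:", [r["path"] for r in review_candidates(rows)])
```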
API URL Configuration
You can use this setting to add API endpoints to the WAF.
If your web application uses an API that is implemented on the same domain, then you must configure the WAF to add an endpoint.
You can use this setting to configure the thresholds to trigger DDoS protection.
WAF & OWASP Top Threats
You can use this setting to enable StackPath's core policies, as well as protection against OWASP’s most critical web-application security risks.
You can use this setting to block requests with a missing or invalid user agent string.
You can use this setting to generate and add a Cross-Site Request Forgery (CSRF) token to the forms on your site.
Requests without a valid CSRF token will be blocked.
You can use this setting to check for the source of a request, and then allow or block the request, based on real-time threat intelligence (IP address, source location, and more).
Anti-Automation & Bot Protection
You can use this setting to help block bots and other types of non-legitimate automated traffic.
Spam and Abuse
You can use this setting to help stop automated form submissions on a spammer's first attempt.
Behavioral WAF (advanced threat protection)
You can use this setting to allow or block traffic, based on user behavior and reputation analysis rules.
You can use this setting to allow the backend functions of a CMS to operate without being blocked or challenged by the WAF.
Allow Known Bots
You can use this setting to allow known bots.
To learn about the StackPath WAF at a high level, see Learn About the StackPath WAF.
To learn how to create custom WAF rules, see Create Custom WAF Rules.
To learn how to view and understand WAF analytics, see View WAF Analytics.