Overview
You can use this document to review available WAF settings.
To access WAF settings:
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click WAF.
WAF Mode
You can use this setting to enable Monitor mode or Protect mode for the WAF.
In Protect mode, all policies and rules are activated as configured. In other words, in Protect mode, the WAF will actively protect your site.
In Monitor mode, the WAF will allow ALL traffic to your site; however, the WAF will log requests and the policies they match to help you understand the type of traffic that would be allowed or blocked. This mode is useful to help you observe, fine-tune, and configure the WAF before switching to Protect mode. L7 DDoS protection is ALWAYS active, even with the WAF in Monitor mode.
- To learn more, see Enabling Monitor Mode.
API URL Configuration
You can use this setting to add API endpoints to the WAF. If your web application uses an API that is implemented on the same domain, then you must configure the WAF by adding its endpoint. This will exclude that endpoint from the WAF's Captcha and JavaScript Validation challenges, which an API client cannot complete.
- To learn more, see Adding API Endpoints to the StackPath WAF.
DDoS Configuration
Thresholds for DDoS protection are automatically set by StackPath. WAF Professional and WAF Enterprise customers can review and configure these thresholds by contacting support.
- To learn more, see L7 DDoS Protection.
Core WAF & OWASP Top Threats
You can use this setting to enable StackPath's core policies, as well as OWASP’s most critical web-application security risks.
- To learn more, see our article on Core WAF & OWASP Top Threats.
General Policies
You can use these settings to block requests with missing or invalid user agent strings.
- To learn more, see our article on General Policies.
User-agent policies may block legitimate traffic from tools such as Pingdom, GT Metrix, and Google PageSpeed Insights. As a result, you may need to use the Allow Known Bots setting to allow requests or you may need to create a custom rule.
- To learn more, see WAF Custom Rule Editor.
IP Reputation
You can use these settings to check the source of a request and then allow or block it based on real-time threat intelligence (IP address, source location, and more).
- To learn more, see our article on IP Reputation policies.
Anti-Automation & BOT Protection
You can use these settings to help block bots and other types of non-legitimate automated traffic.
- To learn more, see our article on Anti-Automation & BOT Protection.
Behavioral WAF (Advanced Threat Protection)
You can use these settings to allow or block traffic, based on user behavior and reputation analysis rules.
- To learn more, see our article on Behavioral WAF policies.
CMS Protection
You can use these settings to allow the backend functions of a CMS to work without being blocked or challenged by the WAF.
- To learn more, see our article on CMS Protection.
All Known Bots
You can use these settings to allow or block known bots.
- To learn more, see Enabling and Troubleshooting Bot Protection.
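The following is an added example, not StackPath code, that models how the settings above interact when a request is evaluated: Protect mode enforces policy decisions while Monitor mode only logs them, L7 DDoS rate protection stays active in both modes, configured API endpoints are exempt from Captcha/JavaScript challenges, the General Policies user-agent check blocks requests with a missing or invalid user agent, and Allow Known Bots lets monitoring tools through that the user-agent policy would otherwise challenge. The class and field names (`Waf`, `Request`, `Decision`), the rate threshold, the "looks automated" heuristic and the known-bot list are all assumptions made for illustration; they do not reflect the vendor's real thresholds or bot list.

```python
"""Toy model of WAF mode, API endpoint exclusion, user-agent policy and known-bot
allowlisting. Added example, not StackPath's implementation; all names are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative substrings of monitoring-tool user agents (not the vendor's list).
KNOWN_BOTS = ("Pingdom", "GTmetrix", "Chrome-Lighthouse")


@dataclass
class Request:
    ip: str
    path: str
    user_agent: Optional[str]


@dataclass
class Decision:
    action: str      # "allow", "challenge" or "block"
    reason: str
    enforced: bool   # False when Monitor mode only logged what Protect mode would do


class Waf:
    def __init__(self, mode="protect", api_endpoints=(), block_missing_ua=True,
                 allow_known_bots=True, ddos_threshold=100):
        assert mode in ("monitor", "protect")
        self.mode = mode
        self.api_endpoints = tuple(api_endpoints)
        self.block_missing_ua = block_missing_ua
        self.allow_known_bots = allow_known_bots
        self.ddos_threshold = ddos_threshold   # assumed per-IP request budget for one window
        self.hits = defaultdict(int)           # requests seen per source IP in the window
        self.log = []                          # (request, decision) pairs, both modes

    @staticmethod
    def _looks_automated(ua: str) -> bool:
        # Assumed heuristic: browser user agents start with "Mozilla/"; anything else
        # is treated as a script or tool and would normally receive a challenge.
        return not ua.startswith("Mozilla/")

    def _policy(self, req: Request) -> Optional[Decision]:
        """Ordinary policies: enforced in Protect mode, only logged in Monitor mode."""
        ua = (req.user_agent or "").strip()
        # General Policies: missing or invalid user agent string
        if not ua and self.block_missing_ua:
            return Decision("block", "general-policy: missing user agent", True)
        if len(ua) < 4 or not ua.isprintable():
            return Decision("block", "general-policy: invalid user agent", True)
        # Allow Known Bots: monitoring tools bypass the automation challenge
        if self.allow_known_bots and any(bot in ua for bot in KNOWN_BOTS):
            return Decision("allow", "known-bot: allowed", True)
        # Anti-automation challenge, except on configured API endpoints, whose
        # clients could never solve a Captcha or run the JavaScript validation
        if self._looks_automated(ua):
            if any(req.path.startswith(p) for p in self.api_endpoints):
                return Decision("allow", "api-endpoint: challenge skipped", True)
            return Decision("challenge", "anti-automation: captcha/javascript challenge", True)
        return None

    def evaluate(self, req: Request) -> Decision:
        # L7 DDoS protection runs first and is active regardless of WAF mode
        self.hits[req.ip] += 1
        if self.hits[req.ip] > self.ddos_threshold:
            decision = Decision("block", "l7-ddos: rate threshold exceeded", True)
            self.log.append((req, decision))
            return decision
        decision = self._policy(req) or Decision("allow", "no policy matched", True)
        if self.mode == "monitor" and decision.action != "allow":
            # Monitor mode: record what Protect mode would have done, then let it through
            decision = Decision("allow", f"monitor: would {decision.action} ({decision.reason})", False)
        self.log.append((req, decision))
        return decision

    def monitor_report(self) -> dict:
        """Count logged decisions by reason, the view an operator uses to fine-tune
        rules in Monitor mode before switching to Protect mode."""
        counts = defaultdict(int)
        for _, decision in self.log:
            counts[decision.reason] += 1
        return dict(counts)


if __name__ == "__main__":
    waf = Waf(mode="monitor", api_endpoints=("/api/",), ddos_threshold=3)
    for req in (Request("203.0.113.5", "/", None),                      # constructed sample
                Request("203.0.113.5", "/", "curl/8.0"),
                Request("203.0.113.5", "/api/v1/items", "curl/8.0"),
                Request("203.0.113.9", "/", "Pingdom.com_bot_version_1.4")):
        print(req.path, "->", waf.evaluate(req))
    print(waf.monitor_report())
```

Reading `monitor_report()` after a day of Monitor-mode traffic shows which reasons would have blocked or challenged real users (for example a monitoring tool that is not on the known-bot list), which is exactly the input needed before deciding to add an API endpoint, enable Allow Known Bots, or write a custom rule and then switch to Protect mode.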