Web Application Firewall (WAF)

The Web Application Firewall (WAF) is designed to protect web applications from various network attacks, such as Cross-Site Scripting (XSS), SQL Injection, and other threats.

Parameter Description

Parameter NameData TypeRequiredDescription
rule_setsarrayYesList of names of the rule sets that need to be enabled
actionstringYesThe action to take when WAF protection is triggered, options include log (logging), 403 Forbidden (access denied), edge-captcha (OpenResty Edge captcha), redirect (redirection)
sensitivitystringYesWAF protection sensitivity level, options are high, medium, low, none
scorenumberNoCustom sensitivity score when sensitivity is set to none
clearancenumberNoThe validity period after the captcha is triggered, default value is 60 seconds
redirect_urlstringNoThe specified redirect URL when the action is set to redirect
cross_requestsboolNoSet to true to enable cross-request mode. The default value is true, recommended to be set to false
rule_sets_thresholdlistNoSet sensitivity scores individually for each rule set, which must correspond with the rule sets listed in rule_sets

You can choose to use built-in rule sets or customize your WAF ones. Below is a list of available built-in WAF rule sets:

  • scanner_detection
  • protocol_enforcement
  • protocol_attack
  • application_attack_lfi
  • application_attack_rfi
  • application_attack_rce
  • application_attack_php
  • application_attack_nodejs
  • application_attack_xss
  • application_attack_sqli
  • application_attack_session_fixation
  • application_attack_java

Configuration Example

- enable_rule: true
  - op: eq
    var: uri
    val: /waf

      - scanner_detection
      - protocol_enforcement
      - application_attack_xss
      - application_attack_sqli
    sensitivity: medium
    action: "403 Forbidden"
    cross_requests: false

In the example above, WAF is enabled when the request’s URI is /waf, and the enabled rule sets include scanner_detection, protocol_enforcement, application_attack_xss, and application_attack_sqli, with the protection sensitivity level set to medium. Once the WAF protection mechanism is triggered, the action is performed, and the HTTP status code 403 is returned, indicating that the request is forbidden.