AI OnAI Off
Reis Holmes
Reis Holmes  -  DXP
Apr 8, 2020
  6354
(5 votes)

Web Application Firewall (WAF) Rules on DXP

Web Application Firewall (WAF) rules help security within your Digital Experience Platform (DXP).   

What are WAF Rules?

The Web Application Firewall monitors website traffic and filters any traffic it considers illegitimate.

A WAF rule compares an element of a web request against a defined user pattern. If the rule makes a match, the rule applies an action to a website.  In practical terms this could be as simple as:

IF ‘Country’ EQUALS ‘Sweden’ THEN ‘Block’

In this example, web requests that have the Swedish country code are blocked from access to the website.

A more complex example could be:

IF ‘Country’ DOES NOT EQUAL 'Germany' AND 'URI PATH' EQUALS 'api' AND 'Request Method' EQUALS 'POST' THEN 'Block'

In this example, web requests that have a path of 'api' making a 'POST' request and from any country code not matching Germany’s country code is blocked from access to the website.

Over the course of a website development lifecycle, the default WAF ruleset may not completely align with business requirements. Scenarios can arise where there is a need for more rule granularity. Episerver can apply more specific actions on WAF rules.

Should I use custom WAF rules?

You should use WAF rules sparingly, because rules introduce another complexity to website management, and many sites on the DXP platform do not require them.

The general recommendation for the DXP is to perform as much as possible in code. Try to achieve the desired result in your code-base to provide you the most visibility, flexibility, speed, and ease of management for your project. For example, here are some common requests:

  • I would like to lockdown my editor login page to a specific IP address.
  • I would like my integration/pre-production environments to only be visible from my office network.

These requests could be written through WAF rules, but instead you should utilise rewrite rules in your web.config and make the rules part of your code.

See the examples at the end of this article for common requests that can become WAF rules.

How do I use WAF rules?

Visit our support page to see if your query is already answered in our self-help resources. If your query is not answered, and you are an eligible customer or partner, then raise a support ticket, being specific to speed resolution time. It is helpful if you can also cite a business use case to provide further context to what you are trying to accomplish.

It’s helpful to think of a WAF rule as performing either an Allow, Block, or Bypassing a built-in security feature of the firewall.

Examples

Here are some common examples of when a WAF rule could be used. You can use the following templates as examples for how to structure your support query with pseudocode:

  • I am trying to achieve the following result for my site <www.example.com> and would like to know if it this can be performed in code or if it should be performed through WAF rules:

IF 'Country' DOES NOT EQUAL 'Sweden' AND 'URI Path' EQUALS 'api' THEN 'BLOCK'

  • We use an external payment provider with a public IP address of 123.123.123.123 that performs POST attempts to '/payment' on our site. These requests appear to be being blocked by the firewall, can you whitelist our payment provider? Here is the desired result:

IF 'IP Address' EQUALS '123.123.123.123' AND 'URI PATH' EQUALS 'payment' AND 'REQUEST METHOD' EQUALS 'POST' THEN 'Bypass WAF'

  • We use a third-party website crawler for search engine optimizations but it is being CAPTCHA-challenged on our site <www.mysite.com>. The crawler is identifiable through a portion of the user-agent containing 'my-cool-webcrawler-2.2'. Can you please make sure this is allowed?

IF 'User Agent' CONTAINS 'my-cool-webcrawler-2.2' THEN 'Allow'

  • Our website is under constant attack from IP addresses in India. We are a UK business and do not ship outside of the UK.  Can we block India as a country to prevent these attacks from hitting our site?'

IF 'Country' EQUALS 'India' THEN 'BLOCK'

Apr 08, 2020

Comments

Please login to comment.
Latest blogs
Bypassing WAF Blocking in Optimizely CMS 11 with Custom Base64 Properties

Introduction As Optimizely developers, we frequently encounter requirements to allow editors to inject third-party scripts into the head or body of...

Amit Mittal | Mar 2, 2026

Inspect SaaS CMS Packages Without Losing Your Sanity (Package Explorer Update)

Optimizely export packages have quietly become more complex. Inline (nested) blocks in CMS 12 and PaaS solutions weren’t always displayed clearly,...

Allan Thraen | Mar 1, 2026 |

Unstoppable: Insights from Optimizely’s 2026 UK Partner day

Over 150 Optimizely partners met in Shoreditch for the 2026 London Partner Kick Off. The theme was very much Opal with a side order of Optimizely's...

Mark Welland | Feb 27, 2026

What you need to run better experiments today

A practical, end-to-end playbook for higher quality A/B tests: conditional activation, targeting, metrics, power, SRM, and decision discipline.

Hristo Bakalov | Feb 27, 2026 |

See all blogs