Virtual Happy Hour this month, Jun 28, we'll be getting a sneak preview at our soon to launch SaaS CMS!

Try our conversational search powered by Generative AI!

Reis Holmes
Apr 8, 2020
(5 votes)

Web Application Firewall (WAF) Rules on DXP

Web Application Firewall (WAF) rules help security within your Digital Experience Platform (DXP).   

What are WAF Rules?

The Web Application Firewall monitors website traffic and filters any traffic it considers illegitimate.

A WAF rule compares an element of a web request against a defined user pattern. If the rule makes a match, the rule applies an action to a website.  In practical terms this could be as simple as:

IF ‘Country’ EQUALS ‘Sweden’ THEN ‘Block’

In this example, web requests that have the Swedish country code are blocked from access to the website.

A more complex example could be:

IF ‘Country’ DOES NOT EQUAL 'Germany' AND 'URI PATH' EQUALS 'api' AND 'Request Method' EQUALS 'POST' THEN 'Block'

In this example, web requests that have a path of 'api' making a 'POST' request and from any country code not matching Germany’s country code is blocked from access to the website.

Over the course of a website development lifecycle, the default WAF ruleset may not completely align with business requirements. Scenarios can arise where there is a need for more rule granularity. Episerver can apply more specific actions on WAF rules.

Should I use custom WAF rules?

You should use WAF rules sparingly, because rules introduce another complexity to website management, and many sites on the DXP platform do not require them.

The general recommendation for the DXP is to perform as much as possible in code. Try to achieve the desired result in your code-base to provide you the most visibility, flexibility, speed, and ease of management for your project. For example, here are some common requests:

  • I would like to lockdown my editor login page to a specific IP address.
  • I would like my integration/pre-production environments to only be visible from my office network.

These requests could be written through WAF rules, but instead you should utilise rewrite rules in your web.config and make the rules part of your code.

See the examples at the end of this article for common requests that can become WAF rules.

How do I use WAF rules?

Visit our support page to see if your query is already answered in our self-help resources. If your query is not answered, and you are an eligible customer or partner, then raise a support ticket, being specific to speed resolution time. It is helpful if you can also cite a business use case to provide further context to what you are trying to accomplish.

It’s helpful to think of a WAF rule as performing either an Allow, Block, or Bypassing a built-in security feature of the firewall.


Here are some common examples of when a WAF rule could be used. You can use the following templates as examples for how to structure your support query with pseudocode:

  • I am trying to achieve the following result for my site <> and would like to know if it this can be performed in code or if it should be performed through WAF rules:

IF 'Country' DOES NOT EQUAL 'Sweden' AND 'URI Path' EQUALS 'api' THEN 'BLOCK'

  • We use an external payment provider with a public IP address of that performs POST attempts to '/payment' on our site. These requests appear to be being blocked by the firewall, can you whitelist our payment provider? Here is the desired result:


  • We use a third-party website crawler for search engine optimizations but it is being CAPTCHA-challenged on our site <>. The crawler is identifiable through a portion of the user-agent containing 'my-cool-webcrawler-2.2'. Can you please make sure this is allowed?

IF 'User Agent' CONTAINS 'my-cool-webcrawler-2.2' THEN 'Allow'

  • Our website is under constant attack from IP addresses in India. We are a UK business and do not ship outside of the UK.  Can we block India as a country to prevent these attacks from hitting our site?'

IF 'Country' EQUALS 'India' THEN 'BLOCK'

Apr 08, 2020


Please login to comment.
Latest blogs
Enhancing online shopping through Optimizely's personalized product recommendations

In this blog, I have summarized my experience of using and learning product recommendation feature of Optimizely Personalization Artificial...

Hetaxi | Jun 18, 2024

New Series: Building a .NET Core headless site on Optimizely Graph and SaaS CMS

Welcome to this new multi-post series where you can follow along as I indulge in yet another crazy experiment: Can we make our beloved Alloy site r...

Allan Thraen | Jun 14, 2024 | Syndicated blog

Inspect In Index is finally back

EPiCode.InspectInIndex was released 9 years ago . The Search and Navigation addon is now finally upgraded to support Optimizely CMS 12....

Haakon Peder Haugsten | Jun 14, 2024

Change the IP HTTP Header used for geo-lookup in Application Insights


Johan Kronberg | Jun 10, 2024 | Syndicated blog

Copying property values

In this article I’d like to show simple Edit Mode extension for copying property values to other language versions. In one of my previous blogposts...

Grzegorz Wiecheć | Jun 8, 2024 | Syndicated blog

Auto-translate with OpenAI GPT-4o in Optimizely CMS

Improvements for Episerver.Labs.LanguageManager! It's now possible to auto-translate both a page and its children at the same time! Additionally, m...

Tomas Hensrud Gulla | Jun 7, 2024 | Syndicated blog