Web Application Firewall (WAF) Rules on DXP

Web Application Firewall (WAF) rules help security within your Digital Experience Platform (DXP).   

What are WAF Rules?

The Web Application Firewall monitors website traffic and filters any traffic it considers illegitimate.

A WAF rule compares an element of a web request against a defined user pattern. If the rule makes a match, the rule applies an action to a website.  In practical terms this could be as simple as:

IF ‘Country’ EQUALS ‘Sweden’ THEN ‘Block’

In this example, web requests that have the Swedish country code are blocked from access to the website.

A more complex example could be:

IF ‘Country’ DOES NOT EQUAL 'Germany' AND 'URI PATH' EQUALS 'api' AND 'Request Method' EQUALS 'POST' THEN 'Block'

In this example, web requests that have a path of 'api' making a 'POST' request and from any country code not matching Germany’s country code is blocked from access to the website.

Over the course of a website development lifecycle, the default WAF ruleset may not completely align with business requirements. Scenarios can arise where there is a need for more rule granularity. Episerver can apply more specific actions on WAF rules.

Should I use custom WAF rules?

You should use WAF rules sparingly, because rules introduce another complexity to website management, and many sites on the DXP platform do not require them.

The general recommendation for the DXP is to perform as much as possible in code. Try to achieve the desired result in your code-base to provide you the most visibility, flexibility, speed, and ease of management for your project. For example, here are some common requests:

• I would like to lockdown my editor login page to a specific IP address.
• I would like my integration/pre-production environments to only be visible from my office network.

These requests could be written through WAF rules, but instead you should utilise rewrite rules in your web.config and make the rules part of your code.

See the examples at the end of this article for common requests that can become WAF rules.

How do I use WAF rules?

Visit our support page to see if your query is already answered in our self-help resources. If your query is not answered, and you are an eligible customer or partner, then raise a support ticket, being specific to speed resolution time. It is helpful if you can also cite a business use case to provide further context to what you are trying to accomplish.

It’s helpful to think of a WAF rule as performing either an Allow, Block, or Bypassing a built-in security feature of the firewall.

Examples

Here are some common examples of when a WAF rule could be used. You can use the following templates as examples for how to structure your support query with pseudocode:

• I am trying to achieve the following result for my site <www.example.com> and would like to know if it this can be performed in code or if it should be performed through WAF rules:

IF 'Country' DOES NOT EQUAL 'Sweden' AND 'URI Path' EQUALS 'api' THEN 'BLOCK'

• We use an external payment provider with a public IP address of 123.123.123.123 that performs POST attempts to '/payment' on our site. These requests appear to be being blocked by the firewall, can you whitelist our payment provider? Here is the desired result:

IF 'IP Address' EQUALS '123.123.123.123' AND 'URI PATH' EQUALS 'payment' AND 'REQUEST METHOD' EQUALS 'POST' THEN 'Bypass WAF'

• We use a third-party website crawler for search engine optimizations but it is being CAPTCHA-challenged on our site <www.mysite.com>. The crawler is identifiable through a portion of the user-agent containing 'my-cool-webcrawler-2.2'. Can you please make sure this is allowed?
  

IF 'User Agent' CONTAINS 'my-cool-webcrawler-2.2' THEN 'Allow'

• Our website is under constant attack from IP addresses in India. We are a UK business and do not ship outside of the UK.  Can we block India as a country to prevent these attacks from hitting our site?'

IF 'Country' EQUALS 'India' THEN 'BLOCK'