Reis Holmes
Apr 8, 2020
(5 votes)

Web Application Firewall (WAF) Rules on DXP

Web Application Firewall (WAF) rules help security within your Digital Experience Platform (DXP).   

What are WAF Rules?

The Web Application Firewall monitors website traffic and filters any traffic it considers illegitimate.

A WAF rule compares an element of a web request against a defined user pattern. If the rule makes a match, the rule applies an action to a website.  In practical terms this could be as simple as:

IF ‘Country’ EQUALS ‘Sweden’ THEN ‘Block’

In this example, web requests that have the Swedish country code are blocked from access to the website.

A more complex example could be:

IF ‘Country’ DOES NOT EQUAL 'Germany' AND 'URI PATH' EQUALS 'api' AND 'Request Method' EQUALS 'POST' THEN 'Block'

In this example, web requests that have a path of 'api' making a 'POST' request and from any country code not matching Germany’s country code is blocked from access to the website.

Over the course of a website development lifecycle, the default WAF ruleset may not completely align with business requirements. Scenarios can arise where there is a need for more rule granularity. Episerver can apply more specific actions on WAF rules.

Should I use custom WAF rules?

You should use WAF rules sparingly, because rules introduce another complexity to website management, and many sites on the DXP platform do not require them.

The general recommendation for the DXP is to perform as much as possible in code. Try to achieve the desired result in your code-base to provide you the most visibility, flexibility, speed, and ease of management for your project. For example, here are some common requests:

  • I would like to lockdown my editor login page to a specific IP address.
  • I would like my integration/pre-production environments to only be visible from my office network.

These requests could be written through WAF rules, but instead you should utilise rewrite rules in your web.config and make the rules part of your code.

See the examples at the end of this article for common requests that can become WAF rules.

How do I use WAF rules?

Visit our support page to see if your query is already answered in our self-help resources. If your query is not answered, and you are an eligible customer or partner, then raise a support ticket, being specific to speed resolution time. It is helpful if you can also cite a business use case to provide further context to what you are trying to accomplish.

It’s helpful to think of a WAF rule as performing either an Allow, Block, or Bypassing a built-in security feature of the firewall.


Here are some common examples of when a WAF rule could be used. You can use the following templates as examples for how to structure your support query with pseudocode:

  • I am trying to achieve the following result for my site <> and would like to know if it this can be performed in code or if it should be performed through WAF rules:

IF 'Country' DOES NOT EQUAL 'Sweden' AND 'URI Path' EQUALS 'api' THEN 'BLOCK'

  • We use an external payment provider with a public IP address of that performs POST attempts to '/payment' on our site. These requests appear to be being blocked by the firewall, can you whitelist our payment provider? Here is the desired result:


  • We use a third-party website crawler for search engine optimizations but it is being CAPTCHA-challenged on our site <>. The crawler is identifiable through a portion of the user-agent containing 'my-cool-webcrawler-2.2'. Can you please make sure this is allowed?

IF 'User Agent' CONTAINS 'my-cool-webcrawler-2.2' THEN 'Allow'

  • Our website is under constant attack from IP addresses in India. We are a UK business and do not ship outside of the UK.  Can we block India as a country to prevent these attacks from hitting our site?'

IF 'Country' EQUALS 'India' THEN 'BLOCK'

Apr 08, 2020


Please login to comment.
Latest blogs
Content Graph - Letting GraphQL do all the hard work for you

Background As we have seen before, setting up Content Graph on the CMS side is pretty easy. However, when it comes to the “head” part of the setup,...

| May 26, 2023 | Syndicated blog

Improved headless functionality in Customized Commerce

Did you know that with the release of Content Delivery Commerce API 3.7 we have massively improved the out of the box headless capabilities of...

Marcus Hoffmann | May 25, 2023

Boost Your Productivity with the AI Assistant Addon for Optimizely Content Cloud

In today's fast-paced digital world, efficiency and convenience are paramount. That's why we're excited to introduce the Optimizely AI-Assistant...

Luc Gosso (MVP) | May 25, 2023 | Syndicated blog

Swapcode.Optimizely.AuditLog updated to v1.4.1

If you are using my audit log add-on Swapcode.Optimizely.AuditLog then I suggest that you update it in your solution. I've been waiting now for few...

Antti Alasvuo | May 20, 2023