
Web Application Firewall

This feature is available on Enterprise plans.

# Overview

Quickly protect your site from malicious web requests with our Web Application Firewall (WAF), which blocks web attacks with preset rules.

As part of Netlify Advanced Web Security, the Web Application Firewall (WAF) is designed to protect your site without requiring extensive customization.

Note that WAF rules are evaluated after Firewall Traffic Rules and before Rate limiting rules. Learn more about rule precedence.

# Baseline ruleset

Netlify creates, maintains, and updates WAF rules as a managed service for you. The Baseline ruleset is a managed ruleset that detects common attacks we’ve found on our network as well as some common attacks documented by the OWASP Top 10 and the OWASP Core Ruleset.

With minimal configuration, this ruleset is optimized to protect your site from attacks such as:

  • cross-site scripting (XSS)
  • injection attacks
  • remote code execution (RCE)
  • other classes of attacks targeting web applications

If you want to additionally customize web security rules for your site or team’s sites, we recommend creating a traffic rule or rate limiting rule.

# Monitoring

To review changes to your site’s WAF configuration, check out your team audit log.

To monitor suspicious request activity triggered by WAF rules, we recommend setting up a log drain with a third-party log drain provider. Learn more about managing false positives.

# Rule precedence

Netlify Advanced Web Security protects your site in this order:

1. Firewall Traffic Rules: customizable rules for your site or team’s sites to block or allow traffic

2. Web Application Firewall rules: Netlify-managed rules designed to block traffic based on common attack patterns to protect your site with minimal configuration

3. Rate limiting rules: customizable rate limiting rules for your site or team’s sites with custom enforcement actions, such as blocking traffic or rewriting traffic with the rewrite to path action
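To make the evaluation order concrete, here is an added model of the three stages (not Netlify's implementation and not code from this documentation). It assumes a simple shape for each stage: traffic rules keyed by client IP, Baseline WAF rules as regular expressions over the request path and body, and a per-IP request counter for rate limiting. The rule ids, sample IPs and thresholds are constructed for the example. It shows two things the list above states only in words: a request blocked by a traffic rule never reaches the WAF, and in Passive mode a WAF hit is recorded but the request continues to the rate limiting stage.

```python
"""Model of the evaluation order: traffic rules, then WAF, then rate limiting.

Added illustration only; rule shapes, decision names and sample values are
assumptions made for this example, not Netlify's actual implementation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    ip: str
    path: str
    body: str = ""


@dataclass
class Decision:
    action: str                 # "allow", "block" or "rewrite"
    stage: str                  # stage that produced the final decision
    waf_hits: list = field(default_factory=list)  # rule ids that matched
    rewrite_to: str = ""        # target path when action == "rewrite"


# Stage 1: Firewall Traffic Rules (assumed shape: client IP -> action)
TRAFFIC_RULES = {"203.0.113.9": "block"}          # constructed sample

# Stage 2: Baseline WAF rules (assumed shape: rule id -> compiled regex)
WAF_RULES = {
    "xss-1": re.compile(r"<script", re.IGNORECASE),
    "sqli-1": re.compile(r"union\s+select", re.IGNORECASE),
}

# Stage 3: rate limiting with a custom enforcement action
RATE_LIMIT = 3                                     # requests per IP before enforcement
RATE_ACTION = ("rewrite", "/too-many-requests")    # alternative: ("block", "")
_counts = defaultdict(int)


def reset_counters():
    """Clear the rate-limit counters (used between independent scenarios)."""
    _counts.clear()


def evaluate(req, waf_enabled=True, passive=False, excluded=()):
    """Run one request through the three stages and return the Decision."""
    # Stage 1: a traffic-rule block ends evaluation; the WAF never sees it.
    if TRAFFIC_RULES.get(req.ip) == "block":
        return Decision("block", "traffic-rules")

    # Stage 2: WAF. Excluded patterns are assumed to match the whole path.
    hits = []
    path_excluded = any(re.fullmatch(p, req.path) for p in excluded)
    if waf_enabled and not path_excluded:
        subject = f"{req.path} {req.body}"
        hits = [rid for rid, rx in WAF_RULES.items() if rx.search(subject)]
        # Passive mode: record the hits but take no blocking action.
        if hits and not passive:
            return Decision("block", "waf", hits)

    # Stage 3: rate limiting, reached only by requests the WAF let through.
    _counts[req.ip] += 1
    if _counts[req.ip] > RATE_LIMIT:
        action, target = RATE_ACTION
        return Decision(action, "rate-limit", hits, target)
    return Decision("allow", "end", hits)


if __name__ == "__main__":
    print(evaluate(Request("203.0.113.9", "/", "<script>")))
    print(evaluate(Request("198.51.100.4", "/search", "q=<script>")))
    print(evaluate(Request("198.51.100.4", "/search", "q=<script>"), passive=True))
```

Running the module prints one decision per scenario: the first request is stopped at the traffic-rule stage even though its body would have matched a WAF rule, the second is blocked by the WAF, and the third is allowed in Passive mode with the rule id recorded in `waf_hits`, which is exactly what you would expect to see in a log drain while tuning.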

# Configure the Baseline ruleset

As a Team Owner, you can configure WAF rules for a single site at a time in the Netlify UI. To help you monitor requests that trigger rules, we recommend you set up log drains with a third-party provider.

Note that people with the Developer role on your team can check how WAF is configured for a site in the Netlify UI but they cannot configure WAF.

To configure the Baseline ruleset for a site:

  1. For your site, go to .

  2. Under Baseline Ruleset, select Configure.

  3. Select Enabled.

  4. To help prevent false positives, we strongly recommend you enable Passive mode the first time you turn on WAF. This allows our WAF to detect and log requests that trigger rules without enforcing any blocking action. Ensure you’ve set up a log drain with a third-party provider to evaluate requests in more detail.

  5. To confirm, select Save.

If you find any false positives in Passive mode, you can exclude a request pattern or disable a specific WAF rule.

# Manage false positives

As a Team Owner, to help you manage false positives, you can do the following:

  • exclude specific request patterns
  • turn off a specific rule in the Baseline ruleset
  • enable passive mode to review requests that trigger WAF rules without enforcing blocking action

To review which requests triggered WAF rules, we strongly recommend you set up a log drain with a third-party provider. For help setting up a log drain, check out our log drains docs.

# Exclude a request pattern

To exclude a request pattern:

  1. For your site, go to .

  2. Under Baseline Ruleset, select Configure.

  3. Next to Excluded patterns, add the request pattern you want to exclude. For example, exclude requests from a specific API with a request path, such as `/api/.*`.

  4. To confirm, select Save.
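Before adding an exclusion, a practitioner wants two numbers from the Passive-mode logs: which rule and path combinations are generating the hits, and how many of those hits a candidate pattern would silence, including hits on paths that should stay protected. The script below is an added example (not Netlify's code and not from this page) that answers both over a handful of constructed log records. The record format, one JSON object per line with `path`, `rule_id` and `mode` fields, is invented for the example; Netlify's real log drain schema is not described on this page, so map the field names to whatever your provider delivers. Whether an excluded pattern is matched against the whole path or searched as a substring is also an assumption, and the example computes both so you can see how much the difference matters for a pattern like `/api/.*`.

```python
"""Review Passive-mode WAF hits and size a candidate exclusion pattern.

Added example. The log format and the regex-matching semantics are
assumptions; confirm both against your log drain provider and the WAF
configuration before relying on the numbers.
"""
import json
import re
from collections import Counter

# Constructed sample of log drain records (not real Netlify output).
SAMPLE_LOG = """\
{"path": "/api/search", "rule_id": "sqli-1", "mode": "passive"}
{"path": "/api/search", "rule_id": "sqli-1", "mode": "passive"}
{"path": "/blog/how-to-write-sql", "rule_id": "sqli-1", "mode": "passive"}
{"path": "/login", "rule_id": "xss-1", "mode": "passive"}
{"path": "/api/upload", "rule_id": "rce-1", "mode": "passive"}
{"path": "/docs/api/reference", "rule_id": "sqli-1", "mode": "passive"}
"""


def parse_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hits_by_rule_and_path(records):
    """Counter keyed by (rule_id, path) so the noisiest combinations stand out."""
    return Counter((r["rule_id"], r["path"]) for r in records)


def exempted_paths(paths, pattern, anchored=True):
    """Paths an exclusion pattern would exempt from WAF evaluation.

    anchored=True matches the whole path (re.fullmatch); anchored=False
    searches for the pattern anywhere in the path (re.search).
    """
    rx = re.compile(pattern)
    match = rx.fullmatch if anchored else rx.search
    return {p for p in paths if match(p)}


def review_exclusion(records, pattern, anchored=True):
    """Count logged hits the pattern would silence versus hits that remain.

    A large 'silenced' number on paths you did not intend to exempt is the
    signal that the pattern is broader than the false positive it targets.
    """
    paths = {r["path"] for r in records}
    exempt = exempted_paths(paths, pattern, anchored)
    silenced = sum(1 for r in records if r["path"] in exempt)
    return {"silenced": silenced, "remaining": len(records) - silenced,
            "exempted_paths": sorted(exempt)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (rule, path), n in hits_by_rule_and_path(recs).most_common():
        print(f"{n:3d}  {rule:8s} {path}")
    for anchored in (True, False):
        print("anchored" if anchored else "substring",
              review_exclusion(recs, r"/api/.*", anchored))
    # Disabling the single noisy rule instead of excluding a path:
    print("without sqli-1:", sum(1 for r in recs if r["rule_id"] != "sqli-1"))
```

The anchored and substring results differ on `/docs/api/reference`: under substring matching, `/api/.*` also exempts that documentation path, which is the kind of silent loss of coverage the check is meant to catch. The last line shows the alternative the page offers, turning off an individual rule; comparing the remaining hit count under each option is a reasonable way to decide between excluding a pattern and disabling a rule.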

# Disable an individual WAF rule

To deactivate a specific rule from the Baseline ruleset:

  1. Go to .

  2. Under Baseline Ruleset, select Configure.

  3. Select Rules to review rules in the ruleset.

  4. Find the rule you want to disable. Next to the chosen rule, clear the checkbox and repeat this for other rules in the ruleset as needed.

  5. To confirm, select Save.

If you disable the entire ruleset and then re-enable the ruleset, any previously disabled rules will automatically be re-enabled.