Web Application and API Protection (WAAP)
Intelligent security for web applications, APIs, and microservices.
Overview
WAAP provides always-on protection at the network edge. It inspects incoming requests and applies dynamic rules to detect and mitigate attacks including OWASP Top 10 vulnerabilities, bot abuse, and Layer-7 DDoS.
Prerequisites
- Domain or endpoint to protect (e.g., app.example.com)
- DNS control for traffic routing (CNAME or load balancer)
- (Optional) SSL/TLS certificate for custom hostname
Step 1: Enable WAAP
- Go to Security > WAAP
- Click Create Protection Instance
- Enter domain to protect (e.g., app.example.com)
- Review and accept default policy or create custom
- Save and wait for Active status
Edge nodes apply rules globally within minutes.
Step 2: Assign Protection Policy
- Navigate to Policies under WAAP
- Choose pre-configured policy:
- Strict Web App
- API Only
- Bot Mitigation
- Duplicate and customize if needed (e.g., app-example-policy)
- Associate policy with protection instance
IP Lists
| List Type | Description |
|---|---|
| Allow-list | Known good IPs (e.g., office IPs) |
| Deny-list | Blocked IPs with optional expiry |
Bot and DDoS Protection
| Setting | Description |
|---|---|
| Bot Management | Detect and challenge automated attacks |
| Layer-7 DDoS | Configure rate thresholds and triggers |
| Browser Validation | JavaScript challenges for suspicious traffic |
API Protection
| Setting | Description |
|---|---|
| Rate Limiting | e.g., 500 requests/minute |
| Schema Validation | Validate incoming requests against the API schema |
| Path Exemptions | Exclude health check endpoints |
Step 4: Custom Rules
- Go to Rules in WAAP dashboard
- Click Create new rule
- Configure:
| Component | Description |
|---|---|
| Name | e.g., Allow-healthcheck |
| Match criteria | URL path, IP range, etc. |
| Action | Allow or Block |
- Save and order rules (exceptions before general blocks)
Step 5: Response Pages
- Define blocked/challenged user experience
- Configure custom branding
- Test by simulating blocked traffic
Step 6: Testing Checklist
| Test | Expected Result |
|---|---|
| Normal request | 200 OK, no challenge |
| High-volume from same IP | Rate limit or bot challenge |
| SQL injection payload | Blocked or challenged |
| API beyond rate limit | Throttled |
| Allow-listed IP | Passes without challenge |
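As an added illustration of the rule ordering in Step 4 and the checks in the Step 6 table (example code, not the product's own engine), the following Python models the evaluation order this page describes: allow-list first, then the 500 requests/minute limit, then custom rules evaluated top to bottom with the first match winning. The IPs, paths and rule names are constructed.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed model of the page's evaluation order (not the product's engine):
# allow-list, then the 500 req/min rate limit, then custom rules top to bottom.
class Rule:
    def __init__(self, name, action, path_prefix=None, ip_range=None):
        self.name, self.action, self.path_prefix = name, action, path_prefix
        self.network = ipaddress.ip_network(ip_range) if ip_range else None

    def matches(self, path, ip):
        if self.path_prefix is not None and not path.startswith(self.path_prefix):
            return False
        return self.network is None or ipaddress.ip_address(ip) in self.network

class Policy:
    def __init__(self, rules, allow_list=(), rate_limit=500, window=60):
        self.rules = list(rules)
        self.allow_list = [ipaddress.ip_network(n) for n in allow_list]
        self.rate_limit, self.window = rate_limit, window
        self.hits = defaultdict(deque)  # client IP -> request timestamps in window

    def evaluate(self, path, ip, now=None):
        now = time.time() if now is None else now
        if any(ipaddress.ip_address(ip) in net for net in self.allow_list):
            return "allow"  # allow-listed IPs pass without challenge
        q = self.hits[ip]
        q.append(now)
        while q[0] <= now - self.window:  # drop hits outside the sliding window
            q.popleft()
        if len(q) > self.rate_limit:
            return "throttle"
        for rule in self.rules:  # first match wins, so exceptions go first
            if rule.matches(path, ip):
                return rule.action
        return "allow"

HEALTHCHECK = Rule("Allow-healthcheck", "allow", path_prefix="/healthz")
BLOCK_ALL = Rule("Block-everything", "block", path_prefix="/")

def ordering_demo(path="/healthz", ip="198.51.100.9"):
    """Verdict for the same request with the exception first vs. last."""
    good, bad = Policy([HEALTHCHECK, BLOCK_ALL]), Policy([BLOCK_ALL, HEALTHCHECK])
    return good.evaluate(path, ip), bad.evaluate(path, ip)

def rate_limit_demo(requests=501, ip="198.51.100.7"):
    """Replay `requests` hits from one IP inside one window; return last verdict."""
    policy = Policy([HEALTHCHECK])
    return [policy.evaluate("/api/orders", ip, now=1000.0 + i * 0.01) for i in range(requests)][-1]
```

`ordering_demo()` returns ("allow", "block"): the same health-check request passes only when the exception precedes the general block, which is why Step 4 says to order exceptions first.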
Monitoring
- Review request volume, blocked requests, challenge rate
- Tune thresholds monthly based on traffic patterns
- Rotate certificates and secrets
- Clean up stale IP list entries
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Legitimate users blocked | Rule too broad | Refine match criteria or reorder |
| API delays | Challenges too aggressive | Lower sensitivity |
| Protection inactive | Config incomplete | Review configuration |
| High false positives | Policy too strict | Customize policy for domain |