WAF features
This document details the core features and configurations available within the STACKIT Web Application Firewall (WAF).
Feature overview & availability
The following table outlines which STACKIT WAF features are currently available and which are still being developed (WIP):
| Feature | API | SDK | Terraform/OpenTofu | Portal |
|---|---|---|---|---|
| Operating modes | Available | Available | WIP | Available |
| Tiered offerings | Available | Available | WIP | WIP |
| Paranoia levels | Available | Available | WIP | WIP |
| Traffic allow-listing (whitelisting) | Available | Available | WIP | WIP |
| Hierarchical rule management | Available | Available | WIP | WIP |
| Managed rule sets | Available | Available | WIP | Available |
| Custom rules | WIP | WIP | WIP | WIP |
Base config
To use the STACKIT WAF you need a STACKIT Content Delivery Network (CDN) distribution as a base. The WAF is tightly bundled with the CDN because it also runs at the edge. It is therefore highly recommended to make use of the STACKIT CDN features.
Before you can configure WAF properties, you must enable the WAF by setting the mode to ENABLED or LOG_ONLY.
If the WAF is not enabled, most properties are not populated.
Operating mode
The operating mode determines how the WAF handles incoming traffic.
| Mode | Description |
|---|---|
| ENABLED | The WAF actively inspects and blocks malicious requests. |
| LOG_ONLY | The WAF inspects requests and logs matches, but never blocks traffic. |
| DISABLED | The WAF is completely off. No inspection occurs. |
Tier types
You can enable the Web Application Firewall (WAF) as an additional service within your CDN distribution. For detailed pricing information, see Billing and costs.
- BASIC: Provides standard WAF features and basic rule sets.
- PREMIUM: Unlocks additional premium-only rules and the ability to create custom rules (custom rules are planned for future release).
Paranoia level
The paranoia level defines how aggressively the WAF evaluates requests. Higher levels are more effective at catching attacks but increase the chance of blocking legitimate traffic (false positives).
Available levels range from least strict to most strict:
- L1 (lowest chance of false positives)
- L2
- L3
- L4 (highest chance of false positives)
Whitelists
Whitelists restrict which requests the distribution accepts. The WAF blocks non-whitelisted requests before they reach the origin.
- Allowed HTTP methods: Restricts the accepted HTTP methods (e.g., `GET`, `POST`, `PUT`).
- Allowed HTTP versions: Restricts the accepted HTTP protocol versions.
- Allowed request content types: Restricts the accepted `Content-Type` headers in request bodies (e.g., `application/json`, `multipart/form-data`). Formats must be `type/subtype` without spaces.
Rule management
You control rule behavior using nine properties divided into three specificity groups: collections, rule groups, and rules.
Specificity hierarchy
The rule levels, from broadest to most specific, are:
- Collections: Broad categories of rules. Currently, the available collections are `@builtin/crs/response` (response rules) and `@builtin/crs/request` (request rules).
- Rule groups: Sub-categories within collections. Call the `ListWafCollections` operation to view the available rule groups.
- Rules: Individual, specific rules.
Precedence and overrides
The precedence of these levels dictates how overlapping configurations are resolved. The order of precedence is (from highest to lowest):
- Rule
- Rule group
- Collection
This means that a more specific setting always overrides a broader one. For example, disabling a collection but activating a specific rule within it will deactivate every rule in that collection except for the explicitly activated one.
Rule selectors
Use the following properties to enable, disable, or log rules at each hierarchy level:
| Level | Enable | Disable | Log-Only |
|---|---|---|---|
| Collections | enabledRuleCollectionIds | disabledRuleCollectionIds | logOnlyRuleCollectionIds |
| Rule groups | enabledRuleGroupIds | disabledRuleGroupIds | logOnlyRuleGroupIds |
| Rules | enabledRuleIds | disabledRuleIds | logOnlyRuleIds |
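To make the precedence rule and the nine selector properties concrete, here is an added example (not STACKIT code) that resolves the effective state of a rule by walking rule, then rule group, then collection, and reproduces the page's case of a disabled collection with one rule re-enabled. The collection ids are the two the page lists; the group and rule ids are constructed placeholders, and the default state when no level selects a rule is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The three states a selector property can assign to an id at any level.
ENABLED, DISABLED, LOG_ONLY = "enabled", "disabled", "log_only"


@dataclass
class WafRuleSelectors:
    """The nine selector properties from the Rule selectors table, grouped by level."""
    enabledRuleCollectionIds: set[str] = field(default_factory=set)
    disabledRuleCollectionIds: set[str] = field(default_factory=set)
    logOnlyRuleCollectionIds: set[str] = field(default_factory=set)
    enabledRuleGroupIds: set[str] = field(default_factory=set)
    disabledRuleGroupIds: set[str] = field(default_factory=set)
    logOnlyRuleGroupIds: set[str] = field(default_factory=set)
    enabledRuleIds: set[str] = field(default_factory=set)
    disabledRuleIds: set[str] = field(default_factory=set)
    logOnlyRuleIds: set[str] = field(default_factory=set)

    def state_at(self, level: str, ident: str) -> str | None:
        """State selected for `ident` at one level ("Rule", "RuleGroup", "RuleCollection"), else None."""
        hits = [state for state, prefix in ((ENABLED, "enabled"), (DISABLED, "disabled"), (LOG_ONLY, "logOnly"))
                if ident in getattr(self, f"{prefix}{level}Ids")]
        if len(hits) > 1:
            # The page does not define an id listed in two states at one level; treat it as a config error.
            raise ValueError(f"{ident!r} is selected as {' and '.join(hits)} at the {level} level")
        return hits[0] if hits else None

    def effective_state(self, collection_id: str, group_id: str, rule_id: str, default: str = ENABLED) -> str:
        """Rule beats rule group beats collection; `default` applies when no level selects the rule
        (assumption: the page does not state the default)."""
        for level, ident in (("Rule", rule_id), ("RuleGroup", group_id), ("RuleCollection", collection_id)):
            state = self.state_at(level, ident)
            if state is not None:
                return state
        return default


def page_example() -> dict[str, str]:
    """The page's worked case: disable the request collection but enable one rule inside it."""
    selectors = WafRuleSelectors(
        disabledRuleCollectionIds={"@builtin/crs/request"},
        enabledRuleIds={"rule-0001"},  # constructed placeholder id, not a real CRS rule id
    )
    return {rid: selectors.effective_state("@builtin/crs/request", "group-a", rid)
            for rid in ("rule-0001", "rule-0002")}
```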
The following log fields are added to the CDN Logs only when an enabled or logged rule is triggered:
| Field | Description |
|---|---|
| WAF action | The decision made by the Web Application Firewall regarding the request. Possible values are: Logged: The request is monitored. Blocked: The request is denied. Allowed: The request is permitted. |
| Timestamp | The exact date and time when the request was made. |
| Rule | The specific WAF rule that triggered the event. For more information, see Rule collections. |
| Message | A detailed message describing the WAF event. |
| URL | The URL of the requested cached resource. |
| Method | The HTTP method used for the request. |
| Country | The country where the request originated. |
| ASN | The Autonomous System Number (ASN) of the network where the request originated. |