Web Application Firewall

Problem

Your app is exposed to the World Wide Web so that your users can reach it. Unfortunately, not every request is made by a friendly human: bots, crawlers and attackers scan your site for vulnerabilities. Even when they are unsuccessful, those requests are harmful because they eat resources that are meant for your users.

Solution

Instead of running a full-fledged Web Application Firewall, we block the most common automated request patterns.

Basic WAF rules

By default "Basic WAF rules" are enabled; you can disable them in the Dashboard.

Blocked files

  • common dotfiles
  • autodiscover.xml
  • wallet.dat
  • wlwmanifest.xml
  • xmlrpc.php

Blocked file extensions

  • .asp
  • .aspx
  • .cgi
  • .sql
  • .swf

Write your own rules using .htaccess

We intentionally don't block every possible attack we've seen in the past. Some rules may be specific to your use case and are not necessarily required for everyone. Use an .htaccess file to write your own rules.

See our htaccess section for more.
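
One way to add site-specific rules on top of the basic set, as an added example that is not part of the original article or the platform's own configuration. It assumes Apache 2.4 with mod_authz_core and mod_rewrite usable from .htaccess; the file names, extensions and paths are constructed samples to adapt to your app.

```apache
# Added example: every name, extension and path below is a constructed sample.
# Assumption: Apache 2.4 with mod_authz_core and mod_rewrite allowed in .htaccess.

# Deny backup, dump and config leftovers that the basic rules do not cover.
<FilesMatch "\.(bak|old|orig|log|ini)$">
    Require all denied
</FilesMatch>

# Deny dependency manifests in case they end up inside the web root.
<FilesMatch "^(composer\.(json|lock)|package(-lock)?\.json)$">
    Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # This sample site does not run WordPress, so its login and admin probes
    # get a 403 before the request reaches the application.
    RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin(/|$)) [NC]
    RewriteRule ^ - [F]
</IfModule>
```

Keep the rewrite block above your CMS's front-controller rewrite so the deny rule matches first. After deploying, request one of the blocked paths and confirm that the response status is 403.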
