Configure eCDN WAF Settings

Protect your storefront by analyzing and interpreting your HTTP/S traffic. The Web Application Firewall (WAF) stops application-level attacks that attempt to exploit code-level vulnerabilities. Configure the security sensitivity level, and decide what action WAF takes when a suspicious web request attempts to access your storefront.

Prerequisite—You must add a hostname to the embedded Content Delivery Network (eCDN), creating a zone, before you can configure the WAF settings. See Creating a Zone.
  1. Select Administration > Embedded CDN Settings > Settings.
  2. Select a zone.
  3. On the WAF tab, select Enabled.
  4. From the dropdown list, select an action.
    • Simulate—Log the event without blocking or challenging the web request.
      Note: For first-time users, we recommend using this mode for at least a week to analyze your incoming traffic. Then review the log files to determine an appropriate action and sensitivity level. See WAF First Time Users.
    • Challenge—If the incoming web request is suspicious, the visitor must respond to a CAPTCHA challenge before proceeding.
    • Block—Stop the request from reaching your server.
  5. From the dropdown list, select a sensitivity level.
    At a higher sensitivity level, WAF is more suspicious of requests and likely blocks more of them. At a lower sensitivity level, WAF is less suspicious and lets through more traffic, including requests that a higher level would treat as suspicious. We recommend using medium or high sensitivity. Use your log analysis to check for false positives (real shoppers detected as bad actors: lower the sensitivity) and false negatives (bad actors not detected: raise the sensitivity).

    HTTP Requests
    • Low—60 and higher
    • Medium—40 and higher
    • High—25 and higher

    Ajax Requests
    • Low—120 and higher
    • Medium—80 and higher
    • High—65 and higher
  6. For one or more dates, select a Time (based on the UTC time zone), and click Request Log.

    When the log file is available for download, an email is sent to your Business Manager email account with a link. Download the log to analyze your traffic and adjust the sensitivity accordingly.
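
As an added example (not Salesforce code), the what-if sweep below applies the thresholds listed in step 5 to a reviewed Simulate-mode log and counts false positives and false negatives at each sensitivity level. It assumes the listed numbers are thresholds on a per-request numeric score; the CSV columns and sample rows are constructed and do not reflect the actual eCDN log format.

```python
import csv
import io

# Thresholds as listed in step 5. Assumption: a request is flagged when its
# score is at or above the threshold for its request type and sensitivity.
THRESHOLDS = {
    "http": {"low": 60, "medium": 40, "high": 25},
    "ajax": {"low": 120, "medium": 80, "high": 65},
}

# Constructed sample, NOT the real eCDN log format. Hypothetical columns:
# kind = http|ajax, score = numeric value logged for the request,
# verdict = the analyst's own label after reviewing the request.
SAMPLE_LOG = """kind,score,verdict
http,12,legit
http,30,legit
http,45,attack
http,70,attack
http,38,attack
ajax,70,legit
ajax,90,legit
ajax,130,attack
ajax,85,attack
"""

def sweep(log_text):
    """Return {level: {"flagged", "false_pos", "false_neg"}} per sensitivity level."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    result = {}
    for level in ("low", "medium", "high"):
        stats = {"flagged": 0, "false_pos": 0, "false_neg": 0}
        for row in rows:
            flagged = int(row["score"]) >= THRESHOLDS[row["kind"]][level]
            if flagged:
                stats["flagged"] += 1
                if row["verdict"] == "legit":
                    stats["false_pos"] += 1  # real shopper would be challenged or blocked
            elif row["verdict"] == "attack":
                stats["false_neg"] += 1      # bad actor would get through
        result[level] = stats
    return result

if __name__ == "__main__":
    for level, stats in sweep(SAMPLE_LOG).items():
        print(f"{level:<6} {stats}")
```

On the constructed sample, Medium leaves one attack undetected and flags one legitimate Ajax request, while High catches every attack at the cost of three false positives.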
