Web Application Firewall
The WAF automatically blocks common web attacks — SQL injection, XSS, remote code execution, scanners, and more. Enable it with one toggle, then fine-tune with custom rules.
Dashboard Setup & Configuration
You can configure the Web Application Firewall (WAF) directly inside the EdgeWrap Dashboard:
- Navigate to your project in the dashboard at https://app.edgewrap.pro.
- Go to the Security page and select the WAF tab.
- Toggle the WAF switch to Enabled.
- Adjust the Sensitivity Score (0-100) and toggle specific OWASP rulesets (SQLi, XSS, RCE, LFI, Scanners) as needed.
- Add specific IPs, countries, or User-Agents to blocklists or bypass-lists under settings.
API Configuration
Alternatively, you can configure and toggle WAF rules programmatically by sending requests to the control plane:
Enable WAF on your project

```bash
curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_01jxyz \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{ "wafEnabled": true }'
```

200 Success

```json
{
  "success": true,
  "data": {
    "id": "prj_01jxyz",
    "wafEnabled": true
  }
}
```

Note: Once enabled, requests matching OWASP patterns are blocked with a 403 Forbidden. Your origin never sees these requests.

| Param | Type | Description |
|---|---|---|
| sensitivityScore | integer (0–100) | Higher = more aggressive detection. At 100, even suspicious-looking legitimate requests may be blocked. (default: 70) |
| owaspSqlEnabled | boolean | Block SQL injection attacks (default: true) |
| owaspXssEnabled | boolean | Block cross-site scripting (XSS) attacks (default: true) |
| owaspRceEnabled | boolean | Block remote code execution attempts (default: true) |
| owaspLfiEnabled | boolean | Block local file inclusion attempts (default: true) |
| owaspScannerEnabled | boolean | Block automated vulnerability scanners (default: true) |
| blockedIps | string[] | List of IP addresses to always block |
| allowedIps | string[] | List of IPs to always allow (bypass WAF checks entirely) |
| blockedCountries | string[] (ISO-3166-1 alpha-2) | Block all traffic from these countries (e.g. ['CN', 'RU']) |
| blockedUserAgents | string[] | User-Agent substrings to block (e.g. ['sqlmap', 'nikto']) |
| aiAnomalyEnabled | boolean | Use AI to detect unusual request patterns not covered by OWASP rules. Pro+ plans only. (default: false) |
Update WAF configuration

```bash
curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_01jxyz/waf/config \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "sensitivityScore": 75,
    "owaspSqlEnabled": true,
    "owaspXssEnabled": true,
    "owaspRceEnabled": true,
    "owaspLfiEnabled": true,
    "owaspScannerEnabled": true,
    "blockedCountries": ["KP", "CU"],
    "blockedIps": ["1.2.3.4"],
    "allowedIps": ["203.0.113.10"]
  }'
```

200 Success

```json
{
  "success": true,
  "data": {
    "projectId": "prj_01jxyz",
    "sensitivityScore": 75,
    "owaspSqlEnabled": true,
    "owaspXssEnabled": true,
    "blockedCountries": [
      "KP",
      "CU"
    ],
    "blockedIps": [
      "1.2.3.4"
    ]
  }
}
```

Test Your WAF
Use the WAF sandbox in the dashboard or via API to check how a request would be evaluated — without it reaching your origin. Perfect for verifying rules before going live.
Warning: Billing Notice: Sandbox evaluations trigger real request pipelines (including AI analysis if AI Anomaly is active). Each sandbox run counts as 1 request toward your project's billing and usage limits.
Test a request against your WAF

```bash
curl -X POST https://server.edgewrap.pro/v1/projects/prj_01jxyz/waf/sandbox-call \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "/api/users",
    "method": "GET",
    "queryString": "id=1 OR 1=1--"
  }'
```

200 Success

```json
{
  "success": true,
  "data": {
    "decision": {
      "action": "block",
      "reason": "SQL injection pattern detected in query string",
      "threatType": "sql_injection"
    },
    "request": {
      "method": "GET",
      "path": "/api/users",
      "queryString": "id=1 OR 1=1--"
    }
  }
}
```

WAF Decision Values
| action | What Your Client Receives |
|---|---|
| allow | Request passes through to your origin normally |
| challenge | Client receives a JavaScript challenge — bots fail, browsers pass automatically |
| block | 403 Forbidden — your origin is never contacted |
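A small regression suite for the sandbox endpoint, added here as an example and not part of EdgeWrap's own tooling. It sends each constructed case to `/waf/sandbox-call`, compares `decision.action` with what you expect, and counts the calls, since every sandbox run is billed as one request. The `fake_send` transport is an offline stand-in shaped like the sample response above; `post_json` is the real one.

```python
import json
import urllib.request

BASE = "https://server.edgewrap.pro/v1/projects"

# Constructed cases (not from the page): a sandbox-call request body plus the
# decision.action it should produce. The SQLi string is the page's own sample.
CASES = [
    ({"path": "/api/users", "method": "GET", "queryString": "id=1 OR 1=1--"}, "block"),
    ({"path": "/api/users", "method": "GET", "queryString": "id=42"}, "allow"),
    ({"path": "/api/login", "method": "POST", "queryString": ""}, "allow"),
]


def post_json(url, token, payload):
    """Real transport: one JSON POST carrying the session token; returns the parsed body."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fake_send(url, token, payload):
    """Offline stand-in for the sandbox endpoint, shaped like the page's sample response."""
    if " OR 1=1" in payload.get("queryString", ""):
        decision = {"action": "block", "threatType": "sql_injection",
                    "reason": "SQL injection pattern detected in query string"}
    else:
        decision = {"action": "allow"}
    return {"success": True, "data": {"decision": decision, "request": payload}}


def run_sandbox_suite(project_id, token, cases, send=post_json):
    """Push each case through /waf/sandbox-call and compare decision.action with the
    expectation. Every call is billed as one request, so `calls` is reported too."""
    url = f"{BASE}/{project_id}/waf/sandbox-call"
    results = {"passed": [], "failed": [], "calls": 0}
    for request, expected in cases:
        body = send(url, token, request)
        results["calls"] += 1
        decision = body.get("data", {}).get("decision", {})
        entry = {"request": request, "expected": expected,
                 "got": decision.get("action"), "reason": decision.get("reason")}
        results["passed" if entry["got"] == expected else "failed"].append(entry)
    return results


if __name__ == "__main__":
    r = run_sandbox_suite("prj_01jxyz", "<your_session_token>", CASES, send=fake_send)
    print(f"{len(r['passed'])} passed, {len(r['failed'])} failed, {r['calls']} billable calls")
```

Pass `send=post_json` with a real project id and session token to run the same cases against the control plane; the `calls` figure tells you what the run will cost.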
Step 4 — View WAF Events
See every request that was blocked or challenged, with full metadata.
List WAF events (last 20 blocks)

```bash
curl "https://server.edgewrap.pro/v1/projects/prj_01jxyz/waf/events?limit=20" \
  -H "Authorization: Bearer <your_token>"
```

200 Success

```json
{
  "success": true,
  "data": [
    {
      "id": "evt_01jxyz",
      "timestamp": "2026-06-16T08:00:00.000Z",
      "ip": "1.2.3.4",
      "country": "CN",
      "path": "/api/login",
      "method": "POST",
      "action": "block",
      "threatType": "sql_injection",
      "userAgent": "sqlmap/1.7.9"
    }
  ],
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 142
  }
}
```

Step 5 — Add Custom Edge Rules
Go beyond OWASP rules with custom logic. Block or allow requests based on path, method, headers, query params, and more.
| Param | Type | Description |
|---|---|---|
| name | string | A label for this rule |
| priority | integer (1–10000) | Lower number runs first (default: 100) |
| conditions | Condition[] | Match conditions — field, op, value (see below) |
| action | enum | One of: allow, block, challenge, rate_limit, redirect, add_header, cache_override, log |
| actionConfig | object | Action-specific options (e.g. redirect URL, header name/value, TTL) |
| isEnabled | boolean | Toggle rule on or off without deleting it (default: true) |
Condition Fields
| field | Available ops | Example value |
|---|---|---|
| path | equals, starts_with, ends_with, contains, matches | /api/admin |
| method | equals | POST |
| ip | equals, in_cidr | 1.2.3.4 |
| country | equals, in | CN |
| header | equals, contains | User-Agent: curl/7 |
| query_param | equals, contains | debug=true |
| body | contains | UNION SELECT |
Block all requests to /admin from outside your office IP

Because all conditions in a rule are ANDed, a single rule cannot express "path is /admin and IP is not the office". Use two rules instead: the allow rule at priority 1 runs first and passes office traffic through, and the block rule at priority 2 catches every other request to /admin. `<your_office_cidr>` is a placeholder for your office range in CIDR notation.

```bash
# Rule 1 (priority 1, runs first): allow the office range through to /admin
curl -X POST https://server.edgewrap.pro/v1/projects/prj_01jxyz/rules \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Admin office allowlist", "priority": 1, "action": "allow", "isEnabled": true,
    "conditions": [
      { "field": "path", "op": "starts_with", "value": "/admin" },
      { "field": "ip", "op": "in_cidr", "value": "<your_office_cidr>" }
    ]
  }'

# Rule 2 (priority 2): block /admin for every request rule 1 did not match
curl -X POST https://server.edgewrap.pro/v1/projects/prj_01jxyz/rules \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Admin block", "priority": 2, "action": "block", "isEnabled": true,
    "conditions": [ { "field": "path", "op": "starts_with", "value": "/admin" } ]
  }'
```

Tip: Combine multiple conditions in one rule for precise matching. All conditions in a rule must match (AND logic). To create OR logic, create multiple rules with the same priority.
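To check a rule set against the semantics documented above (priority order, AND within a rule, OR across rules) before pushing it, here is a local evaluator written as an added example; it is not EdgeWrap's engine. It implements the documented condition fields and ops over a plain request dict, assumes a `Name: value` split for `header` values and a `name=value` split for `query_param` values as the table's examples suggest, assumes the first firing rule decides, and uses 198.51.100.0/24 as a constructed stand-in for an office range.

```python
import ipaddress
import re

# Constructed rule set (not from the page): priority 1 lets an office range
# (198.51.100.0/24 is a stand-in) reach /admin, priority 2 blocks the rest.
RULES = [
    {"name": "Admin office allowlist", "priority": 1, "isEnabled": True, "action": "allow",
     "conditions": [{"field": "path", "op": "starts_with", "value": "/admin"},
                    {"field": "ip", "op": "in_cidr", "value": "198.51.100.0/24"}]},
    {"name": "Admin block", "priority": 2, "isEnabled": True, "action": "block",
     "conditions": [{"field": "path", "op": "starts_with", "value": "/admin"}]},
]


def match_condition(cond, req):
    """Apply one documented field/op/value condition to a request dict."""
    field, op, value = cond["field"], cond["op"], cond["value"]
    if field == "header":          # page example "User-Agent: curl/7": name, then value
        name, _, value = value.partition(":")
        actual, value = req.get("headers", {}).get(name.strip(), ""), value.strip()
    elif field == "query_param":   # page example "debug=true": name, then value
        name, _, value = value.partition("=")
        actual = req.get("query", {}).get(name, "")
    else:
        actual = req.get(field, "")
    if op == "equals":
        return actual == value
    if op == "starts_with":
        return actual.startswith(value)
    if op == "ends_with":
        return actual.endswith(value)
    if op == "contains":
        return value in actual
    if op == "matches":
        return re.search(value, actual) is not None
    if op == "in":                 # value is a list, e.g. ["CN", "RU"]
        return actual in value
    if op == "in_cidr":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unsupported op {op!r} for field {field!r}")


def evaluate(rules, req, default="allow"):
    """Walk enabled rules in ascending priority; a rule fires only if ALL its conditions
    match (AND), so OR is expressed as several rules. Assumes the first firing rule
    decides (not stated on the page). Returns (action, rule name)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("isEnabled", True) and all(match_condition(c, req) for c in rule["conditions"]):
            return rule["action"], rule["name"]
    return default, None
```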