Web Application Firewall

The WAF automatically blocks common web attacks — SQL injection, XSS, remote code execution, scanners, and more. Enable it with one toggle, then fine-tune with custom rules.

Dashboard Setup & Configuration

You can configure the Web Application Firewall (WAF) directly inside the EdgeWrap Dashboard:

  1. Navigate to your project in the dashboard at https://app.edgewrap.pro.
  2. Go to the Security page and select the WAF tab.
  3. Toggle the WAF switch to Enabled.
  4. Adjust the Sensitivity Score (0-100) and toggle specific OWASP rulesets (SQLi, XSS, RCE, LFI, Scanners) as needed.
  5. Add specific IPs, countries, or User-Agents to blocklists or bypass-lists under settings.

API Configuration

Alternatively, you can configure and toggle WAF rules programmatically by sending requests to the control plane:

Enable WAF on your project:

curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_01jxyz \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{ "wafEnabled": true }'

Response (200 Success):

{
  "success": true,
  "data": {
    "id": "prj_01jxyz",
    "wafEnabled": true
  }
}

Note: Once enabled, requests matching OWASP patterns are blocked with a 403 Forbidden. Your origin never sees these requests.
WAF configuration parameters:

| Param | Type | Description | Default |
|---|---|---|---|
| sensitivityScore | integer (0–100) | Higher = more aggressive detection. At 100, even suspicious-looking legitimate requests may be blocked. | 70 |
| owaspSqlEnabled | boolean | Block SQL injection attacks | true |
| owaspXssEnabled | boolean | Block cross-site scripting (XSS) attacks | true |
| owaspRceEnabled | boolean | Block remote code execution attempts | true |
| owaspLfiEnabled | boolean | Block local file inclusion attempts | true |
| owaspScannerEnabled | boolean | Block automated vulnerability scanners | true |
| blockedIps | string[] | List of IP addresses to always block | none |
| allowedIps | string[] | List of IPs to always allow (bypass WAF checks entirely) | none |
| blockedCountries | string[] (ISO-3166-1 alpha-2) | Block all traffic from these countries (e.g. ['CN', 'RU']) | none |
| blockedUserAgents | string[] | User-Agent substrings to block (e.g. ['sqlmap', 'nikto']) | none |
| aiAnomalyEnabled | boolean | Use AI to detect unusual request patterns not covered by OWASP rules [Pro+] | false |
Update WAF configuration:

curl -X PATCH https://server.edgewrap.pro/v1/projects/prj_01jxyz/waf/config \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "sensitivityScore": 75,
    "owaspSqlEnabled": true,
    "owaspXssEnabled": true,
    "owaspRceEnabled": true,
    "owaspLfiEnabled": true,
    "owaspScannerEnabled": true,
    "blockedCountries": ["KP", "CU"],
    "blockedIps": ["1.2.3.4"],
    "allowedIps": ["203.0.113.10"]
  }'

Response (200 Success):

{
  "success": true,
  "data": {
    "projectId": "prj_01jxyz",
    "sensitivityScore": 75,
    "owaspSqlEnabled": true,
    "owaspXssEnabled": true,
    "blockedCountries": [
      "KP",
      "CU"
    ],
    "blockedIps": [
      "1.2.3.4"
    ]
  }
}
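Because allowedIps bypasses the WAF entirely, a typo in that list or an address that also appears in blockedIps is worth catching before the PATCH goes out. The following pre-flight validator is an added example, not EdgeWrap's own code or client library; it checks a config payload against the constraints the parameter table states (score range, boolean toggles, ISO-3166-1 alpha-2 codes, well-formed IPs) and adds one rule of its own: an address may not be both allowed and blocked. GOOD_CONFIG is the payload from the call above; BAD_CONFIG is a constructed one with four mistakes.

```python
"""Pre-flight checks for an EdgeWrap WAF config payload.

Added example, not EdgeWrap's own code or client library. It validates the
JSON body before it goes out with `curl -X PATCH .../waf/config`, using only
the constraints the parameter table states (sensitivityScore 0-100, boolean
toggles, ISO-3166-1 alpha-2 country codes, IP address lists). The overlap
check between allowedIps and blockedIps is this example's own safety rule:
allowedIps bypasses the WAF entirely, so an address on both lists is almost
certainly a mistake.
"""
import ipaddress
import re

BOOL_PARAMS = (
    "owaspSqlEnabled", "owaspXssEnabled", "owaspRceEnabled",
    "owaspLfiEnabled", "owaspScannerEnabled", "aiAnomalyEnabled",
)
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")

# The payload from the documentation's "Update WAF configuration" call.
GOOD_CONFIG = {
    "sensitivityScore": 75,
    "owaspSqlEnabled": True, "owaspXssEnabled": True, "owaspRceEnabled": True,
    "owaspLfiEnabled": True, "owaspScannerEnabled": True,
    "blockedCountries": ["KP", "CU"],
    "blockedIps": ["1.2.3.4"],
    "allowedIps": ["203.0.113.10"],
}

# Constructed payload with four distinct mistakes.
BAD_CONFIG = {
    "sensitivityScore": 120,                 # out of range
    "blockedCountries": ["usa"],             # not alpha-2
    "blockedIps": ["1.2.3.4", "not-an-ip"],  # malformed address
    "allowedIps": ["1.2.3.4"],               # also in blockedIps
}


def validate_waf_config(cfg: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload is clean."""
    problems = []

    score = cfg.get("sensitivityScore")
    if score is not None and (
        isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100
    ):
        problems.append(f"sensitivityScore must be an integer 0-100, got {score!r}")

    for key in BOOL_PARAMS:
        if key in cfg and not isinstance(cfg[key], bool):
            problems.append(f"{key} must be true or false, got {cfg[key]!r}")

    for key in ("blockedIps", "allowedIps"):
        for item in cfg.get(key, []):
            try:
                ipaddress.ip_address(item)
            except ValueError:
                problems.append(f"{key}: {item!r} is not a valid IP address")

    for code in cfg.get("blockedCountries", []):
        if not COUNTRY_RE.match(str(code)):
            problems.append(f"blockedCountries: {code!r} is not ISO-3166-1 alpha-2")

    for ua in cfg.get("blockedUserAgents", []):
        if not isinstance(ua, str) or not ua.strip():
            problems.append(f"blockedUserAgents: {ua!r} is empty or not a string")

    # This example's own rule: an address cannot be both bypassed and blocked.
    for ip in sorted(set(cfg.get("allowedIps", [])) & set(cfg.get("blockedIps", []))):
        problems.append(f"{ip} appears in both allowedIps and blockedIps")

    return problems


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, "->", validate_waf_config(cfg) or "ok")
```

Run it on the JSON you are about to send and refuse to PATCH when the list is non-empty; the boolean check deliberately rejects `True` as a sensitivityScore because Python treats bool as an int.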

Test Your WAF

Use the WAF sandbox in the dashboard or via API to check how a request would be evaluated — without it reaching your origin. Perfect for verifying rules before going live.

Billing notice: Sandbox evaluations run the real request pipeline (including AI analysis if AI Anomaly is active). Each sandbox run counts as 1 request toward your project's billing and usage limits.

Test a request against your WAF:

curl -X POST https://server.edgewrap.pro/v1/projects/prj_01jxyz/waf/sandbox-call \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "/api/users",
    "method": "GET",
    "queryString": "id=1 OR 1=1--"
  }'

Response (200 Success):

{
  "success": true,
  "data": {
    "decision": {
      "action": "block",
      "reason": "SQL injection pattern detected in query string",
      "threatType": "sql_injection"
    },
    "request": {
      "method": "GET",
      "path": "/api/users",
      "queryString": "id=1 OR 1=1--"
    }
  }
}

WAF Decision Values

| action | What your client receives |
|---|---|
| allow | Request passes through to your origin normally |
| challenge | Client receives a JavaScript challenge — bots fail, browsers pass automatically |
| block | 403 Forbidden — your origin is never contacted |

Step 4 — View WAF Events

See every request that was blocked or challenged, with full metadata.

List WAF events (last 20 blocks):

curl "https://server.edgewrap.pro/v1/projects/prj_01jxyz/waf/events?limit=20" \
  -H "Authorization: Bearer <your_session_token>"

Response (200 Success):

{
  "success": true,
  "data": [
    {
      "id": "evt_01jxyz",
      "timestamp": "2026-06-16T08:00:00.000Z",
      "ip": "1.2.3.4",
      "country": "CN",
      "path": "/api/login",
      "method": "POST",
      "action": "block",
      "threatType": "sql_injection",
      "userAgent": "sqlmap/1.7.9"
    }
  ],
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 142
  }
}
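The events feed is most useful when it is summarised: which threat types are hitting the project, which source IPs keep coming back (candidates for blockedIps after review), and how many pages the meta block implies you still need to fetch. The script below is an added example, not EdgeWrap code; it works on the `data` array and `meta` object in the documented shape. The events are constructed sample data (only the first mirrors the response above; the threatType values "xss", "scanner" and "lfi" are assumed names, not taken from the documentation).

```python
"""Summarise EdgeWrap WAF events to spot repeat offenders.

Added example; not EdgeWrap code. It consumes the `data` array and `meta`
object returned by GET /v1/projects/<id>/waf/events (shape taken from the
documentation). Events below are constructed samples, not real traffic, and
the threatType values other than "sql_injection" are assumed names.
"""
from collections import Counter

# Constructed sample events in the documented response shape.
SAMPLE_EVENTS = [
    {"id": "evt_01", "timestamp": "2026-06-16T08:00:00.000Z", "ip": "1.2.3.4",
     "country": "CN", "path": "/api/login", "method": "POST", "action": "block",
     "threatType": "sql_injection", "userAgent": "sqlmap/1.7.9"},
    {"id": "evt_02", "timestamp": "2026-06-16T08:00:05.000Z", "ip": "1.2.3.4",
     "country": "CN", "path": "/api/users", "method": "GET", "action": "block",
     "threatType": "sql_injection", "userAgent": "sqlmap/1.7.9"},
    {"id": "evt_03", "timestamp": "2026-06-16T08:01:00.000Z", "ip": "1.2.3.4",
     "country": "CN", "path": "/search", "method": "GET", "action": "block",
     "threatType": "xss", "userAgent": "sqlmap/1.7.9"},
    {"id": "evt_04", "timestamp": "2026-06-16T08:02:00.000Z", "ip": "198.51.100.7",
     "country": "US", "path": "/api/login", "method": "POST", "action": "challenge",
     "threatType": "scanner", "userAgent": "nikto/2.1.6"},
    {"id": "evt_05", "timestamp": "2026-06-16T08:03:00.000Z", "ip": "203.0.113.9",
     "country": "DE", "path": "/wp-admin", "method": "GET", "action": "block",
     "threatType": "lfi", "userAgent": "Mozilla/5.0"},
]
SAMPLE_META = {"page": 1, "limit": 20, "total": 142}


def threat_breakdown(events):
    """Count events per (action, threatType) pair."""
    return Counter((e["action"], e["threatType"]) for e in events)


def repeat_offenders(events, min_blocks=2):
    """IPs with at least `min_blocks` blocked events, most active first.
    These are candidates for the blockedIps list after manual review."""
    blocks = Counter(e["ip"] for e in events if e["action"] == "block")
    return [(ip, n) for ip, n in blocks.most_common() if n >= min_blocks]


def user_agents_seen(events):
    """Distinct User-Agent strings on blocked or challenged requests, sorted."""
    return sorted({e["userAgent"] for e in events})


def pages_needed(meta):
    """How many pages a full export needs, from the meta block (ceil division)."""
    return (meta["total"] + meta["limit"] - 1) // meta["limit"]


if __name__ == "__main__":
    for (action, threat), n in threat_breakdown(SAMPLE_EVENTS).most_common():
        print(f"{action:10} {threat:15} {n}")
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
    print("user agents:", user_agents_seen(SAMPLE_EVENTS))
    print("pages to fetch:", pages_needed(SAMPLE_META))
```

Feed it the parsed JSON of each page (`response["data"]`) and raise `min_blocks` as traffic volume grows; a single block is noise, a dozen from one address in a minute is a pattern.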

Step 5 — Add Custom Edge Rules

Go beyond OWASP rules with custom logic. Block or allow requests based on path, method, headers, query params, and more.

| Param | Type | Description | Default |
|---|---|---|---|
| name | string | A label for this rule | |
| priority | integer (1–10000) | Lower number runs first | 100 |
| conditions | Condition[] | Match conditions: field, op, value (see below) | |
| action | enum | allow, block, challenge, rate_limit, redirect, add_header, cache_override, log | |
| actionConfig | object | Action-specific options (e.g. redirect URL, header name/value, TTL) | |
| isEnabled | boolean | Toggle the rule on or off without deleting it | true |

Condition Fields

| field | Available ops | Example value |
|---|---|---|
| path | equals, starts_with, ends_with, contains, matches | /api/admin |
| method | equals | POST |
| ip | equals, in_cidr | 1.2.3.4 |
| country | equals, in | CN |
| header | equals, contains | User-Agent: curl/7 |
| query_param | equals, contains | debug=true |
| body | contains | UNION SELECT |
Block all requests to /admin from outside your office IP:

Conditions are ANDed and there is no negated op for ip, so "everyone except the office" takes two rules: an allow rule that runs first for the office network, then a block rule for every other /admin request. The CIDR 203.0.113.0/24 is a placeholder for your own range. This assumes that an allow decision ends rule evaluation for that request, so office traffic never reaches the block rule.

curl -X POST https://server.edgewrap.pro/v1/projects/prj_01jxyz/rules \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Admin IP allowlist",
    "priority": 1,
    "conditions": [
      { "field": "path", "op": "starts_with", "value": "/admin" },
      { "field": "ip", "op": "in_cidr", "value": "203.0.113.0/24" }
    ],
    "action": "allow",
    "isEnabled": true
  }'

curl -X POST https://server.edgewrap.pro/v1/projects/prj_01jxyz/rules \
  -H "Authorization: Bearer <your_session_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Admin block",
    "priority": 2,
    "conditions": [
      { "field": "path", "op": "starts_with", "value": "/admin" }
    ],
    "action": "block",
    "isEnabled": true
  }'

Tip: Combine multiple conditions in one rule for precise matching. All conditions in a rule must match (AND logic). To create OR logic, create multiple rules with the same priority.
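Priority ordering and AND logic are easy to get wrong, and every sandbox call is billed, so it pays to simulate a rule set locally first. The evaluator below is an added example, not EdgeWrap's rule engine: it implements the documented fields and ops (equals, starts_with, ends_with, contains, matches, in_cidr, in), ANDs the conditions of a rule, and walks rules by ascending priority. Several details the documentation leaves open are assumptions here and are marked as such in the code: the first enabled rule whose conditions all match decides, an unmatched request is allowed, `matches` is a regular expression, `in` takes a list, and header / query_param conditions compare against "Name: value" / "name=value" strings as in the table's example values. The rules and requests are constructed samples; the CIDR is a placeholder.

```python
"""Offline simulator for EdgeWrap custom edge rules.

Added example, not EdgeWrap's rule engine. It implements the condition fields
and ops from the documentation (equals, starts_with, ends_with, contains,
matches, in_cidr, in), AND logic within a rule, and priority ordering (lower
number first), so a rule set can be sanity-checked before it is POSTed.
Assumptions not spelled out in the documentation: the first enabled rule whose
conditions all match decides the request, a request matching no rule is
allowed, `matches` is a regular expression, `in` takes a list, and header /
query_param conditions compare against "Name: value" / "name=value" strings.
Rules and requests below are constructed samples.
"""
import ipaddress
import re


def _actual(req, field, value):
    """Pull the request attribute a condition refers to."""
    if field in ("path", "method", "ip", "country", "body"):
        return req.get(field, "")
    if field == "header":                        # value looks like "User-Agent: curl/7"
        name = value.partition(":")[0].strip()
        return f"{name}: {req.get('headers', {}).get(name.lower(), '')}"
    if field == "query_param":                   # value looks like "debug=true"
        name = value.partition("=")[0]
        return f"{name}={req.get('query', {}).get(name, '')}"
    raise ValueError(f"unknown field {field!r}")


def condition_matches(cond, req):
    """Apply one documented op to the request attribute it names."""
    op, value = cond["op"], cond["value"]
    actual = _actual(req, cond["field"], value)
    if op == "equals":
        return actual == value
    if op == "starts_with":
        return actual.startswith(value)
    if op == "ends_with":
        return actual.endswith(value)
    if op == "contains":
        return value in actual
    if op == "matches":                          # assumed: regular expression
        return re.search(value, actual) is not None
    if op == "in":                               # assumed: value is a list
        return actual in value
    if op == "in_cidr":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    raise ValueError(f"unknown op {op!r}")


def evaluate(rules, req, default="allow"):
    """Return (action, rule name) of the first matching enabled rule, by priority.
    Assumed: first match wins; no match falls through to `default`."""
    for rule in sorted(rules, key=lambda r: r.get("priority", 100)):
        if not rule.get("isEnabled", True):
            continue
        if all(condition_matches(c, req) for c in rule["conditions"]):
            return rule["action"], rule["name"]
    return default, None


# Constructed rule set: admin area reachable only from the office network,
# curl-based clients challenged on the API. 203.0.113.0/24 is a placeholder.
RULES = [
    {"name": "Admin IP allowlist", "priority": 1, "action": "allow", "conditions": [
        {"field": "path", "op": "starts_with", "value": "/admin"},
        {"field": "ip", "op": "in_cidr", "value": "203.0.113.0/24"}]},
    {"name": "Admin block", "priority": 2, "action": "block", "conditions": [
        {"field": "path", "op": "starts_with", "value": "/admin"}]},
    {"name": "Disabled country block", "priority": 3, "action": "block", "isEnabled": False,
     "conditions": [{"field": "country", "op": "in", "value": ["KP", "CU"]}]},
    {"name": "Challenge curl clients", "priority": 50, "action": "challenge", "conditions": [
        {"field": "path", "op": "starts_with", "value": "/api"},
        {"field": "header", "op": "contains", "value": "User-Agent: curl/7"}]},
]

# Constructed requests; header names are stored lower-cased.
OFFICE_ADMIN = {"path": "/admin/users", "method": "GET", "ip": "203.0.113.50", "country": "DE"}
OUTSIDE_ADMIN = {"path": "/admin", "method": "GET", "ip": "198.51.100.7", "country": "KP"}
CURL_API = {"path": "/api/users", "method": "GET", "ip": "198.51.100.8", "country": "US",
            "headers": {"user-agent": "curl/7.81.0"}}
BROWSER_HOME = {"path": "/", "method": "GET", "ip": "198.51.100.9", "country": "KP",
                "headers": {"user-agent": "Mozilla/5.0"}}

if __name__ == "__main__":
    for req in (OFFICE_ADMIN, OUTSIDE_ADMIN, CURL_API, BROWSER_HOME):
        print(req["path"], req["ip"], "->", evaluate(RULES, req))
```

Note what the disabled rule shows: BROWSER_HOME comes from a blocked country but is allowed, because `isEnabled: false` removes a rule from evaluation without deleting it, exactly the toggle the parameter table describes. Once the simulated decisions look right, confirm a handful of them against the sandbox endpoint rather than the whole matrix.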