Web Application Firewall

StackPath WAF protects your websites, applications, APIs, and more from the Internet’s worst vulnerabilities, threats, and attacks.

How It Works

StackPath WAF provides full-time protection for your websites and applications by analyzing all traffic and only allowing legitimate and authorized access. Simply:

1. Point 2. Review 3. Control 4. Customize
Point your website, application, or API to StackPath Review the standard WAF policies that are active by default Deactivate or customize any standardized policies as desired Create customized WAF rules and IP whitelists and blacklists if necessary

Intelligent Protection

StackPath WAF is designed to require zero-touch configuration, and to continue getting smarter as it is used. Traffic is constantly analyzed to profile behavior, detect inconsistencies, and determine reputation, leveraging advanced intelligence algorithms and expert security analysts. Every attack makes our WAF smarter and even more secure from emerging threats.

Layer 7 DDoS Attacks

All incoming traffic is constantly measured and if a threshold is exceeded an attack is suspected and all traffic is challenged to verify it is coming from a human.

Cross-site Scripting

Block attackers from injecting client-side scripts into web pages to bypass typical access controls and dupe end users.

Automated Traffic (Bots)

State-of-the-art detection technologies, including device fingerprinting, protects against automated traffic with an unparalleled level of precision and control.

SQL Injection

Protect against malicious SQL statements being entered into input fields and executed by an underlying SQL database of a vulnerable website or application.

OWASP Top 10 Threats

Policies protecting against the top ten security threats identified by the Open Web Application Security Project active by default.


Your WAF. Your rules.

StackPath WAF comes with an extensive set of smart policies, but you can create sophisticated rules to meet your specific needs, based on traffic data including URL requested, IP, country, and more, or data from within the StackPath platform such as traffic rates.

Easily Create New Rules

An easy-to-use rules editor makes it simple to select and define rule variables and the actions the rule should put into effect.

Deploy Instantly Worldwide

Custom rules are deployed and activated globally at your push of a button. No more waiting for someone else respond to a ticket or request.


Layer 7 DDoS Protection

StackPath WAF automatically protects against Layer 7 DDoS attacks, the largest and most common types of attacks. The WAF measures and analyzes all traffic coming through it; if a domain threshold, burst threshold, or sub-second burst threshold (all of which can be customized) is exceeded the WAF suspects an attack and challenges traffic to verify it is coming from a human.

Customize Thresholds

Predefined thresholds can be configured per domain, allowing protection to be customized to the domain’s acceptable traffic profile.

White List Traffic Sources

Known legitimate traffic sources, like search engines, are allowed through even during a DDoS attack.


Real-time Monitoring & Analytics

StackPath provides real-time insights into your website traffic and security events.

Real-time Traffic

Get real-time insights into your web application security events.


StackPath provides information about the country and organization your visitors are coming from.

Analyze Security Events

You don’t need to be a security expert to analyze your web application security events, full details about each event are available within the WAF event management.

More Statistics

Information about the top threat actions, origins and the most active rules provide an extra layer of info that will help you get more insights about the malicious traffic that was blocked.


Protection All Around the World

StackPath WAF runs in all of our edge locations around the world, providing your websites and applications global security in one single service.

All PoPs Included

Every edge location of our advanced global network is included with every WAF or Edge Delivery subscription, with no additional charges for using the whole map or any specific region.

Global Threat Intelligence

Any security vulnerability identified by our WAF anywhere in the world  goes into the WAF policies active in all edge locations, implemented and activated in real time.

Toronto Canada Point of Presence
New York United States Point of Presence
Ashburn Virginia Point of Presence
Chicago United States Point of Presence
Atlanta United States Point of Presence
Miami United States Point of Presence
Sao Paulo Brazil Point of Presence
Rio de Janeiro Brazil Point of Presence
Madrid Spain Point of Presence
Milan Italy Point of Presence
Frankfurt Germany Point of Presence
Brussels Belgium Point of Presence
Paris France Point of Presence
Amsterdam The Netherlands Point of Presence
London United Kingdom Point of Presence
Stockholm Sweden Point of Presence
Warsaw Poland Point of Presence
Tokyo Japan Point of Presence
Seoul South Korea Point of Presence
Hong Kong China Point of Presence
Manila Philippines Point of Presence
Singapore Singapore Point of Presence
Sydney Australia Point of Presence
Melbourne Australia Point of Presence
Dallas United States Point of Presence
Denver United States Point of Presence
Phoenix United States Point of Presence
Los Angeles United States Point of Presence
San Francisco United States Point of Presence
San Jose United States Point of Presence
Seattle United States Point of Presence
Sterling Virginia Point of Presence

Need a customized high-volume WAF plan?

Contact us

Get started today

Get CDN, WAF, DNS, and Monitoring all in one package.

Edge Delivery 20

Edge Delivery 20

For professional websites and blogs with standard content and average traffic levels.

  • CDN – 1TB/mo Bandwidth
  • WAF – 5M/mo Requests & 5 Rules
  • DNS – 2M/mo DNS Requests
  • Monitoring – 1 Service
Edge Delivery 200

Edge Delivery 200

For professional websites and blogs with standard content and average traffic levels.

  • CDN – 10TB/mo Bandwidth
  • WAF – 10M/mo Requests & 10 Rules
  • DNS – 5M/mo DNS Requests
  • Monitoring – 5 Services
Edge Delivery 2000

Edge Delivery 2000

For professional websites and blogs with standard content and average traffic levels.

  • CDN – 100TB/mo Bandwidth
  • WAF – 50M/mo Requests & 20 Rules
  • DNS – 10M/mo DNS Requests
  • Monitoring – 10 Services


For professional websites and blogs with standard content and average traffic levels.

  • 10M Requests
  • 5 Custom Rules
  • Free Private SSL Certificate
  • Built-in OWASP & CMS Rules

Easy to Manage

StackPath WAF is designed to allow you to manage and control it on your terms.
Learn more »

Simple Setup

Simple Setup

Our customer portal’s streamlined workflows make setup and management simple. So you can get your WAF up and running fast, and don’t get lost in screens of settings and switches.

Advanced Controls

Advanced Controls

Our API and customer portal gives technical experts access to extremely granular control, from creating sophisticated WAF rules, customizing IP block and allow lists, and more.