SP// web application

Protect your edge.

Precise Threat Identification

Always Up-to-Date

Instant and Easy Setup

Customization and Control

The size, speed, and sophistication of online attacks grow every day. Protect your web applications and APIs with the level of security, simplicity or sophistication, and services that meet your specific needs. SP// WAF delivers enterprise-class protection with little-to-no configuration required and the opportunity to create and tailor your WAF to fit your unique needs.

Application protection

Protect applications, including websites, online games, APIs, and SaaS products, with little to no additional performance overhead or impact on legitimate traffic.

Content protection

Control access to and protect the value of the content you sell or deliver, such as photography, video streams and files, audio streams, and software packages.

DDoS attack mitigation

Block and resolve application-layer DDoS attacks of any size, with unique and comprehensive identification technologies and techniques.

Virtual patching

Quickly and easily protect against newly identified application vulnerabilities that have not yet been patched in your application source code.

Precise threat identification

Unique device-level fingerprinting, diverse DDoS attack profiling, and globally synchronized threat detection and mitigation reduce false positives and catch sophisticated and emerging threats.


Instant and easy setup

Built-in policies created by our expert security team mitigate the most common and dangerous threats, including OWASP Top 10, right out-of-the-box, requiring little-to-no configuration.

Always up to date

Let our around-the-clock security experts update built-in policies in real time to address emerging or increasing threats identified anywhere in the world, requiring no action on your part.


Lower total costs

Altogether, our platform and products can help you reduce total bandwidth consumption, reduce downtime, and increase accessibility, leading to lower operational costs and optimizing your assets’ monetization.

Give your Gaming or Media workloads an edge.

Key features

Built-in Policies

Powerful WAF policies created by our expert team are automatically activated for each WAF site you create—with no action needed from you or additional cost required—addressing vulnerabilities related to OWASP Top 10 threats, CSRF attacks, automation and bot protection, and more.

Anti-Automation Suite / Bot Traffic Protection

Patented technology stops malicious activities—like inventory lockups, scraping and price stealing—from automated tools and bots, identifying and covering tactics and threats including common traffic anomalies, automated clients, domain-specific traffic anomalies, and headless browsers.

Layer-7 DDoS Attack Mitigation

Overlapping layers of threshold rules (domain, burst, sub-second) recognize application layer DDoS attacks and activate the protection of individual or clustered resources, while machine-learned models of normal traffic allow good traffic through even while DDoS attacks are being mitigated.

API Discovery

Automatically scan for, detect, and organize exposed APIs, both authorized and shadow, for your web applications.

Customized Rules Engine

An easy-to-use rules editor lets you create EdgeRules™ that enforce your own policies and automate protection behaviors, including rate limiting, blocking and allowing IP addresses and ranges, and performing CAPTCHA.

Tag-related Rules

Our easy-to-use Custom Rules Editor lets you create rules triggered by tags applied to requests by the SP// WAF. SP// WAF Professional and SP// WAF Enterprise users can even create rules that generate and apply custom tags to requests, and then create rules based on those custom tags, for an exceptional level of customization and control.

Data & Analytics

Built-in monitoring and reports provide real-time visibility of WAF activity, with all the details of any security event available.

Security Insights

Security Insights provide near real-time portal alerts informing users of potential security vulnerabilities and system configuration mismanagement.

IP Spotlight

See all the information we have gathered on any entered IP address, including a calculated Risk Assessment Score and an accounting of known attacks. This increased visibility will help you make a more data-driven decision regarding securing your web presence.

Two Tier Architecture

Our unique two-tiered architecture features a centralized WAF Intelligence Cluster that analyzes traffic data from all requests in all SP// WAF locations and applies that learning and other threat intelligence to determine whether to block or allow new traffic.

Device-level Fingerprinting

Patented device-level fingerprinting technology distinguishes individual devices—not just individual IP addresses—to take a better look at suspicious traffic and reduce false or missed positives in situations like bad devices using different IPs or good devices using “bad” IPs.

SSL Certificate Management

EdgeSSL™, our SSL certificate management solution, lets you move the burden of SSL from your origins and reduce the performance costs of SSL encryption by serving your certificates from the edge. Use your own private SSL certificate uploaded to the StackPath Control Portal, or a free private SSL certificate provided by StackPath.

Custom Pages

Customize the page that SP// WAF serves to suspicious or blocked traffic with your own logo, browser title, page title, and page message, providing your users with a seamless, on-brand experience. Custom pages are easy to create and edit within our control portal on your own or with help from our team.

Learn more about the SP// platform

Powering all of StackPath is a high-performance, fully automated, and completely secure global platform that seamlessly integrates best-in-class orchestration, hardware infrastructure, and network architecture.

Edge locations

73 edge locations strategically deployed where customers’ end-users are most densely concentrated. Unlike legacy providers’, each location is a complete deployment of our computing, networking, and orchestration stack.


Our orchestration engine provisions and manages all aspects of SP// edge IaaS, edge applications, and accounts, and puts the whole StackPath platform at customers’ fingertips via an easy-to-use customer portal and comprehensive APIs.

Edge network

Our multi-dimensional network provides high-speed throughput (with up to 95% of all traffic handed directly to last-mile networks) and exceptional total egress capacity (100+ Tbps). It also keeps data off the public internet as long as possible.


For enterprise pricing please contact sales.

| | $60 / Month | $1,700 / Month | $4,000 / Month |
|---|---|---|---|
| WAF Requests | 1M / Month | 40M / Month | 100M / Month |
| WAF Sites | 1 | 20 | 50 |
| WAF Custom Rules | 3 | 80 | 250 |
| SSL Certificate | 1 / WAF Site | 1 / WAF Site | 1 / WAF Site |
| OWASP Coverage | Included | Included | Included |
| Bot Protection | Included | Included | Included |
| L7 DDoS Attack Mitigation | Included | Included | Included |
| API Security | Included | Included | Included |
| API Discovery | | Included | Included |
| Portal & Analytics | Included | Included | Included |
| All WAF Edge Locations | Included | Included | Included |
| Standard Support* | Included | Included | Included |
| Custom Rules Extension | | Included | Included |
| Advanced Rules | | | Included |
| WAF Professional Services (one time) | | 2 Hours | 4 Hours |
| Customized Sanction Screens | | 1 Set | 2 Sets |
| IP ACLs (Allow/Block) | Available | Available | Available |
| Log Streaming | Additional Fee | Additional Fee | Additional Fee |
| Additional 1M WAF requests | $10 / Month | $5 / Month | $2 / Month |
| Additional WAF Site | $15 / Month | $5 / Month | $1 / Month |
| Additional WAF Custom Rule | $3 / Month | $2 / Month | $1 / Month |
| Additional Customized Sanction Screens | $200 / Set / Month | $175 / Set / Month | $150 / Set / Month |
| Additional WAF Professional Services (4 Hours minimum) | $375 / Hour | $325 / Hour | $300 / Hour |

* See Support page for details and upgrade options.

Learn more about SP// WAF

API docs

Integrate SP// WAF directly into your own products and workflows.

Getting started

Check out easy guides for setting up your StackPath services.

Edge security

Browse content related to edge security, including blog and Edge Academy articles.