Protect your websites, applications, APIs, and more from common vulnerabilities and advanced, emerging threats, including advanced application layer DDoS protection, OWASP top threats, anti-scraping, brute force, and spam protection.
First Month Free
Sign Up Now
No credit card required.
Plug and play
You don't have to be a WAF policy expert. Our WAF has full protection on by default, and is self-learning and self-evolving. Information about new threats is instantly shared across all WAF protected sites on our network.
Don't block real users. While other WAFs block entire IP ranges, our WAF uses fingerprinting technology to detect a specific device behind an IP address and provide precise protection with a very low false positive rate (the biggest problem of most WAFs).
Made to customize
Make it your own. While our WAF is ready to go, it also is made to customize with custom WAF rules, rate limits, IP and bot white-/blacklisting, and control over every WAF feature via API.
StackPath WAF makes setting up and managing your protection profile easy with a clean, clear WAF Policy Control panel. It’s full of security policies ready to be turned on, off, or further configured, and updated regularly with new policies created by our team of security analysts as they identify new and changing threats.
Best of all, your policy changes are pushed immediately, at your push of a button, to all StackPath edge PoPs around the world—no more waiting for someone else to read and respond to a support ticket or request.
Set policies controlling:
• OWASP top threats • CMS vulnerabilities • Malicious automated traffic • Brute force attacks • Zero day attacks (advanced behavioral analysis)
With WAF Rules you can create sophisticated rules to meet your specific needs, turn them on or off at will, and track their effect on your traffic. WAF Rules can be based on traffic data including URL requested, IP, country, and more, or data from within the StackPath platform such as traffic rates. Block or allow specific IPs, limit access to your login pages, and even rate limit access to a specific URL or your API.
Best of all, your WAF Rules are deployed and ready to activate immediately, at your push of a button, to all StackPath edge PoPs around the world—no more waiting for someone else to read and respond to a support ticket or request.
StackPath WAF automatically protects against Layer 7 DDoS attacks, the largest and most common types of attacks. The WAF measures and analyzes all traffic coming through it; if a domain threshold, burst threshold, or sub-second burst threshold (all of which can be customized) is exceeded the WAF suspects an attack and challenges traffic to verify it is coming from a human.
• Predefined thresholds can be configured per domain • Known search engines will be allowed during a DDoS attack
WAF TRAFFIC MONITORING & ANALYTICS
See right through us.
A real-time dashboard and event management screens give you instant access to live information about your traffic reaching your WAF, letting you view and analyze:
• Real time traffic • Full security events details • DDoS L7 statistics • Top threats & actions • Most-active rules
Free Private SSL Certificate
Let's give you some privacy.
While other edge services only provide you a shared SSL certificate, a free private StackPath EdgeSSL™ certificate is available for every StackPath WAF site you create. Easy to request and setup, your EdgeSSL certificate is served from our edge nodes, providing faster performance and higher availability by taking that workload off of your origin.
• Full 256-bit encryption • 2048-bit signatures • Automatic renewal • Provided in partnership with Sectigo (formerly Comodo CA)
01Two-Tier Distributed Intelligence Architecture
02Automated Traffic Detection & Protection
03IP Reputation Filtering
Two-Tier Distributed Intelligence Architecture
Most WAF users don’t think about where their WAF protection is really happening. With our unique architecture, global reach, and massive scale, you don’t need to.
StackPath WAF centralizes security intelligence while decentralizing threat detection and mitigation.
Our WAF Central Intelligence System analyzes large volumes of traffic to profile behavior, detect inconsistencies, and determine reputation, leveraging advanced intelligence algorithms and expert security analysts. Every attack makes our WAF smarter and even more secure from emerging threats.
That intelligence then goes into the WAF policies deployed to our WAF Enforcement Nodes in our edge PoPs around the world, implemented and activated in real time.
Higher performance/lower latency Your WAF policies are enforced at the edge PoP that’s closest to the incoming traffic, providing faster threat identification and resolution.
Worldwide and platform-wide threat intelligence Protections against threats identified anywhere in the world and attacking any StackPath customer are applied for all customers in all regions.
Real-time updates New policies are developed, deployed to every PoP, and activated in real-time, as threats are discovered, mitigating zero-day risks.
Automated Traffic Detection & Protection
Bots and other automation are used in a wide-range of attacks, including:
Brute force attempts
Web form spamming (including comments boards)
Automated browser plugins
Invalid user agents
While every WAF analyzes traffic to identify and block unauthorized bots and automation, StackPath WAF uses state-of-the-art detection technologies, including device fingerprinting, to protect against automated traffic with an unparalleled level of precision and control. This denies hackers the ability to map sites, plan their attacks, and employ automation. And it delivers strong defense that doesn’t impact legitimate users.
Device fingerprinting StackPath WAF uses a proprietary technique to profile and then block specific devices that have committed suspicious activities, rather than blocking the entire IP range they have used. That way we don’t block legitimate users that share IP addresses with automated traffic, and blocked bots can’t just change their IP addresses and continue their attacks.
Simple action and configuration Plain and simple, if we know traffic is good we'll allow it; if we know it's bad, we'll block it. Automated traffic protection details can be customized Policy Manager—such as blocking or allowing specific bots—and with WAF EdgeRules you can further customize your traffic profile.
IP Reputation Filtering
Some areas of the Internet are notorious for generating and distributing abusive traffic. Our WAF Central Intelligence System constantly collects, analyzes, and blacklists IP addresses known for or suspected of being hacker-operated botnets, zombie servers in hosting facilities that have been infected with malware, and anonymous proxies used by hackers, spammers, and scrapers.
That intelligence then goes into the WAF policies deployed to our WAF Enforcement Nodes in our edge PoPs around the world, implemented and activated in real time. Traffic with bad IP reputations is challenged to prove it is legitimate and blocked if it fails the challenge. And you can create custom rules to block, challenge, or allow any specific IPs or IP ranges you choose.
Block traffic from botnets and anonymous proxies
Block traffic from hosting facilities and zombie servers
Challenge traffic from IP addresses convicted of bot traffic