Web Application Firewall

Protect your websites, applications, APIs, and more from common vulnerabilities and advanced, emerging threats, including advanced application layer DDoS protection, OWASP top threats, anti-scraping, brute force, and spam protection.



Plug and play

You don't have to be a WAF policy expert. Our WAF has full protection on by default, and is self-learning and self-evolving. Information about new threats is instantly shared across all WAF protected sites on our network.


Precise protection

Don't block real users. While other WAFs block entire IP ranges, our WAF uses fingerprinting technology to detect a specific device behind an IP address and provide precise protection with a very low false positive rate (the biggest problem of most WAFs).


Made to customize

Make it your own. While our WAF is ready to go, it is also built to be customized with custom WAF rules, rate limits, IP and bot white-/blacklisting, and control over every WAF feature via API.

Cost effective


• 10M Requests
• 5 Custom Rules
• Unlimited Sites
• Free Private SSL Certificate
• Built-in OWASP & CMS Rules


WAF Policy Control

Full security. Simple controls.

StackPath WAF makes setting up and managing your protection profile easy with a clean, clear WAF Policy Control panel. It’s full of security policies ready to be turned on, off, or further configured, and updated regularly with new policies created by our team of security analysts as they identify new and changing threats.

Best of all, your policy changes are pushed immediately, at your push of a button, to all StackPath edge PoPs around the world—no more waiting for someone else to read and respond to a support ticket or request.

Set policies controlling:

• OWASP top threats
• CMS vulnerabilities
• Malicious automated traffic
• Brute force attacks
• Zero day attacks (advanced behavioral analysis)


WAF Rules

Your WAF. Your rules.

With WAF Rules you can create sophisticated rules to meet your specific needs, turn them on or off at will, and track their effect on your traffic. WAF Rules can be based on traffic data including URL requested, IP, country, and more, or data from within the StackPath platform such as traffic rates. Block or allow specific IPs, limit access to your login pages, and even rate limit access to a specific URL or your API.

Best of all, your WAF Rules are deployed and ready to activate immediately, at your push of a button, to all StackPath edge PoPs around the world—no more waiting for someone else to read and respond to a support ticket or request.



Layer on the security.

StackPath WAF automatically protects against Layer 7 DDoS attacks, the largest and most common types of attacks. The WAF measures and analyzes all traffic coming through it; if a domain threshold, burst threshold, or sub-second burst threshold (all of which can be customized) is exceeded, the WAF suspects an attack and challenges traffic to verify that it is coming from a human.

• Predefined thresholds can be configured per domain
• Known search engines will be allowed during a DDoS attack


See right through us.

A real-time dashboard and event management screens give you instant access to live information about your traffic reaching your WAF, letting you view and analyze:

• Real time traffic
• Full security events details
• DDoS L7 statistics
• Top threats & actions
• Most-active rules

Free Private SSL Certificate

Let's give you some privacy.

While other edge services only provide you a shared SSL certificate, a free private StackPath EdgeSSL™ certificate is available for every StackPath WAF site you create. Easy to request and set up, your EdgeSSL certificate is served from our edge nodes, providing faster performance and higher availability by taking that workload off your origin.

• Full 256-bit encryption
• 2048-bit signatures
• Automatic renewal
• Provided in partnership with Sectigo (formerly Comodo CA)

Two-Tier Distributed Intelligence Architecture

Most WAF users don’t think about where their WAF protection is really happening. With our unique architecture, global reach, and massive scale, you don’t need to.

StackPath WAF centralizes security intelligence while decentralizing threat detection and mitigation.

Our WAF Central Intelligence System analyzes large volumes of traffic to profile behavior, detect inconsistencies, and determine reputation, leveraging advanced intelligence algorithms and expert security analysts. Every attack makes our WAF smarter and even more secure from emerging threats.

That intelligence then goes into the WAF policies deployed to our WAF Enforcement Nodes in our edge PoPs around the world, implemented and activated in real time.

  • Higher performance/lower latency
    Your WAF policies are enforced at the edge PoP that’s closest to the incoming traffic, providing faster threat identification and resolution.
  • Worldwide and platform-wide threat intelligence
    Protections against threats identified anywhere in the world and attacking any StackPath customer are applied for all customers in all regions.
  • Real-time updates
    New policies are developed, deployed to every PoP, and activated in real-time, as threats are discovered, mitigating zero-day risks.

Automated Traffic Detection & Protection

Bots and other automation are used in a wide range of attacks, including:

  • Brute force attempts
  • Screen scraping
  • Vulnerability scanning
  • Web form spamming (including comments boards)
  • Automated browser plugins
  • Invalid user agents

While every WAF analyzes traffic to identify and block unauthorized bots and automation, StackPath WAF uses state-of-the-art detection technologies, including device fingerprinting, to protect against automated traffic with an unparalleled level of precision and control. This denies hackers the ability to map sites, plan their attacks, and employ automation. And it delivers strong defense that doesn’t impact legitimate users.

  • Device fingerprinting
    StackPath WAF uses a proprietary technique to profile and then block specific devices that have committed suspicious activities, rather than blocking the entire IP range they have used. That way we don’t block legitimate users that share IP addresses with automated traffic, and blocked bots can’t just change their IP addresses and continue their attacks.
  • Simple action and configuration
    Plain and simple, if we know traffic is good we'll allow it; if we know it's bad, we'll block it. Automated traffic protection details (such as blocking or allowing specific bots) can be customized in Policy Manager, and with WAF EdgeRules you can further customize your traffic profile.

IP Reputation Filtering

Some areas of the Internet are notorious for generating and distributing abusive traffic. Our WAF Central Intelligence System constantly collects, analyzes, and blacklists IP addresses known for or suspected of being hacker-operated botnets, zombie servers in hosting facilities that have been infected with malware, and anonymous proxies used by hackers, spammers, and scrapers.

That intelligence then goes into the WAF policies deployed to our WAF Enforcement Nodes in our edge PoPs around the world, implemented and activated in real time. Traffic with bad IP reputations is challenged to prove it is legitimate and blocked if it fails the challenge. And you can create custom rules to block, challenge, or allow any specific IPs or IP ranges you choose.

  • Block traffic from botnets and anonymous proxies
  • Block traffic from hosting facilities and zombie servers
  • Challenge traffic from IP addresses convicted of bot traffic
  • Challenge traffic from known VPN providers