WAF alternative that can work with CNAMES

One of my customers that had 2 websites configured in a single domain like
Do you use any firewall or WAF to protect your billing system and client sites?


WAF Recommendations

Are there any affordable CDN/WAF alternatives to Sucuri’s WAF service?

waf – AWS WAFv2 Custom Rules

I have to implement AWS WAFv2 on my CloudFront applications. I have been looking into the AWS managed/free rulesets, and I want to understand what kind of custom rulesets I should implement or are generally used as best practice (e.g. 8Kb ruleset and blocking request methods like OPTIONS, DELETE, PUT).

waf – Can a firewall appliance block http requests?

Yes. A firewall appliance (or a firewall application) will be able to distinguish between HTTP and HTTPS requests and, in the case of HTTP requests, will be able to view all the data being transmitted (not just the domain and IP). It can then block or modify any data going through.

You can also do this with HTTPS requests if you have a firewall that supports TLS interception, but then you’ll need to install the firewall appliance’s root certificate into your browser for it to trust it.

reverse proxy – Putting WAF on a loadbalancer?

At the moment, our application servers are directly accessible on the internet, as the following picture shows.

one server who takes it all

With this in mind, it would be awful if a server crashes (hardware failure) or somehow stops doing its work.

To prevent this, I would like to split my application server and put a load balancer in front of it, as the next picture shows. A separate server for the database shows up there; this is not part of the question, just a note that the database will be extracted from the APS too.

load balancer and more AP-servers

Whilst the WAF (ModSecurity for Apache) runs on the application servers at the moment, would you put the WAF on the load balancer in the new configuration? I thought about using NGINX as a proxy/load balancer for it. Or should I leave it on the APS? I am also not sure whether it makes any difference if the TLS termination is done by the APSs or on the load balancer.

Our concerns are most about security, availability and of course performance.

Thank you 🙂

attacks – Layer7 DDoS Protection vs WAF, which should I use?

I have Layer3 DDoS protection, but I want to upgrade it to Layer7 DDoS protection. But when I read about Layer7 DDoS attacks, I see that they are usually HTTP/HTTPS-based attacks. I have two questions:

  1. What are other Layer7 DDoS attacks, e.g. FTP, DNS?
  2. If I use a WAF instead of Layer7 DDoS protection, what will the risks to my system be?
  3. Is using a WAF for DDoS protection a preferred way?

Bypass WAF in Boolean SQL injection that blocked ()

While doing web application pen-testing, I found a Boolean SQL injection vulnerability and confirmed it via:

?id=22 AND 1=1 --+  

?id=22 AND 1=11 --+  

But when I try to extract database names, I find that the WAF blocks my request whenever I put () in the request.

So is there anything I can do to bypass this WAF?

Comodo cWatch or Sucuri WAF

Good Day Fellow Members,

Is there a good place to find WAF rules tested?

I am searching for evaluated WAF rules that cover the OWASP Top 10 and more, to give a web infrastructure decent protection.