WAF rule set update for 2018-08-01 (legacy)
As of July 13, 2020, Fastly's original WAF offering became a legacy product. It will continue to be supported for all existing users. As an alternative, Fastly Next-Gen WAF (powered by Signal Sciences) offers proactive monitoring of and protection against suspicious and anomalous web traffic directed at your applications and origin servers. It can be controlled via the web interface dashboard or application programming interface (API). Contact firstname.lastname@example.org or your Fastly account team to evaluate or move to the Fastly Next-Gen WAF option.
The following information describes the updates and changes to the rule set.
Type of Change
- Introduced new Fastly internal rule 4134010, which mitigates common XXE attacks
- Introduced new Fastly internal rule 4112019, which mitigates CtrlFunc Botnet Attack
- Introduced new Fastly internal rule 4113001, which mitigates suspicious X-Forwarded-Host headers
- Introduced new Fastly internal rule 4113002, which mitigates X-Forwarded-Host and Host headers that do not match
- Introduced new Fastly internal rule 4120010, which detects illegal characters found in the client X-Forwarded-Host header
- Introduced new Fastly internal rule 4120011, which detects illegal characters found in the client X-Forwarded-For header
- Updated OWASP rule 930130 to include additional restricted files
Affected Rule Sets
- Fastly Rules