Web Application Firewall (WAF)

      Last updated July 14, 2020

    The Fastly WAF is a Web Application Firewall (WAF) security product that detects malicious request traffic sent over HTTP and HTTPS. Once properly configured and enabled for a service, the Fastly WAF can help protect against application-layer (layer 7) attacks such as SQL injection, cross-site scripting, and HTTP protocol violations.

    Enabling Fastly WAF doesn't require modifications to your web application or origin servers. Contact our sales team to get started. Once you purchase the Fastly WAF, our customer support team will enable it with a default WAF policy for any service you've provided a service ID for. They will then work closely with you on additional configuration refinements. Once configured, you can then begin monitoring logs to determine which requests to your origin are legitimate and which you should consider blocking.


    All WAF products that exist today, including the Fastly WAF, have several limitations:

    Security products note

    No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. Subscribers should maintain appropriate security controls on all web applications and origins, and the use of Fastly's security products do not relieve subscribers of this obligation. Subscribers should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, and continuously monitor their performance and adjust these services as appropriate to address changes in the Subscriber's web applications, origin services, and configurations of the other aspects of the Subscriber's Fastly services.

    Back to Top