Web Application Firewall (WAF)

      Last updated July 14, 2020

    The Fastly WAF is a Web Application Firewall (WAF) security product that detects malicious request traffic sent over HTTP and HTTPS. Once properly configured and enabled for a service, the Fastly WAF can help protect against application-layer (layer 7) attacks such as SQL injection, cross-site scripting, and HTTP protocol violations.

    Enabling Fastly WAF doesn't require modifications to your web application or origin servers. Contact our sales team to get started. Once you purchase the Fastly WAF, our customer support team will enable it with a default WAF policy for any service you've provided a service ID for. They will then work closely with you on additional configuration refinements. Once configured, you can then begin monitoring logs to determine which requests to your origin are legitimate and which you should consider blocking.


    All WAF products that exist today, including the Fastly WAF, have several limitations:

    Security products note

    No security product, such as a WAF or DDoS mitigation product, including those security services offered by Fastly, will detect or prevent all possible attacks or threats. As a subscriber, you should maintain appropriate security controls on all web applications and origins. The use of Fastly's security products do not relieve you of this obligation. As a subscriber, you should test and validate the effectiveness of Fastly's security services to the extent possible prior to deploying these services in production, continuously monitor their performance, and adjust these services as appropriate to address changes in your web applications, origin services, and configurations of the other aspects of your Fastly services.

    Back to Top