Is there need for WAF in static website front with REST API
I have two websites:
www.mysite.com --> hosted on S3, served via CloudFront, static single-page app
Then I have api.mysite.com, which the front end uses.
My company is using a WAF solution from a third party, and the current monolith applications are protected by it.
For the new site, I have put api.mysite.com behind the WAF, but I am not sure if I need to put the static site behind the WAF as well or not?
This is mostly regarding protecting the site against DDoS attacks, bots, etc. We had many attacks before, so I want to make sure I do this the right way.
amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall
asked 2 hours ago
Master
1 Answer
While WAF is primarily used to protect active websites, forms, APIs, etc., there is sometimes a need to use WAF in front of public static content as well.
For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking
Another use case may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.
So the answer to your question is: Yes, sometimes WAF may be used for static content. However, these are quite specific use cases, and whether or not it's relevant to your site I can't tell.
On the other hand, even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF, you can turn it on then. It's not necessarily a decision you need to make at the very beginning.
Hope that helps :)
answered 1 hour ago
MLu
Suppose some bot is hitting the landing page 100 times, and that page in turn calls the API 100 times, will the WAF still block him as 100 requests to the API came from his IP?
– Master
1 hour ago
@Master The page doesn't call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn't mean it will make 100 API requests. Quite likely it won't. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
– MLu
1 hour ago
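
The per-IP counting discussed in the comments above, as an added example that is not part of the original thread: a sliding-window rate rule evaluated separately for each hostname over constructed request records. The hostnames come from the question; the IP addresses, paths, limit and window are assumptions, and a real WAF's rate rule may count differently.

```python
from collections import defaultdict, deque

WWW = "www.mysite.com"   # static SPA on S3 + CloudFront (from the question)
API = "api.mysite.com"   # REST API already behind the WAF (from the question)


def rate_limited_ips(requests, host, limit, window_s):
    """Return the IPs that send more than `limit` requests to `host`
    within any sliding window of `window_s` seconds.
    `requests` is an iterable of (epoch_seconds, ip, host, path)."""
    recent = defaultdict(deque)          # ip -> timestamps still in the window
    flagged = set()
    for ts, ip, req_host, _path in sorted(requests):
        if req_host != host:             # a rule only sees its own hostname
            continue
        window = recent[ip]
        window.append(ts)
        while window[0] <= ts - window_s:
            window.popleft()             # drop hits older than the window
        if len(window) > limit:
            flagged.add(ip)
    return flagged


def sample_traffic():
    """Constructed sample traffic, not real logs."""
    reqs = []
    # Scraper: fetches index.html 100 times in 50 s and never runs its
    # JavaScript, so it produces no API requests at all.
    for i in range(100):
        reqs.append((i * 0.5, "198.51.100.7", WWW, "/index.html"))
    # Real browser: one page load, then the SPA makes three API calls.
    reqs.append((10, "203.0.113.20", WWW, "/index.html"))
    for i in range(3):
        reqs.append((11 + i, "203.0.113.20", API, "/v1/items"))
    # Script that skips the page and calls the API directly 100 times.
    for i in range(100):
        reqs.append((i * 0.5, "192.0.2.55", API, "/v1/items"))
    return reqs


if __name__ == "__main__":
    traffic = sample_traffic()
    # Assumed rule: more than 50 requests per IP per 60 s.
    print("flagged on API:", rate_limited_ips(traffic, API, 50, 60))
    print("flagged on WWW:", rate_limited_ips(traffic, WWW, 50, 60))
```

The scraper never appears in the API rule's result because its page loads are counted only against the static hostname; it is flagged only if a rule also watches `www.mysite.com`.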