Is there need for WAF in static website front with REST API

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite












I have two webistes



  1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP


  2. Then i have api.mysite.com , which the front end uses.


My company is using WAF solution from thirdparty and current monolith applications are protected by it.



For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?



This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way










share|improve this question

























    up vote
    3
    down vote

    favorite












    I have two webistes



    1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP


    2. Then i have api.mysite.com , which the front end uses.


    My company is using WAF solution from thirdparty and current monolith applications are protected by it.



    For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?



    This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way










    share|improve this question























      up vote
      3
      down vote

      favorite









      up vote
      3
      down vote

      favorite











      I have two webistes



      1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP


      2. Then i have api.mysite.com , which the front end uses.


      My company is using WAF solution from thirdparty and current monolith applications are protected by it.



      For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?



      This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way










      share|improve this question













      I have two webistes



      1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP


      2. Then i have api.mysite.com , which the front end uses.


      My company is using WAF solution from thirdparty and current monolith applications are protected by it.



      For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?



      This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way







      amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 2 hours ago









      Master

      333




      333




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.



          For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking



          Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.



          So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.



          On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.



          Hope that helps :)






          share|improve this answer




















          • suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
            – Master
            1 hour ago










          • @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
            – MLu
            1 hour ago










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938605%2fis-there-need-for-waf-in-static-website-front-with-rest-api%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote













          While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.



          For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking



          Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.



          So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.



          On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.



          Hope that helps :)






          share|improve this answer




















          • suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
            – Master
            1 hour ago










          • @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
            – MLu
            1 hour ago














          up vote
          2
          down vote













          While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.



          For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking



          Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.



          So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.



          On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.



          Hope that helps :)






          share|improve this answer




















          • suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
            – Master
            1 hour ago










          • @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
            – MLu
            1 hour ago












          up vote
          2
          down vote










          up vote
          2
          down vote









          While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.



          For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking



          Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.



          So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.



          On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.



          Hope that helps :)






          share|improve this answer












          While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.



          For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking



          Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.



          So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.



          On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.



          Hope that helps :)







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 1 hour ago









          MLu

          3,9281632




          3,9281632











          • suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
            – Master
            1 hour ago










          • @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
            – MLu
            1 hour ago
















          • suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
            – Master
            1 hour ago










          • @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
            – MLu
            1 hour ago















          suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
          – Master
          1 hour ago




          suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
          – Master
          1 hour ago












          @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
          – MLu
          1 hour ago




          @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
          – MLu
          1 hour ago

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938605%2fis-there-need-for-waf-in-static-website-front-with-rest-api%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?