Is there need for WAF in static website front with REST API











I have two websites:

  1. www.mysite.com --> hosted on S3, served via CloudFront; a static single-page app

  2. Then I have api.mysite.com, which the front end uses.

My company is using a WAF solution from a third party, and the current monolith applications are protected by it.

For the new site, I have put api.mysite.com behind the WAF, but I am not sure if I need to put the static site behind the WAF as well or not?

This is mostly regarding protecting the site against DDoS attacks, bots, etc. We had many attacks before, so I want to make sure I do this the right way.










amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall

asked Nov 4 at 23:06 by Master

1 Answer

While a WAF is primarily used to protect active websites, forms, APIs, etc., there is sometimes a need to use a WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another use case may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers great security) and you want to limit brute-force access attempts - that's where a WAF may help too.

So the answer to your question is: Yes, sometimes a WAF may be used for static content. However, these are quite specific use cases, and whether or not it's relevant to your site I can't tell.

On the other hand, even if you start without a WAF and later on you find out that something unexpected happens to your static content that may be solved with a WAF, you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)






answered Nov 4 at 23:55 by MLu

• Suppose some bot is hitting the landing page 100 times, and that page in turn calls the API 100 times; will the WAF still block him, as 100 requests to the API came from his IP?
  – Master, Nov 5 at 0:23

• @Master The page doesn't call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn't mean it will make 100 API requests. Quite likely it won't. And even if it did, the API WAF should protect you. This doesn't have much to do with the static content WAF.
  – MLu, Nov 5 at 0:40
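
An added illustration (not part of the original answer or comments, and not AWS code) of the brute-force case the answer mentions: a per-IP sliding-window count of denied or missing static-object requests, which is the kind of signal a rate-based WAF rule on the static site would act on. The record layout, thresholds, paths and IP addresses are assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample of (epoch_seconds, client_ip, uri, status) records standing in
# for parsed CDN access-log lines; none of these values come from the page.
SAMPLE = (
    # One client walking guessed "random" filenames: every request is denied.
    [(1000 + i, "198.51.100.7", f"/files/{i:08x}.pdf", 403) for i in range(12)]
    # Another client reloading the public landing page: all successful.
    + [(1000 + i * 20, "203.0.113.9", "/index.html", 200) for i in range(12)]
    # A single harmless miss from that same client.
    + [(1003, "203.0.113.9", "/favicon.ico", 404)]
)


def probing_clients(records, window=60, limit=10, miss_statuses=(403, 404)):
    """Return {ip: timestamp} for clients whose number of denied/missing
    object requests inside any `window`-second span first exceeds `limit`."""
    recent = defaultdict(deque)  # ip -> timestamps of misses still in the window
    flagged = {}
    for ts, ip, _uri, status in sorted(records):
        if status not in miss_statuses:
            continue  # successful loads of public assets never count
        misses = recent[ip]
        misses.append(ts)
        while misses and misses[0] <= ts - window:
            misses.popleft()  # expire misses older than the window
        if len(misses) > limit and ip not in flagged:
            flagged[ip] = ts  # moment a rate-based rule would start blocking
    return flagged


if __name__ == "__main__":
    print(probing_clients(SAMPLE))
```

Counting only 403/404 responses keeps repeated loads of index.html from tripping the threshold, which matches the point in the comments that heavy traffic on the static page is a separate matter from request volume on the API.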

















