Is there need for WAF in static website front with REST API
Votes: 4
I have two websites:
www.mysite.com --> hosted on S3, served via CloudFront, a static single-page app.
Then I have api.mysite.com, which the front end uses.
My company is using a WAF solution from a third party, and the current monolith applications are protected by it.
For the new site, I have put api.mysite.com behind the WAF, but I am not sure whether I need to put the static site behind the WAF as well.
This is mostly about protecting the site against DDoS attacks, bots, etc. We had many attacks before, so I want to make sure I do this the right way.
amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall
asked Nov 4 at 23:06
Master
404
1 Answer
Votes: 5 (accepted)
While WAF is primarily used to protect active websites, forms, APIs, etc., there is sometimes a need to use WAF in front of public static content as well.
For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking
Another use case may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.
So the answer to your question is: Yes, sometimes WAF may be used for static content. However, these are quite specific use cases, and whether or not it's relevant to your site I can't tell.
On the other hand, even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF, you can turn it on then. It's not necessarily a decision you need to make at the very beginning.
Hope that helps :)
answered Nov 4 at 23:55
MLu
4,30411632
Suppose some bot is hitting the landing page 100 times, and that page in turn calls the API 100 times; will the WAF still block him, as 100 requests to the API came from his IP?
– Master
Nov 5 at 0:23
@Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
– MLu
Nov 5 at 0:40
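An added example, not part of the original thread: a triage of CloudFront standard logs for the static site that reports the signals discussed above (per-IP request bursts, repeated 403/404 responses from filename guessing, and foreign Referer hosts that indicate hotlinking), which can inform the "turn it on later" decision. The log sample is constructed and trimmed to a few columns; the thresholds and the names `parse` and `triage` are assumptions.

```python
from collections import Counter
from urllib.parse import urlparse

OWN_HOSTS = {"www.mysite.com"}  # static site hostname from the question
T = "\t"
# Constructed sample in CloudFront standard-log layout (tab-separated, "#Fields:"
# header), trimmed to the columns used here. IPs are documentation addresses.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)"]
    + [T.join(["2024-01-15", f"10:00:{s:02d}", "203.0.113.7", "GET",
               "/index.html", "200", "-"]) for s in range(12)]
    + [T.join(["2024-01-15", f"10:01:{s:02d}", "198.51.100.9", "GET",
               f"/files/{s}a9f.pdf", "403", "-"]) for s in range(6)]
    + [T.join(["2024-01-15", "10:02:01", "192.0.2.44", "GET", "/img/logo.png",
               "200", "https://blog.example.net/post"]),
       T.join(["2024-01-15", "10:02:05", "192.0.2.45", "GET", "/img/logo.png",
               "200", "https://www.mysite.com/"])]
)

def parse(log_text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def triage(log_text, per_minute=10, denied=5):
    """Summarise bursts, denied-object probing and hotlinking seen in the log."""
    rate, misses, hotlinks = Counter(), Counter(), Counter()
    for r in parse(log_text):
        minute = r["date"] + " " + r["time"][:5]
        rate[(r["c-ip"], minute)] += 1              # requests per IP per minute
        if r["sc-status"] in ("403", "404"):
            misses[r["c-ip"]] += 1                  # guessing at object names
        ref = urlparse(r["cs(Referer)"]).hostname   # None when Referer is "-"
        if ref and ref not in OWN_HOSTS:
            hotlinks[ref] += 1                      # assets embedded by other sites
    return {
        "noisy": sorted({ip for (ip, _), n in rate.items() if n > per_minute}),
        "guessing": sorted(ip for ip, n in misses.items() if n >= denied),
        "hotlinks": dict(hotlinks),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Because `parse` reads column names from the `#Fields:` header, the same code works on full CloudFront log files that carry more columns than the trimmed sample.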