{"section":"tutorials","requestedLocale":"en","requestedSlug":"web-application-firewall-waf","locale":"en","slug":"web-application-firewall-waf","path":"docs/en/tutorials/security/vtex-shield/web-application-firewall-waf.md","branch":"main","content":"> ℹ️ This feature is part of the [VTEX Shield](/docs/tutorials/vtex-shield) product. If you're a VTEX client and want to adopt VTEX Shield for your business, contact our [Commercial Support](/docs/tracks/commercial-support). Additional fees may apply. If you're not a VTEX client but are interested in this solution, complete the [contact form](https://www.vtex.com/en-us/contact-us/).\n\nThe Web Application Firewall (WAF) is a security layer designed to protect web applications by monitoring and filtering internet traffic.\n\nWAF is specifically meant for HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP Secure) communications, scanning inbound data to detect and block possible threats.\n\n![waf-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_1.png)\n\nThe first step to using WAF is defining [security rules](#security-rules), which are determined by the VTEX Security team based on their analysis of information flow patterns. Based on these rules, the WAF continuously monitors web traffic. When it detects potentially harmful activity, it can block traffic, thus preventing the exploitation of vulnerabilities in the web application.\n\n## Security rules\n\nStores using VTEX Shield and choosing to use WAF have the following security rules against threats:\n\n| Threat | Security rule |\n|---|---|\n| Remote File Inclusions (RFI) | Detects attempts to include files, usually via scripts on the web server. |\n| Directory Traversal | Verifies and validates file names provided by users, preventing unauthorized access to sensitive files and folders. 
|\n| Cross-Site Scripting (XSS) | Prevents the injection of client-side scripts into the pages viewed by visitors. |\n| File upload | Detects attempts to upload files to the web server. |\n| Evasion techniques | Protects against some coding tricks used to try to bypass protection mechanisms. |\n| Unwanted access | Detects attempts to access admin or vulnerable pages, bots, and security scanning tools. |\n| Identified attacks | Prevents common attacks and known vulnerabilities. |\n| IP filter | Checks a list of IP addresses that have access permissions or restrictions. |\n| Tor network blocking | Prevents access to the site using the Tor browser. |\n\n> ℹ️ The selection of rules and the names displayed may vary based on the configuration set in the WAF provider and any customizations requested by the merchant.\n\n## Requesting WAF activation\n\nTo request WAF activation in your store, contact [VTEX Support](https://supporticket.vtex.com/support). Include the following information in the ticket:\n\n* URLs to be added to WAF.\n* Name and contact information (email and phone) for the point of contact with the VTEX Security team during activation.\n* Provider: To access WAF, all store URL traffic must go through the provider currently used by VTEX. If that's not the case, you need to complete a procedure with the VTEX Traffic team, which can take between 1 and 2 weeks.\n\nAfter the request, the period to activate WAF on the store URLs is 4 weeks, plus any time needed to migrate to the provider, if applicable.\n\n## WAF metrics\n\nVTEX Shield provides a dashboard for real-time monitoring of WAF metrics and activity. 
To view the dashboard in the VTEX Admin, go to **Apps > Shield > WAF**, or type **WAF** in the search bar.\n\nThe dashboard displays the following information and resources:\n\n* [Period filter](#period-filter)\n* [General metrics](#general-metrics)\n* [Actions](#actions)\n* [Rules](#rules)\n* [Attack types](#attack-types)\n* [Origin countries](#origin-countries)\n* [Devices](#devices)\n\n### Requirements\n\nTo view the page, you must:\n\n* Have WAF [activated](#requesting-waf-activation) in advance.\n* Be a user associated with a [role](https://help.vtex.com/en/docs/tutorials/roles) with the following [License Manager resource](https://help.vtex.com/en/docs/tutorials/license-manager-resources):\n\n  - **Product**: _CDN API_\n  - **Category**: _WAF Control_\n  - **Resource**: _View WafControl Metrics_\n\n### Period filter\n\nIn the upper-right corner, you can select the data time period by clicking the current period. The available options are:\n\n* **Today**\n* **Yesterday**\n* **Last 7 days**\n* **Last 14 days**\n* **Last 30 days**\n* **Custom period:** Lets you select specific start and end dates, with a maximum interval of 30 days, limited to the last 60 days.\n\nAfter selecting the desired period, click `Apply` to update the dashboard metrics.\n\n### General metrics\n\nThe top section of the dashboard shows three main metrics:\n\n* **All requests:** Total number of requests analyzed by WAF during the selected period.\n* **Blocked:** Number and percentage of requests that were blocked by WAF before reaching the application because they were identified as threats.\n* **Allowed:** Number and percentage of requests permitted by WAF and forwarded to the application after analysis, considered safe.\n\n![waf-2-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_2.png)\n\n### Actions\n\nThe **Actions** chart shows the trend of WAF activity over time, displaying the volume of 
requests by hour of the day, aggregated across the selected period. It allows you to identify traffic peaks at specific times.\n\nThe chart displays three main metrics:\n\n* **Blocked** (blue line): Requests blocked by WAF.\n* **Allowed** (purple line): Allowed requests.\n* **Total** (gray line): Total volume of requests analyzed.\n\n![waf-3-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_3.png)\n\n### Rules\n\nThe **Rules** chart shows the security rules that were triggered during the selected period. You can view the data in two ways, using the options in the upper-right corner of the chart:\n\n* **Time:** Historical trend of when each rule was applied.\n* **Summary:** Consolidated actions per rule.\n\n![waf-4-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_4.png)\n\n> ℹ️ The selection of rules and names displayed may vary according to the configuration defined by the WAF provider and any customizations requested by the merchant.\n\n### Attack types\n\nThe **Attack types** section includes a horizontal bar chart with the main threat types detected and their incidence volume.\n\nThe displayed attack types are the most relevant ones for the store (for example, those with the highest incidence), not necessarily the ones listed in the [security rules](#security-rules) table. Learn more about common attacks in [OWASP Top 10](https://owasp.org/Top10).\n\n![waf-5-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_5.png)\n\n### Origin countries\n\nThe **Origin countries** chart shows the geographic distribution of requests, allowing you to identify the countries of origin of access requests to your site, as analyzed by WAF. 
Countries are listed using three-letter codes, with horizontal bars indicating the request volume from each location.\n\n![waf-6-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_6.png)\n\n### Devices\n\nThe **Devices** chart presents the percentage distribution of device types used to access the site in the requests analyzed by WAF:\n\n* **Desktop:** Accesses via desktop computers.\n* **Mobile:** Accesses via mobile devices.\n* **Tablet:** Accesses via tablets.\n* **Unknown:** Unidentified devices.\n\nThe data is presented in a pie chart with the corresponding percentages.\n\n![waf-7-en](https://cdn.statically.io/gh/vtexdocs/help-center-content/refs/heads/main/docs/en/tutorials/security/vtex-shield/web-application-firewall-waf_7.png)\n\n## Learn more\n\n* [VTEX Shield](/en/docs/tutorials/vtex-shield)"}