WAF Protection
The WAF tab allows you to enable and configure security rules that protect your website from common attacks.
What is a WAF?
A Web Application Firewall (WAF) inspects incoming HTTP requests and blocks malicious traffic based on predefined security rules. It protects against:
- SQL Injection attacks
- Cross-Site Scripting (XSS)
- Remote File Inclusion
- Command Injection
- Path Traversal
- Protocol violations
- Scanner/bot detection
- And many more attack types
Master WAF Toggle
At the top of the WAF tab, you’ll find the master Enable WAF Protection toggle.
When enabled: All configured WAF rules are active and protecting your site.
When disabled: All WAF protections are turned off. Traffic passes through without inspection.
Use case for disabling: Troubleshooting false positives, testing backend behavior, temporary maintenance.
Default WAF Action
Configure how Atomic Edge responds when a WAF rule is violated:
| Action | Description | Use Case |
|---|---|---|
| Default | Use the action specified in each rule file | Standard operation |
| 403 Forbidden | Return "Access Denied" error | Clear communication to attacker |
| 404 Not Found | Pretend resource doesn’t exist | Stealth mode |
| Drop Connection | Silently terminate without response | Frustrate attackers |
Note: Custom WAF actions require a Pro plan or higher.
WAF Rule Groups
Atomic Edge offers several rule groups you can enable independently:
OWASP Core Rule Set (CRS)
The industry-standard WAF ruleset maintained by OWASP (Open Web Application Security Project). Provides comprehensive protection against common web attacks.
Includes protection for:
- SQL Injection (SQLi) – Rule IDs 942xxx
- Cross-Site Scripting (XSS) – Rule IDs 941xxx
- Remote File Inclusion (RFI) – Rule IDs 931xxx
- Local File Inclusion (LFI) – Rule IDs 930xxx
- Protocol violations – Rule IDs 920xxx
- Scanner detection – Rule IDs 913xxx
- Session fixation – Rule IDs 943xxx
Recommended for: All websites
WordPress ModSecurity Ruleset
Specialized rules for WordPress sites that understand WordPress-specific attack patterns and protect WordPress-specific endpoints.
Includes protection for:
- wp-admin brute force attempts
- xmlrpc.php attacks
- Theme/plugin vulnerability exploits
- WordPress-specific SQL injection patterns
Recommended for: WordPress websites only
Comodo WAF Rules
Additional commercial-grade ruleset providing extra protection layers with different detection methodologies.
Recommended for: High-security requirements, defense in depth
Managing Individual Rules
Each rule group contains hundreds of individual rules. By default, all rules are enabled when you enable a group.
Using the "Manage Individual Rules" Button
- Enable a rule group with the toggle
- Click Manage Individual Rules button
- A modal opens showing all rules in that group
- Use the search bar to find specific rule IDs
- Toggle individual rules on/off as needed
- Click Save to apply changes
Bulk Actions
The rule management modal includes bulk actions:
- Enable All: Turn on all rules in the group
- Disable All: Turn off all rules (not recommended)
Search Functionality
For large rulesets (500+ rules), use the search bar:
- Type a rule ID (e.g., 949110)
- Results filter automatically as you type
- Matching sections auto-expand for visibility
- Click the X button to clear the search
Disabling Specific Rules
If you experience false positives (legitimate traffic being blocked):
- Check your WAF Logs in the Analytics tab to identify the triggering rule ID
- Go to the WAF tab
- Find the rule group containing the rule
- Click Manage Individual Rules
- Search for the rule ID
- Toggle it off
- Save your changes
Example false positives:
- Rule 920350 blocking legitimate special characters
- Rule 941100 blocking benign JavaScript
- Rule 942100 blocking legitimate SQL-like content
Important: Only disable rules when you’ve verified they’re causing false positives. Each disabled rule reduces your security protection.
Rule ID Reference
OWASP CRS Rule ID Ranges
| Range | Category |
|---|---|
| 901xxx | Initialization |
| 905xxx | Method enforcement |
| 910xxx | IP reputation |
| 911xxx | Method enforcement |
| 913xxx | Scanner detection |
| 920xxx | Protocol enforcement |
| 921xxx | Protocol attack |
| 930xxx | Local file inclusion |
| 931xxx | Remote file inclusion |
| 932xxx | Remote code execution |
| 933xxx | PHP injection |
| 934xxx | Node.js injection |
| 941xxx | Cross-site scripting (XSS) |
| 942xxx | SQL injection |
| 943xxx | Session fixation |
| 944xxx | Java injection |
| 949xxx | Blocking evaluation |
| 959xxx | Outbound anomaly |
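The false-positive procedure above (find the triggering rule ID in the WAF logs, verify it, disable it, document why) and this rule ID table can be combined into a small triage script. The following is an added example, not Atomic Edge's own code: the page says each blocked request in the WAF logs shows the rule ID that triggered but does not document a log export format, so the JSON-lines layout and the field names `ts`, `client_ip`, `uri`, `rule_id` and `action` are assumptions, the sample log and the disabled-rules register are constructed, and the "many clients on one path / one client on many paths" hint is this example's own heuristic, not a CRS or Atomic Edge rule. The prefix-to-category map is taken from the table above.

```python
"""Triage blocked-request WAF log records by rule ID (added example).

Not Atomic Edge's code. The JSON-lines format and its field names are
assumed; the sample log and the disabled-rules register are constructed.
"""
import json
from collections import defaultdict

# Rule ID prefix -> category, taken from the OWASP CRS rule ID reference table.
CRS_CATEGORIES = {
    "901": "Initialization", "905": "Method enforcement", "910": "IP reputation",
    "911": "Method enforcement", "913": "Scanner detection",
    "920": "Protocol enforcement", "921": "Protocol attack",
    "930": "Local file inclusion", "931": "Remote file inclusion",
    "932": "Remote code execution", "933": "PHP injection",
    "934": "Node.js injection", "941": "Cross-site scripting (XSS)",
    "942": "SQL injection", "943": "Session fixation", "944": "Java injection",
    "949": "Blocking evaluation", "959": "Outbound anomaly",
}

# Constructed register of rules already disabled in the WAF tab. The value is
# the documented reason; an empty reason is a gap the report flags.
DISABLED_RULES = {
    920350: "internal uptime monitor requests; verified false positive 2024-04-30",
    920420: "",  # disabled, but nobody wrote down why
}

# Constructed sample log, one JSON record per line (assumed format). One line
# is deliberately malformed to show that triage skips it instead of aborting.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","client_ip":"203.0.113.10","uri":"/wp-admin/post.php","rule_id":942100,"action":"block"}
{"ts":"2024-05-01T10:00:05Z","client_ip":"203.0.113.11","uri":"/wp-admin/post.php","rule_id":942100,"action":"block"}
{"ts":"2024-05-01T10:00:09Z","client_ip":"203.0.113.12","uri":"/wp-admin/post.php","rule_id":942100,"action":"block"}
{"ts":"2024-05-01T10:01:00Z","client_ip":"198.51.100.7","uri":"/index.php","rule_id":930100,"action":"block"}
{"ts":"2024-05-01T10:01:02Z","client_ip":"198.51.100.7","uri":"/cgi-bin/test","rule_id":930100,"action":"block"}
{"ts":"2024-05-01T10:01:03Z","client_ip":"198.51.100.7","uri":"/readme.txt","rule_id":930100,"action":"block"}
this line is not JSON and must be skipped
{"ts":"2024-05-01T10:02:00Z","client_ip":"203.0.113.10","uri":"/contact","rule_id":941100,"action":"block"}
"""


def crs_category(rule_id):
    """Map a rule ID to its CRS category using its first three digits."""
    return CRS_CATEGORIES.get(str(rule_id)[:3], "Unknown")


def parse_log(text):
    """Parse JSON-lines WAF log text, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def review_hint(ips, uris):
    """Heuristic only (this example's own): many distinct clients blocked on
    one path looks like a false positive on a legitimate form; one client
    blocked across many paths looks like scanning. Every hit still needs the
    manual verification the page calls for before a rule is disabled."""
    if len(ips) >= 3 and len(uris) == 1:
        return "possible false positive: many clients, one path"
    if len(ips) == 1 and len(uris) >= 3:
        return "likely scanning: one client, many paths"
    return "needs manual review"


def triage(records, disabled_rules):
    """Summarise blocked requests per rule ID, most frequent first."""
    counts, ips, uris = defaultdict(int), defaultdict(set), defaultdict(set)
    for rec in records:
        if rec.get("action") != "block" or "rule_id" not in rec:
            continue
        rid = int(rec["rule_id"])
        counts[rid] += 1
        ips[rid].add(rec.get("client_ip", "?"))
        uris[rid].add(rec.get("uri", "?"))
    return {
        rid: {
            "count": counts[rid],
            "category": crs_category(rid),
            "distinct_ips": len(ips[rid]),
            "distinct_uris": len(uris[rid]),
            "already_disabled": rid in disabled_rules,
            "review_hint": review_hint(ips[rid], uris[rid]),
        }
        for rid in sorted(counts, key=counts.get, reverse=True)
    }


def undocumented_disabled(disabled_rules):
    """Rule IDs disabled without a recorded reason ('Document disabled rules')."""
    return sorted(rid for rid, reason in disabled_rules.items() if not reason.strip())


def report(summary, disabled_rules):
    """Human-readable lines for the per-rule summary and the register gaps."""
    lines = [
        f"rule {rid} [{s['category']}] hits={s['count']} ips={s['distinct_ips']} "
        f"uris={s['distinct_uris']} -> {s['review_hint']}"
        for rid, s in summary.items()
    ]
    for rid in undocumented_disabled(disabled_rules):
        lines.append(f"rule {rid} [{crs_category(rid)}] is disabled without a documented reason")
    return lines


if __name__ == "__main__":
    for line in report(triage(parse_log(SAMPLE_LOG), DISABLED_RULES), DISABLED_RULES):
        print(line)
```

Run it against an export of your own WAF logs once you know the real field names; the category lookup only depends on the first three digits of the rule ID, so it works for any rule in the ranges listed in the table, and the register check is what turns "Document disabled rules" from advice into something you can verify at each periodic review.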
Best Practices
- Start with OWASP CRS – It’s the most widely tested and reliable ruleset
- Monitor your logs – Check WAF logs daily in the first few days after enabling
- Test on staging first – Enable new rule groups on a staging site before production
- Document disabled rules – Keep track of which rules you disable and why
- Review periodically – Re-evaluate disabled rules when you update your application
- Use the search – For large rulesets, use the search feature to quickly find specific rules
Troubleshooting
My site is blocking legitimate traffic
- Check the WAF logs in the Analytics tab
- Note the rule ID that triggered
- Verify it’s a false positive (legitimate request being blocked)
- Disable that specific rule using the "Manage Individual Rules" modal
- Monitor logs to confirm the issue is resolved
WAF not blocking attacks
- Verify the master WAF toggle is enabled
- Check that rule groups are enabled
- Verify DNS is properly configured (traffic must flow through Atomic Edge)
- Check if the attacker’s IP is in your whitelist
Performance concerns
- WAF inspection adds ~10-30ms per request (necessary for security)
- The "Manage Individual Rules" modal may take a moment to load for large rulesets
- Use the search feature instead of scrolling through 500+ rules
Plan Limits
| Feature | Free | Pro | Enterprise |
|---|---|---|---|
| WAF Rule Groups | All | All | All |
| Custom WAF Action | ✗ | ✓ | ✓ |
| Individual Rule Control | ✓ | ✓ | ✓ |
Frequently Asked Questions
What is a WAF?
Web Application Firewall explained
A Web Application Firewall (WAF) inspects incoming HTTP requests and blocks malicious traffic based on predefined security rules. It protects against SQL injection, XSS, path traversal, and other common attacks.
How do I enable WAF protection?
Master toggle and rule groups
Navigate to the WAF tab in your site settings and enable the master WAF toggle. Then select which rule groups to enable. We recommend enabling the OWASP Core Rule Set for comprehensive protection.
What is the OWASP Core Rule Set?
Industry-standard WAF ruleset
The OWASP Core Rule Set (CRS) is a community-maintained set of security rules that provides protection against the OWASP Top 10 vulnerabilities including SQL injection, XSS, and remote file inclusion.
What WAF action should I use?
Block responses explained
Choose 403 Forbidden for clear communication to attackers, 404 Not Found for stealth mode, or Drop Connection to silently terminate requests. The default action is usually 403 Forbidden.
How do I fix false positives?
Disable specific rules causing issues
Check your WAF logs to identify the rule ID causing false positives. Go to the WAF tab, click Manage Individual Rules for the relevant rule group, search for the rule ID, and toggle it off.
Can I enable rules individually?
Granular rule management
Yes. Click the Manage Individual Rules button for any rule group to view and toggle individual rules. Use the search bar to find specific rule IDs quickly.
Should I enable the WordPress ruleset?
WordPress-specific protection
Enable the WordPress ModSecurity Ruleset only if your site is running WordPress. It provides additional protection for wp-admin, xmlrpc.php, and WordPress-specific attack patterns.
How do I find which rule blocked a request?
Using WAF logs
Go to the Analytics tab and view WAF logs. Each blocked request shows the rule ID that triggered. You can then search for this rule ID in the WAF tab to disable it if needed.
