Web Application and API Protection (WAAP) is a single SaaS tool that combines all aspects of website security and traffic management, including Layer 7 DDoS protection and web application security. Securing an application with WAAP involves three main steps:
  1. Create a Gcore CDN resource for the domain.
  2. Enable WAAP protection in the resource settings.
  3. Verify traffic behavior to help ensure legitimate requests are not blocked.
The following guide walks through this process and explains how to configure WAAP according to specific requirements.
Tip: After you enable WAAP, all traffic will be diverted to our network, and it may cause a temporary disruption for your users. We recommend setting up Gcore WAAP during a low-traffic period to minimize the impact.

Step 1. Create a CDN resource

To secure your web application and APIs with Gcore WAAP, it’s necessary to create a CDN resource associated with your website’s origin. If you also need to add an SSL certificate, check out the Add an SSL certificate to deliver content over HTTPS guide.
Info: When configuring a resource, you need to update your domain’s DNS records so they point to our network. This is necessary to allow all traffic to pass through WAAP.
If you don’t have Gcore CDN configured, follow the instructions from this guide: Create a CDN resource for the entire site.

Step 2. Enable WAAP in CDN resource settings

Once your CDN resource is set up, you can activate WAAP protection for it. Refer to the Protect CDN resources with Gcore WAAP guide for detailed instructions.

Step 3. Use WAAP in Monitoring mode

After you enable WAAP, it is automatically set to Monitoring mode. In this mode, all incoming requests are inspected, but no action is taken. It’s best to use Monitoring mode for several days before enabling Protection mode to make sure that all security settings work correctly. Completing this step is important because it allows you to analyze requests and test the WAAP behavior before you fully activate it.
Warning: In Monitoring mode, all traffic is allowed to your domain, regardless of configured security rules and policy groups. This mode is only recommended for testing WAAP settings.

Step 4. View your domain traffic

While keeping WAAP in Monitoring mode, you can view all logged requests and check the corresponding actions that WAAP will take once you put it in Protection mode. Use the Events page to detect common traffic patterns and understand if the current configuration requires any adjustments.
  1. In the Gcore Customer Portal, navigate to WAAP > Events.
  2. Use the Domain filter to select your domain.
  3. Review the requests and the actions WAAP has taken.
You can also use additional filters to get more granular information about your traffic. For more details about the available filters, see the Why filtering matters section. To view more information about an event, click on its row.

Step 5. Test your WAAP configuration

To achieve the desired WAAP behavior, we recommend that you navigate through your website as both a user and administrator. Navigating the website will generate entries in the Requests table. You can use this information to determine if you need to create Firewall rules or custom WAAP rules for some requests and let them access your website’s content. Specifically, review requests that relate to:
  • Your origin IP: IP address assigned to your device.
  • Your office IP: IP address assigned to your device within your office’s network.
  • Your workstation IP: IP address assigned to a workstation or specific computer in a network.
If you notice that WAAP will block such requests in Protection mode, you need to update your settings to prevent such a situation. You can find detailed instructions on how to update your settings in the following step. Check out the allow and block IP addresses guide for more information.

Step 6. Allow admins, bots, and CMS

Before WAAP is in Protection mode, you need to ensure that critical IP addresses, content management systems (CMS), and known bots are allowed to make successful requests. Check the WAAP policy groups for a full list of security policies and their detailed overview.

Allow admin IP addresses

If your domain doesn’t use a CMS, we highly recommend allowlisting the site administrator’s IP address:
  1. In the Gcore Customer Portal, navigate to WAAP > Firewall.
  2. Select the needed domain from the domain dropdown.
  3. In the Allowed IPs tab, click Add IP/IP range.
  4. Enter any admin user’s public IP address.
  5. Click Save.
Repeat these steps if needed.

Allow CMS

If you use content management systems, such as WordPress, allow traffic for CMS admins:
  1. In the Gcore Customer Portal, navigate to WAAP > Default Rules.
  2. Select the needed domain from the domain dropdown.
  3. Click the CMS Protection tab.
  4. Find the desired content management system and change its mode to Allow by clicking on the mode dropdown next to it.
Tip: The WordPress WAF ruleset policy is enabled by default.

Allow Known Bots

Follow these steps to allow crawlers, scanners, monitoring bots, and similar tools to access your website:
  1. In the Gcore Customer Portal, navigate to WAAP > Bot Management.
  2. Select the needed domain from the domain dropdown.
  3. Click the Known Bots tab and enable the desired bot by changing its mode to Allow.
The Known Bots list allows several trusted bots by default, which is why we recommend reviewing this list before enabling Protection mode.

Step 7. Configure your APIs

If you plan to serve JSON requests through an API on your domain, you can disable the JavaScript injection and CAPTCHA functionalities for specified API endpoints. You can manually add endpoints to the API base path or configure the API Discovery feature to automatically detect and protect your APIs.

Step 8. Enable Protection mode

  1. In the Gcore Customer Portal, navigate to WAAP > Domains.
  2. Find the needed domain in the list.
  3. In the WAAP domain mode column, click the mode dropdown and select Protection. WAAP will begin to inspect and act upon incoming requests.

Step 9. Block non-Gcore traffic

After successful DNS propagation and verifying that domain-based traffic is being handled by WAAP, ensure that all requests to your domain are routed through Gcore servers. This is necessary to prevent unauthorized traffic from bypassing WAAP and directly reaching your domain.
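
One way to check the result of this step from the origin side, as an added example that is not part of Gcore's documentation: behind WAAP, every request in the origin access log should come from a Gcore edge address, so any other client IP reached the origin directly. The edge ranges below are placeholders from documentation address space, the log lines are constructed, and `find_direct_hits` and its `trusted` parameter are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Placeholder ranges (RFC 5737 / RFC 3849 documentation nets) standing in for
# the Gcore edge addresses that proxy your resource. NOT Gcore's real ranges.
EDGE_RANGES = ["192.0.2.0/24", "2001:db8:100::/48"]

# Constructed origin access-log lines in the nginx/Apache "combined" format.
SAMPLE_LOG = """\
192.0.2.17 - - [12/Mar/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.50 - - [12/Mar/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 812 "-" "curl/8.5.0"
2001:db8:100::9 - - [12/Mar/2025:10:01:09 +0000] "GET /api/v1/items HTTP/1.1" 200 230 "-" "okhttp/4.12"
203.0.113.50 - - [12/Mar/2025:10:01:11 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.5.0"
not-a-log-line
198.51.100.7 - - [12/Mar/2025:10:02:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "monitor/1.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def find_direct_hits(log_text, edge_ranges, trusted=()):
    """Return (hits, skipped): hits maps each non-edge client IP to a Counter of
    request paths; skipped counts lines that could not be parsed."""
    edges = [ipaddress.ip_network(r) for r in edge_ranges]
    allow = [ipaddress.ip_network(r) for r in trusted]
    hits, skipped = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            skipped += 1
            continue
        # `ip in net` is False (not an error) when the IP versions differ.
        if any(ip in net for net in edges + allow):
            continue
        hits.setdefault(str(ip), Counter())[m.group(4)] += 1
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = find_direct_hits(SAMPLE_LOG, EDGE_RANGES, trusted=["198.51.100.7/32"])
    for ip, paths in hits.items():
        print(f"bypass: {ip} reached origin directly: {dict(paths)}")
    print(f"unparsed lines: {skipped}")
```

Use `trusted` for sources that legitimately contact the origin without passing through WAAP, such as an internal health checker; anything left in `hits` is traffic the origin firewall should be rejecting.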