Web Application Firewall (WAF)

Public beta

WAF is currently in public beta. This feature is under active development and may have limited availability or functionality.

Arxignis WAF provides comprehensive protection for your web applications and APIs against a wide range of attacks and security threats.

Overview

Our WAF solution offers:

Real-time protection against OWASP Top 10 threats
API security with specialized protection
Custom rule creation for specific needs
Performance optimization with minimal latency
Cloud-native deployment across multiple platforms

Core Protection Features

OWASP Top 10 Protection

Comprehensive protection against the most critical web application security risks:

Injection - SQL, NoSQL, OS command injection
Broken Authentication - Session management flaws
Sensitive Data Exposure - Data leakage prevention
XML External Entities (XXE) - XML processing attacks
Broken Access Control - Authorization bypasses
Security Misconfiguration - Configuration vulnerabilities
Cross-Site Scripting (XSS) - Client-side attacks
Insecure Deserialization - Object injection attacks
Known Vulnerabilities - Component security issues
Insufficient Logging - Security event visibility

Rule expressions

Arxignis WAF evaluates rules using a Wirefilter-compatible expression language (Cloudflare Ruleset Engine style). Expressions run against each request and may trigger an action when matched.

Syntax: Boolean expressions with fields, literals, operators, grouping: (), and, or, not, ==, !=, <, <=, >, >=, in, contains, matches, starts_with(), ends_with(), etc.
Evaluation: First matching rule short-circuits. Invalid expressions are skipped and logged.
Source: Rules are stored in the database per organization; expired rules are ignored.

Operators and grouping

Operator	Description
`and`	Logical AND; both operands must evaluate to true.
`or`	Logical OR; at least one operand must evaluate to true.
`not`	Logical negation; inverts the boolean value of the operand.
`()`	Groups expressions to control precedence.
`==`	Equality comparison between operands of the same type.
`!=`	Inequality comparison between operands of the same type.
`<`, `<=`, `>`, `>=`	Relational comparison for numeric or lexicographic types.
`in`	Membership test against a set or range.
`contains`	True if left string contains the right substring.
`matches`	True if left string matches the right regular expression.

Precedence: not > and > or (use parentheses to make precedence explicit).

Supported fields

These fields are provided to expressions per request.

Field	Type	Description
`http.request.method`	Bytes	HTTP method (GET, POST, etc.).
`http.request.scheme`	Bytes	URL scheme (http, https).
`http.request.host`	Bytes	Request host (authority).
`http.request.port`	Int	Destination port.
`http.request.path`	Bytes	Path component only (no query).
`http.request.uri`	Bytes	Full URI including path and query.
`http.request.query`	Bytes	Raw query string.
`http.request.user_agent`	Bytes	User-Agent header value.
`http.request.content_type`	Bytes	Content-Type header value.
`http.request.content_length`	Int	Content length in bytes.
`http.request.body`	Bytes	Request body (as text/bytes).
`http.request.body_sha256`	Bytes	Hex-encoded SHA-256 of body.
`http.request.headers`	Map(Array(Bytes))	Map of all headers (header name → array of values).
`ip.src`	Ip	Source client IP address.
`ip.src.country`	Bytes	ISO country code from threat intelligence.
`ip.src.asn`	Int	Autonomous System Number.
`ip.src.asn_org`	Bytes	ASN organization name.
`ip.src.asn_country`	Bytes	ASN country code.
`threat.score`	Int	Threat intelligence score (0-100).
`threat.advice`	Bytes	Threat intelligence advice (allow, block, challenge).

Supported functions

The following functions are recognized and can be used in expressions. Only these are currently allowed; unsupported functions cause validation failure.

Function	Signature	Returns	Description
`all`	`all(array, predicate)`	bool	True if all elements satisfy the predicate.
`any`	`any(array, predicate)`	bool	True if any element satisfies the predicate.
`cidr`	`cidr(ip, cidr)`	bool	Checks if an IP is within the CIDR range.
`concat`	`concat(array)`	string	Concatenates array elements into a single string.
`decode_base64`	`decode_base64(bytes)`	bytes	Decodes a base64-encoded string.
`ends_with`	`ends_with(bytes, suffix)`	bool	Checks if a string ends with suffix.
`json_lookup_integer`	`json_lookup_integer(json_bytes, json_path)`	int	Extracts integer via JSON path.
`json_lookup_string`	`json_lookup_string(json_bytes, json_path)`	bytes	Extracts string via JSON path.
`len`	`len(array)`	int	Number of elements in array.
`lower`	`lower(bytes)`	bytes	Converts string to lowercase.
`remove_bytes`	`remove_bytes(bytes, remove)`	bytes	Removes occurrences of `remove` from input.
`remove_query_args`	`remove_query_args(url, args)`	bytes	Removes query parameters from URL.
`starts_with`	`starts_with(bytes, prefix)`	bool	Checks if a string starts with prefix.
`substring`	`substring(bytes, start, length)`	bytes	Extracts substring.
`to_string`	`to_string(any)`	bytes	Converts value to string representation.
`upper`	`upper(bytes)`	bytes	Converts string to uppercase.
`url_decode`	`url_decode(bytes)`	bytes	URL-decodes a string.
`uuid4`	`uuid4(seed_bytes)`	bytes	Generates UUIDv4 with optional seed.
`wildcard_replace`	`wildcard_replace(bytes, pattern, replacement)`	bytes	Replaces wildcard pattern in string.

Examples:

# Block requests with high threat scores
threat.score > 80 and threat.advice == "block"

# Block SQL injection attempts in query string
http.request.query contains "union select" or http.request.query contains "1=1"

# Block suspicious user agents
http.request.user_agent contains "scanner" or http.request.user_agent contains "bot"

# Allow only specific countries
ip.src.country not in {"US", "CA", "GB"}

# Check request body hash against known malicious payloads
http.request.body_sha256 == "a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3"

# Block POST requests to sensitive paths
http.request.method == "POST" and http.request.path starts_with "/admin"

Actions and response

Each rule has an action (default: block). When a rule matches:

Request is marked blocked, and the first match short-circuits further evaluation.
Response payload includes reason, action, and details about the matched rule.

Successful response (default, when originalEvent is not requested):

{
  "success": true,
  "reason": "Request blocked due to WAF rule <rule-id>",
  "action": "block",
  "details": {
    "blocked_by_waf": true,
    "matched_rule": "<rule-id>",
    "matched_rule_action": "block",
    "rules_matched": 1,
    "rules_processed": 3,
    "processed_at": "<rfc3339>"
  }
}

Notes:

Only idempotent HTTP methods (GET, PUT, DELETE, HEAD, OPTIONS, TRACE) are cached for 15s.
originalEvent=true query returns the full event instead of the summarized response.

Rule Engine

Pre-built Rules

Comprehensive rule sets for common threats:

SQL Injection - Database attack prevention
XSS Protection - Cross-site scripting defense
CSRF Protection - Request forgery prevention
File Upload Security - Malicious file prevention
Bot Protection - Automated attack prevention

Performance Optimization

Edge Computing

Global edge deployment for minimal latency
Local rule evaluation when possible
Caching of frequently used rules
Connection pooling for API calls

Rule Optimization

Rule ordering for optimal performance
Conditional evaluation to skip unnecessary checks
Caching of rule results
Batch processing for multiple requests

Monitoring and Analytics

Real-time Dashboard

Attack visualization with geographic mapping
Threat trends and patterns
Performance metrics and latency monitoring
Rule effectiveness analysis

Logging and Alerting

Detailed attack logs with full context
Real-time alerts for critical threats
SIEM integration for security teams
Custom dashboards for specific needs

Configuration Management

Rule Management

Version control for rule changes
A/B testing for rule effectiveness
Rollback capabilities for quick recovery
Environment promotion from dev to production

Policy Templates

Pre-built policy templates for common use cases:

E-commerce - Online store protection
SaaS Applications - Multi-tenant security
APIs - API-first application protection
Content Management - CMS security

Best Practices

Rule Development

Start with monitoring before blocking
Test rules thoroughly in staging
Document rule purposes and business justification
Regular rule reviews and updates

Performance

Monitor latency impact of rules
Optimize rule order for efficiency
Use caching where appropriate
Scale resources based on traffic

Security

Regular threat intelligence updates
Monitor for new attack vectors
Keep rules current with latest threats
Conduct security reviews regularly

Overview​

Core Protection Features​

OWASP Top 10 Protection​

Rule expressions​

Operators and grouping​

Supported fields​

Supported functions​

Actions and response​

Rule Engine​

Pre-built Rules​

Performance Optimization​

Edge Computing​

Rule Optimization​

Monitoring and Analytics​

Real-time Dashboard​

Logging and Alerting​

Configuration Management​

Rule Management​

Policy Templates​

Best Practices​

Rule Development​

Performance​

Security​