Logo image

CDN Web Application Firewall Explained: Newbies & Advanced Users

As we’ve explored in previous articles, Content Delivery Networks use edge servers as worker bees, to compliment your main hosting provider by saving (caching) your website’s assets around the world.

This gets your content closer to customer locations (users accessing your site from their browsers), so there’s no latency (delays) which puts people off and lowers sales conversions. If you’re new to CDNs, these articles will get you up to speed:

In this installment, we’re going to dive into CDN WAF technology, recently added to Namecheap’s Supersonic CDN paid packages. If you’re a more advanced user, skip the next section where we break down what web applications firewalls are and how they work, for those who are new to the subject.

WAF CDN for Newbies

Even without a WAF, CDNs protect your website against DDoS attacks which overload your original server with fake traffic to slow down or even crash your website. This is because a CDN means you’re no longer relying on a single hosting server, your site content is spread out globally.

But WAFs take your security totally next level. To understand how, first we’ll do a comparison with the traditional type of firewall.

Traditional Firewalls vs. WAF

The typical firewall, installed on every computer these days, sits on the edge of your network and filters out incoming and outcoming traffic. To be more specific, it filters out IP addresses (the unique number assigned to each device’s online activity) and port numbers (identifiers of how an Internet or other network message will be forwarded when it arrives at a server).

The firewall sits at level 3 and 4 of the OSI Model i.e. Internet> Router> Firewall. So it’s your first line of defense. It can block suspicious traffic, but not analyze or prevent it. In the early days of the Internet this was enough for most users.

The problem now is that modern hacking techniques are so diverse that even next generation level 3 firewalls can’t keep you fully protected. As any network administrator would tell you, it’s basically like locking the front door of your house, but leaving the windows and the back door open. Cyber attacks happen at different network protocol layers, so different defense systems for each type of traffic are needed.

Drum roll the CDN WAF… a web application firewall works at level 7 of the OSI Model, right at the user interface point. It’s designed to scrutinise and protect Internet applications that use HTTP (the foundation of any online data exchange) to send or receive information between a client server (customer’s browser) and a website server.

How to make business cards

In an ideal scenario, web applications wouldn’t have vulnerabilities. But in reality that’s just not possible, even when developers do their best to make them secure. This is why patch releases to fix security gaps are so common in the software world. WordPress for example releases them weekly.

A WAF examines every HTTP/data exchange request. It acts to block or discard suspicious traffic, while allowing secure traffic to pass through. All with no interruption to service as far as customers are concerned.

It’s highly effective at preventing the most dangerous cyber threats that would otherwise go undetected:

  • Bots — non-human, automated traffic is blocked using advanced detection technology, including device fingerprinting.
  • Cross-site Scripting — blocks cybercriminals from injecting client-side (browser) scripts into web pages to gain access and scam users.
  • Denial of Service (DDoS) Attacks — all incoming traffic is carefully measured. If a threshold is exceeded, the traffic is challenged to verify it’s coming from a human, and blocked if it doesn’t match up.
  • OWASP Top 10 Threats — by default, Supersonic CDN WAF protects against the top ten security threats identified by the Open Web Application Security Project.
  • SQL Injection — this happens when hackers add code to forms and other input fields to gain access to applications or the site’s database. WAFs are effective at blocking this.

The last thing to mention is that while traditional firewalls and WAFs block ‘bad’ traffic at different levels during the data flow, they both operate according to set rules they’re programmed with. A good WAF will have all important protocols set as default, while allowing administrators to easily make bespoke changes from their dashboard.

How WAFs Work

Basically, any interaction people have in their browser is a web application. A WAF CDN will analyze and channel all traffic to and from your website, blocking all types of application (layer 7) threats. At the same time, traffic is accelerated and optimized with advanced caching, so that ‘good’ traffic races through and ‘bad’ traffic (like bots) is stopped in its tracks. Your website customers aren’t affected, and neither are your Google analytics.

In the case of Supersonic CDN WAF, all you’ll need to do is point your website to it, and everything kicks in automatically, with the settings already in place. You can tweak or deactivate settings from your dashboard if you have individual traffic needs, such as IP whitelists / blacklists. Any changes can be easily made and globally implemented at the touch of a button, there’s no wait for a reply from a Support ticket. But in general no major changes are needed, Supersonic CDN WAF is already preset to protect you against otherwise undetected malicious activity coming from the Internet. It’s done for you.

How to make business cards

What’s more, our WAF gets smarter, the more it operates. It continually analyzes traffic to understand behavior, inconsistencies, and reliability, using advanced intelligent algorithms. Every attack attempt just makes it stronger in protecting your website against emerging threats.

WAF CDN for Advanced Users

With level 7 OSI layer HTTP/HTTPS protection, your website will be secured across all of the following:

  • AJAX
  • Cookie Manipulation
  • Javascript
  • HEAD
  • GET
  • POST
  • Session Management
  • SSL
  • SQL Injection
  • URL
  • XSS

Precision Customization

Supersonic CDN WAF lets you set the rules. While it’s comprehensive default protocols are designed for zero-touch configuration, more advanced users can create specific, bespoke rules based on traffic data. These include precision configuration on IP, URL requested, geolocation, traffic rates, and more. Your custom rules can then be deployed instantly and globally.

Since the WAF comprehensively inspects and filters HTTP packets, you can set up rules to permit or block connections purely based on their content if you choose.

If a domain threshold, burst threshold, or sub-second burst threshold (all of which can be tailored to your needs) is exceeded, the WAF will challenge and block the traffic. You can even set predefined thresholds per domain. On the other hand, depending on the rules you set, legitimate traffic sources are allowed through, even during a DDoS attack.

How to make business cards

PCI 6.6 Compliance

If you run an ecommerce website, you’ll already know that it’s legally mandatory for any site which processes or stores credit card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS).

Under their Requirement 6.6, it’s not only websites handling credit cards that need advanced security, it extends to sites handling other types of sensitive data. HIPAA (patient healthcare information), and SOX (financial information of public companies) require this compliance too. A WAF would be much more cost effective for you or your client than undergoing a code review for PCI 6.6 compliance.


A Web Application Firewall (WAF) gives your website major added security muscle — it effectively blocks a range of malicious traffic and cyber crime that would otherwise go undetected, while allowing healthy data exchange between your online business and customers to flow without interruption.

For newbies, this article has explained how Supersonic CDN WAF works, and how it differs from traditional firewalls which simply can’t cope with the full range of modern cyber threats. For more technically advanced users, we’ve also covered the customization precision and easy compliance for a range of sensitive data that you gain.

Why Choose Supersonic CDN WAF from Namecheap?

We’ve built a 20 year global track record of trust, for giving our customers a range of vital web services. From a range of useful apps to streamline your business, to domains and website solutions. Our new WAF, for all paid CDN packages, is available to Namecheap’s domain/DNS and managed EasyWordpress customers. Hosting users will also soon be able to benefit. Namecheap believes in giving people the businesses tools you need without the usual roadblocks — high quality, user-friendly and super affordable.

Need help? We're always here for you.