Is there need for WAF in static website front with REST API

Clash Royale CLAN TAG#URR8PPP

up vote
3
down vote

favorite

I have two webistes

1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP




2. Then i have api.mysite.com , which the front end uses.

My company is using WAF solution from thirdparty and current monolith applications are protected by it.

For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?

This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way

amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall

share|improve this question

asked 2 hours ago

Master

333

add a comment | 

up vote
3
down vote

favorite

I have two webistes

1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP




2. Then i have api.mysite.com , which the front end uses.

My company is using WAF solution from thirdparty and current monolith applications are protected by it.

For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?

This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way

amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall

share|improve this question

asked 2 hours ago

Master

333

add a comment | 

up vote
3
down vote

favorite

up vote
3
down vote

favorite

I have two webistes

1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP




2. Then i have api.mysite.com , which the front end uses.

My company is using WAF solution from thirdparty and current monolith applications are protected by it.

For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?

This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way

amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall

share|improve this question

asked 2 hours ago

Master

333

I have two webistes

1. www.mysite.com. -->hosted on s3 , served via cloudfront static single page APP




2. Then i have api.mysite.com , which the front end uses.

My company is using WAF solution from thirdparty and current monolith applications are protected by it.

For the new site , i have put api.mysite.com behind WAF but i am not sure if i need to put static site behind WAF as well or not?

This is mostly regarding preventing site against DDOS attacks or bots etc , we had many attacks before , so i want to make sure i do the thing right way

amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall

amazon-web-services web-server web-applications amazon-cloudfront web-application-firewall

share|improve this question

asked 2 hours ago

Master

333

share|improve this question

asked 2 hours ago

Master

333

share|improve this question

share|improve this question

asked 2 hours ago

Master

333

asked 2 hours ago

Master

333

asked 2 hours ago

Master

333

333

add a comment | 

add a comment | 

1 Answer
1

active

oldest

votes

up vote
2
down vote

While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.

So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.

On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

3,9281632

• 
  
  
  

  
  

  
  
  
  
  
  

  
  suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
  – Master
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
  – MLu
  1 hour ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938605%2fis-there-need-for-waf-in-static-website-front-with-rest-api%23new-answer', 'question_page');

);

Post as a guest

Name Email

1 Answer
1

active

oldest

votes

1 Answer
1

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
2
down vote

While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.

So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.

On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

3,9281632

• 
  
  
  

  
  

  
  
  
  
  
  

  
  suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
  – Master
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
  – MLu
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.

So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.

On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

3,9281632

• 
  
  
  

  
  

  
  
  
  
  
  

  
  suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
  – Master
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
  – MLu
  1 hour ago
  

  
  
  
  

add a comment | 

up vote
2
down vote

up vote
2
down vote

While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.

So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.

On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

3,9281632

While WAF is primarily used to protect active websites, forms, APIs, etc there is sometimes need to use WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another usecase may be if some of your static content is not entirely public (e.g. relying on complex random filenames - not that this offers a great security) and you want to limit brute-forcing access attempts - that's where WAF may help too.

So the answer to your question is: Yes, sometimes WAF maybe used for static content. However these are quite a specific use cases and whether or not it's relevant to your site I can't tell.

On the other hand even if you start without WAF and later on you find out that something unexpected happens to your static content that may be solved with WAF you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)

share|improve this answer

answered 2 hours ago

MLu

3,9281632

share|improve this answer

share|improve this answer

answered 2 hours ago

MLu

3,9281632

answered 2 hours ago

MLu

3,9281632

answered 2 hours ago

MLu

3,9281632

3,9281632

• 
  
  
  

  
  

  
  
  
  
  
  

  
  suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
  – Master
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
  – MLu
  1 hour ago
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
  – Master
  1 hour ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  @Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
  – MLu
  1 hour ago
  

  
  
  
  

suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
– Master
1 hour ago

suppose if somebot is hitting the landing page 100 of times , and that page inturn calls api 100 times , will WAF still block him as 100 requests to API came from his IP?
– Master
1 hour ago

@Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
– MLu
1 hour ago

@Master The page doesn’t call the API, the browser that loads it does. If some bot loads your static index.html 100x it doesn’t mean it will make 100 API requests. Quite likely it won’t. And even if it did the API WAF should protect you. This doesn't have much to do with the static contents WAF.
– MLu
1 hour ago

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f938605%2fis-there-need-for-waf-in-static-website-front-with-rest-api%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email