GH GambleHub

Web Application Firewall and protection against attacks

Brief Summary

WAF/WAAP filters and controls HTTP (S )/WebSocket traffic at the application level: blocks exploitation of vulnerabilities (OWASP Top 10), attempts to bypass authentication, scanning, automated bot traffic and L7 DDoS. The modern stack is complemented by an anti-bot engine, API protection, rate limiting, virtual patches, as well as tight integration with CI/CD so that the rules roll out as safely as the code.

Roles and place in architecture

Edge/CDN WAF (cloud): low latency, global reputation/Managed Rules, L7 DDoS.
Self-hosted WAF (on-prem/K8s): deep integration with internal networks, fine tuning.
WAAP approach: WAF + API-Gateway functions (schema-validation, authZ), anti-bot, L7 DoS, mTLS.
Inclusion schemes: Reverse-proxy before the application; Ingress controller in K8s; Service Mesh filters; sidecar.

Protection model

Negative security (signatures/CRS): fast coverage of known techniques (SQLi/XSS/SSRF/RCE).
Positive security (allow-list): allow only "valid" requests (methods/paths/schemas/content types).
Virtual Patching: online blocking of the exploit to the code fix.
Context: different policies for static content, API, admins, downloads, webhooks.

Typical threats and measures

OWASP Top 10: SQLi, XSS, IDOR/BOLA, SSRF, template injections, deserialization, misconfigs.
L7 DDoS: slow requests/headers, burst for hot endpoints → protection: rate-limits, challenge, auto-block.
Bots/scrapers: behavior, frequency, "inhuman" patterns, device fingerprinting, dynamic tokens.
Credential Stuffing/ATO: interception/enumeration of logins → anomaly by IP/ASN, velocity rules, additional factors.
Downloads: type/size/multiscan antivirus, "image-only" in media zones.
API/GraphQL: schema-validation, 'maxDepth '/' maxCost', prohibition of unpunished wildcards, control of methods and headers.

Policies and Rule Designers

Basic skeleton for any application:

1. Transport: TLS 1. 2+/1. 3, HSTS, mTLS on sensitive backends.

2. Methods: allow-list ('GET, POST, PUT, DELETE, PATCH, OPTIONS') is unique per resource.

3. Paths: strict masks/regexps; admin/billing - to a separate prefix/domain.

4. Headers: white lists, prohibition of dangerous ('X-Original-URL', non-standard) unnecessarily.

5. Bodies: JSON-only/Multipart-only along the route; limits' Content-Length ', block of binaries for "login/search."

6. Rate limits: per-IP/ASN/key/organization; separate limits on "expensive" requests.

7. Anti-bot: behavioral scoring, "non-irritating" challenges, gluing identities (cookie tokens, FP JA3/TLS).

8. CRS/Managed Rules: enabled, tuning under FP.

9. Wirth patches: fast blocking of known parameters/attack patterns.

10. Logs/metrics: uniform format, correlation with 'trace _ id', FP/TP reports.

Tuning practice: how to reduce false positives

Run new rules in Detect-only/Count-mode (shadow) with traffic sampling.
Create exceptions by context ('path =/search', 'param = q' allow special characters).
Divide the zone: "public pages" vs "sensitive operations" (the threshold of aggressiveness is different).
Conveyor: rule → staging → canary (1-5%) → prod; rollback by FP metrics.
Maintain a directory of "false" payload for regression tests.

Integration into DevSecOps

CI: static rules in Git; tests: replay real requests + synthetics from the attack directory.
CD: canary calculations, feature flags; "political" monitoring (rule change = change).
RASP and SAST/DAST: WAF supplements but does not replace code correction.

Observability and SLO

Metrics:
  • p95/99 latency via WAF; proportion of blocked/missed; share Managed Rules vs custom; «attack rate».
  • Anti-bot: share of challenges/change, FP/TP.
  • L7 DDoS: burst-rate, auto-mitigation events.
SLO examples:
  • "Not more than 0. 5% FP on authorized operations/day."
  • «p95 overhead WAF ≤ 10 мс».
  • "Virtual patch TTR ≤ 30 minutes."
  • Alerts: 4xx/5xx spike after rules release; FP growth; drop in captcha passage; degradation of JWKS/mTLS validation.

Sample Configurations

ModSecurity + OWASP CRS (Nginx)

nginx
Enabling ModSecurity modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main. conf;
`/etc/nginx/modsec/main. conf`: 
apache
SecRuleEngine On
Include /usr/local/owasp-modsecurity-crs/crs-setup. conf
Include /usr/local/owasp-modsecurity-crs/rules/.conf

Example of an exception for a search parameter
SecRule REQUEST_URI "@beginsWith /search" "id:900100,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-xss"
SecRule REQUEST_URI "@beginsWith /search" "id:900101,phase:2,pass,ctl:ruleRemoveTargetById=942100; ARGS:q"

AWS WAF (JSON, rate limit + country list block)

json
{
"Name": "prod-web-acl",
"Scope": "CLOUDFRONT",
"DefaultAction": { "Allow": {} },
"Rules": [
{
"Name": "BurstLogin",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP",
"ScopeDownStatement": { "ByteMatchStatement": {
"SearchString": "/login",
"FieldToMatch": { "UriPath": {} },
"TextTransformations": [{ "Priority": 0, "Type": "NONE" }],
"PositionalConstraint": "CONTAINS"
}}
}
},
"Action": { "Block": {} },
"VisibilityConfig": { "MetricName": "BurstLogin", "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true }
}
]
}

Cloudflare (Expression Rules)


(http. request. uri. path contains "/admin" and ip. geoip. country ne "UA")
or (http. request. uri. path eq "/login" and cf. threat_score > 10)
or (http. request. uri. path contains "/api" and not http. request. headers["authorization"][0] contains "Bearer ")

NGINX: Simple Method/Body Rule

nginx location /api/withdraw {
limit_except POST { deny all; }
if ($request_method = POST) {
set $cl $http_content_length;
if ($ cl = "") {return 411;} # length is required if ($ cl> 1048576) {return 413;} # ≤ 1MB add_header X-Idempotency-Required "true";
}
}

GraphQL: policers

'maxDepth = 6 ', 'maxCost = 1000', prohibition of '__ schema' in the sale, allow-list of operations, validation of headers ('Content-Type: application/json').

Anti-bot and man-friendly checks

Invisible challenge (JS challenges without captcha), proof-of-work on "expensive" paths, behavioral analytics (movements/timings).
TLS/JA3 fingerprinting, IP/ASN reputation, proxy/VPN lists (within reasonable limits).
Traps (honeypot fields) on forms, dynamic form/session tokens.
Privacy protection: minimizing tracking, transparent policies, opt-out options.

Focus API

Schema-first: OpenAPI/JSON Schema for validation; prohibition of extra fields.
Auth: mandatory Bearer JWT or mTLS; reject без `Authorization`.
Rate/Quota: per-key/per-org; if exceeded - "soft block "/slowing.
Webhooks: HMAC signature, 'timestamp + nonce', short reception window.
GraphQL: see limiters above; Log the name/label of the operation.

Downloads and Media

Size limit, whitelists MIME/extensions, renaming files;

AV scan (multi-engines), ImageMagick policy (without dangerous decoders);

Thumb service on a separate domain, serve-only-images.

Safety of admins and critical areas

Separate domain/path, mTLS/ban from common ASN/countries, hard rate limits, JIT accesses, IP allow-list.
Additional signals (device posture, risk score) → require a second check.

Operations, Incidents and Virtual Patches

Runbook: quick release of block rules, TTL restriction, command notification.
Rollback criteria: growth 4xx/5xx> threshold, FP> threshold, p95 latency↑.
Post-mortem: add test to regression rule set, commit SIGMA alert to SIEM.

Compliance and privacy

Log minimum: path/method/code/block reason/identifiers; do not store PII/body secrets.
Policy log retention periods; access - by roles; encryption on disk.

Features for iGaming/fintech

Payments/payouts/wallets: per-org quotas, mTLS to PSP, strict allow-lists of paths, HMAC for PSP webhooks.
ATO/bonus abuse: velocity rules for login/registration/promotional codes, behavioral limits and anti-bot.
Content providers/studios: individual domains/policies, IP/ASN allow-list, Time-to-Wallet monitoring/conversions on WAF impact.
Regional requirements: geo-policies (countries/regions), treatment transparency for GDPR.

Implementation Roadmap

1. Inventory of zones (public, API, admin panel, downloads).
2. Base profile: TLS, allow-list methods/paths, Managed Rules/CRS.
3. Rate limits + anti-bot on sensitive pathways.
4. Virtual patches and urgent rules process (SLA ≤ 30 min).
5. CI/CD for rules, staging/canary/shadow-mode.
6. Telemetry, SLO, regression tests of rules.
7. Periodic review of exceptions and "cleaning" of bypasses.

Common mistakes

"Turned on all CRS to maximum" → FP avalanche and team burnout.
Rules without canaries and shadow mode.
No segmentation: one policy for everything.
Ignoring API/GraphQL specifics (schema/limits).
Logs without correlation ('trace _ id') and without quality metrics.

FAQ

WAF replaces secure code?
No, it isn't. This is a mitigation layer and a "virtual patch," but the technical debt in the code must be eliminated.

How to understand that it's time to turn on hard blocks?
When the shadow mode report shows low FP and there are regression tests of the rules.

Do I need a separate WAF for the API?
Better WAAP/integration with API gateway: scheme, limits, authentication, webhook signatures.

Total

Efficient WAF/WAAP is a combination of basic CRS/Managed Rules, positive model, anti-bot, limits and virtual patches, supported by DevSecOps processes, telemetry and clear SLOs. This approach provides a quick response to vulnerabilities, resistance to automated attacks, and a predictable impact on UX and performance.

Contact

Get in Touch

Reach out with any questions or support needs.We are always ready to help!

Start Integration

Email is required. Telegram or WhatsApp — optional.

Your Name optional
Email optional
Subject optional
Message optional
Telegram optional
@
If you include Telegram — we will reply there as well, in addition to Email.
WhatsApp optional
Format: +country code and number (e.g., +380XXXXXXXXX).

By clicking this button, you agree to data processing.