WAF Rules: Protect Your CDN Zone

WAF Rules (Web Application Firewall) let you control who can reach your content and how much traffic they can send. They run at the edge, so abusive or unwanted requests are stopped before they ever touch your origin server, saving you bandwidth and protecting your application.

You manage them from the CubePath dashboard. Open your CDN zone, go to the WAF tab, and add the rules you want. Like Edge Rules, each WAF rule has a priority (lower numbers run first), optional matching conditions, an on/off switch, and an optional expiry date.

Matching conditions

Every WAF rule can target a subset of traffic or all of it. You can match by path, HTTP method, host, headers, query parameters, cookies, country, IP or network range (CIDR), and User Agent. Leave the conditions empty to apply the rule to the whole zone.

Rule types

Block or Allow by IP

Block specific IP addresses or whole network ranges (CIDR), or build an allow list so only the addresses you trust can reach the zone. Use it to ban an abusive source, or to lock a staging zone down to your office network.

Block or Allow by Country

Allow or block visitors based on the country their IP belongs to, using two-letter country codes. Use it to meet regional requirements or to cut traffic from places you do not serve.

Block by User Agent

Block requests whose User Agent matches patterns you define, such as common scraping tools or unwanted bots. Use it to discourage scrapers and badly behaved crawlers.

Rate Limit

Caps how many requests a visitor can make in a time window. You set the number of requests, the period in seconds, and whether the limit counts per IP, per IP and host together, or globally for the whole zone. When a visitor goes over, further requests are rejected until the window resets. Use it to protect login pages, forms, and APIs from brute force and floods.

JavaScript Challenge

Asks the browser to silently solve a small challenge before the content is served. Real browsers pass it without the visitor noticing, while simple bots and scripts fail. Use it on pages that attract automated abuse but should stay open to real people.

Limit Download Speed

Caps the download speed for matching content, measured in kB/s. You can also allow a burst, so the first part of a file downloads at full speed before the limit applies. Use it to keep a few large downloads from saturating your bandwidth.

Limit Requests

Caps the number of requests per second from a single IP, with an optional burst allowance for short spikes. It is a lighter, per-second companion to Rate Limit, good for smoothing out bursty traffic.

Limit Connections

Caps how many simultaneous connections a single IP can keep open. Use it to stop one client from tying up resources with many parallel connections.

Limit Bandwidth

Sets a monthly bandwidth ceiling, in GB, for the matching traffic. Use it to keep a single zone or path from running away with your transfer.

A few good practices

  • Prefer allow lists for private or internal zones, and block lists for fighting specific abuse.
  • Combine a rate limit with a JavaScript challenge on login and signup pages for strong protection against automated attacks.
  • Start rate limits generous and tighten them while watching your analytics, so you do not block real visitors by mistake.
  • Use the expiry date for temporary blocks during an incident, so they clean themselves up afterwards.
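
The Rate Limit rule and the advice to start generous and tighten, as an added example (not CubePath code): a dry run that replays a traffic sample against a candidate limit and reports which client IPs would be rejected. The window alignment (a window opens on a key's first request), the path-prefix match, and the sample requests are assumptions constructed for illustration.

```python
from collections import namedtuple

Request = namedtuple("Request", "ts ip host path")

# Constructed sample traffic: ts is seconds since the start of the capture.
SAMPLE = (
    [Request(t, "203.0.113.50", "app.example.com", "/login")
     for t in (0, 1, 2, 3, 4, 5, 6, 7, 65)]            # scripted login attempts
    + [Request(2, "198.51.100.7", "app.example.com", "/login"),
       Request(3, "198.51.100.7", "app.example.com", "/static/app.js"),
       Request(30, "198.51.100.7", "app.example.com", "/login")]
    + [Request(t, "198.51.100.8", "app.example.com", "/login")
       for t in (5, 6, 7)]                              # a person retrying a password
)

# The three counting scopes the Rate Limit rule offers.
SCOPES = {
    "ip": lambda r: r.ip,
    "ip_host": lambda r: (r.ip, r.host),
    "global": lambda r: "zone",
}

def dry_run(requests, limit, period, scope="ip", path_prefix="/"):
    """Replay requests against a fixed-window limit.

    Returns {client_ip: rejected_request_count}. Assumption: a window opens
    on a key's first request and resets once `period` seconds have passed.
    """
    key_of = SCOPES[scope]
    windows = {}    # key -> [window_start, requests_seen]
    rejected = {}
    for r in sorted(requests, key=lambda r: r.ts):
        if not r.path.startswith(path_prefix):
            continue                      # outside the rule's matching condition
        win = windows.get(key_of(r))
        if win is None or r.ts - win[0] >= period:
            win = windows[key_of(r)] = [r.ts, 0]   # window reset
        win[1] += 1
        if win[1] > limit:
            rejected[r.ip] = rejected.get(r.ip, 0) + 1
    return rejected

if __name__ == "__main__":
    for limit, scope in ((5, "ip"), (2, "ip"), (5, "global")):
        print(limit, scope, dry_run(SAMPLE, limit, 60, scope, "/login"))
```

On this sample, 5 requests per 60 seconds per IP rejects only the scripted client, while 2 per 60 seconds also rejects a person's third password retry. With the global scope, one noisy client fills the window and every other visitor is rejected until it resets.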

Next steps

Open your CDN zone, go to the WAF tab, and add a rate limit on your login or contact form. Then watch the Blocked Requests panel in your zone analytics to see what the edge is stopping for you. To shape caching, redirects, and headers for your content, see the companion guide on Edge Rules.