How to Configure and Manage Web Application Firewall (WAF) on Umbraco Cloud
Web Application Firewall (WAF) is a critical feature for enhancing the security and performance of your Umbraco Cloud project. This guide provides an overview of WAF functionality, configuration steps, traffic management options, and best practices for search engine indexing.
Overview of WAF on Umbraco Cloud
WAF on Umbraco Cloud helps protect your website from malicious traffic by filtering and blocking harmful requests. It can also help manage bot traffic and reduce the costs associated with unwanted traffic spikes. Enabling WAF does not by itself interfere with Google indexing; if indexing problems appear after it is enabled, they need to be investigated separately.
Configuration and Setup
Enabling WAF and Managed Challenge
To enable WAF on your Umbraco Cloud project, follow the steps outlined in the official documentation. If you also want to enable the managed challenge feature, you will need assistance from Umbraco's 2nd-level support team (if that is your case, type "human").
WAF Sensitivity Settings
Sensitivity Off: Provides no protection as it does not block any requests.
Low Sensitivity: Blocks malicious requests with high confidence, resulting in fewer blocks and minimal false positives.
High Sensitivity: Blocks malicious requests with medium confidence, applying stricter filtering but with a higher chance of false positives.
Choose the sensitivity level that best suits your security needs and apply it to the relevant hostnames.
Traffic Management
Blocking IPs and Managing Traffic
You can configure WAF rules to block specific IP addresses or regions, helping to mitigate unwanted traffic. This can be particularly useful for reducing bot traffic and associated costs. Note that there is no additional cost for enabling WAF and managed challenge. While you can set up WAF rules yourself, direct access to the Cloudflare account for reports and account-level management is not available. For advanced configurations, contact Umbraco support.
Search Engine Indexing
Preventing Indexing of Default Hostname
To prevent search engines from indexing the default Umbraco Cloud hostname while keeping your primary domain indexed, follow these best practices:
robots.txt: Serve a robots.txt file that disallows crawling for the default hostname (e.g., [DEFAULT_UMBRACO_HOST]). For your primary domain (e.g., www.example.com), serve a robots.txt file that permits crawling. This can be implemented dynamically based on the request host or by serving separate files per hostname.
noindex Directive: Add a noindex directive for pages on the default hostname, either as an HTTP header (X-Robots-Tag: noindex) or as a meta robots tag in your layout, conditional on the request host.
Redirect Rules: Avoid including the Umbraco backoffice (/umbraco) in redirect rules to ensure uninterrupted access to Deploy and backoffice functionalities.
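The robots.txt and noindex steps above can be implemented together in one piece of ASP.NET Core middleware, which is what an Umbraco site runs on. The following is an added example written for this guide, not code from Umbraco's documentation or the Umbraco Cloud platform. It assumes the placeholder hostname [DEFAULT_UMBRACO_HOST] stands for your project's default hostname, that every other host is your primary domain, and that you register the middleware in Program.cs ahead of the Umbraco pipeline so it can answer /robots.txt before Umbraco's routing does. The class and method names (HostIndexingMiddleware, UseHostIndexing, RobotsTxtFor) are this example's own.

```csharp
// Added example (not Umbraco's own code): serve a host-specific robots.txt and
// send "X-Robots-Tag: noindex" only on the default Umbraco Cloud hostname, so
// the primary domain stays indexable while the default hostname does not.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class HostIndexingMiddleware
{
    private readonly RequestDelegate _next;

    // Placeholder: replace with the real default hostname of your project.
    // Hosts are compared case-insensitively, as DNS names are.
    private static readonly HashSet<string> NoIndexHosts =
        new(StringComparer.OrdinalIgnoreCase) { "[DEFAULT_UMBRACO_HOST]" };

    public HostIndexingMiddleware(RequestDelegate next) => _next = next;

    // True for hostnames that search engines should not index.
    public static bool IsNoIndexHost(string host) => NoIndexHosts.Contains(host);

    // robots.txt differs per hostname: disallow all crawling on the default host,
    // permit it on the primary domain. The backoffice path is deliberately not
    // mentioned here; keep it out of redirect and robots rules alike.
    public static string RobotsTxtFor(string host) =>
        IsNoIndexHost(host)
            ? "User-agent: *\nDisallow: /\n"
            : "User-agent: *\nAllow: /\n";

    public async Task InvokeAsync(HttpContext context)
    {
        // Host without the port, e.g. "www.example.com".
        var host = context.Request.Host.Host;

        if (context.Request.Path.Equals("/robots.txt", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.ContentType = "text/plain; charset=utf-8";
            await context.Response.WriteAsync(RobotsTxtFor(host));
            return; // short-circuit: Umbraco never sees the robots.txt request
        }

        if (IsNoIndexHost(host))
        {
            // Set before the response starts so the header reaches the crawler
            // on every page served from the default hostname.
            context.Response.Headers["X-Robots-Tag"] = "noindex";
        }

        await _next(context);
    }
}

public static class HostIndexingMiddlewareExtensions
{
    // Usage in Program.cs, before the Umbraco middleware is added:
    //   app.UseHostIndexing();
    public static IApplicationBuilder UseHostIndexing(this IApplicationBuilder app) =>
        app.UseMiddleware<HostIndexingMiddleware>();
}
```

After deploying, confirm the behaviour from outside the WAF: a request for /robots.txt on the default hostname should return the Disallow rule, the same path on the primary domain should return the Allow rule, and only responses from the default hostname should carry the X-Robots-Tag header. If the responses are cached at the edge, make sure the cache is keyed by host so the default hostname's robots.txt is never served for the primary domain.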
Support and Advanced Configurations
For advanced configurations, such as enabling managed challenges or accessing detailed Cloudflare reports, type "human" to reach our teammates at Umbraco support. While many settings can be managed independently, some features require support intervention.
By following this guide, you can effectively configure and manage WAF on Umbraco Cloud to enhance your website's security, manage traffic, and optimize search engine indexing.
