Web Application Firewall (WAF)
Synapse WAF provides comprehensive protection for your web applications and APIs against a wide range of attacks and security threats.
Overview
Our WAF solution offers:
- Real-time protection against OWASP Top 10 threats
- API security with specialized protection
- Custom rule creation for specific needs
- Performance optimization with minimal latency
- Cloud-native deployment across multiple platforms
Core Protection Features
OWASP Top 10 Protection
Comprehensive protection against the most critical web application security risks:
- Injection - SQL, NoSQL, OS command injection
- Broken Authentication - Session management flaws
- Sensitive Data Exposure - Data leakage prevention
- XML External Entities (XXE) - XML processing attacks
- Broken Access Control - Authorization bypasses
- Security Misconfiguration - Configuration vulnerabilities
- Cross-Site Scripting (XSS) - Client-side attacks
- Insecure Deserialization - Object injection attacks
- Known Vulnerabilities - Component security issues
- Insufficient Logging - Security event visibility
Rule expressions
Synapse WAF evaluates rules using a Wirefilter-compatible expression language (Cloudflare Ruleset Engine style). Expressions run against each request and may trigger an action when matched.
- Syntax: Boolean expressions with fields, literals, operators, grouping:
(),and,or,not,==,!=,<,<=,>,>=,in,contains,matches,starts_with(),ends_with(), etc. - Evaluation: First matching rule short-circuits. Invalid expressions are skipped and logged.
- Source: Rules are stored in the database per organization; expired rules are ignored.
Operators and grouping
| Operator | Description |
|---|---|
and | Logical AND; both operands must evaluate to true. |
or | Logical OR; at least one operand must evaluate to true. |
not | Logical negation; inverts the boolean value of the operand. |
() | Groups expressions to control precedence. |
== | Equality comparison between operands of the same type. |
!= | Inequality comparison between operands of the same type. |
<, <=, >, >= | Relational comparison for numeric or lexicographic types. |
in | Membership test against a set or range. |
contains | True if left string contains the right substring. |
matches | True if left string matches the right regular expression. |
Precedence: not > and > or (use parentheses to make precedence explicit).
Supported fields
These fields are provided to expressions per request.
| Field | Type | Description |
|---|---|---|
http.request.method | Bytes | HTTP method (GET, POST, etc.). |
http.request.scheme | Bytes | URL scheme (http, https). |
http.request.host | Bytes | Request host (authority). |
http.request.port | Int | Destination port. |
http.request.path | Bytes | Path component only (no query). |
http.request.uri | Bytes | Full URI including path and query. |
http.request.query | Bytes | Raw query string. |
http.request.user_agent | Bytes | User-Agent header value. |
http.request.content_type | Bytes | Content-Type header value. |
http.request.content_length | Int | Content length in bytes. |
http.request.body | Bytes | Request body (as text/bytes). |
http.request.body_sha256 | Bytes | Hex-encoded SHA-256 of body. |
http.request.headers | Map(Array(Bytes)) | Map of all headers (header name → array of values). |
ip.src | Ip | Source client IP address. |
ip.src.country | Bytes | ISO country code from threat intelligence. |
ip.src.asn | Int | Autonomous System Number. |
ip.src.asn_org | Bytes | ASN organization name. |
ip.src.asn_country | Bytes | ASN country code. |
threat.score | Int | Threat intelligence score (0-100). |
threat.advice | Bytes | Threat intelligence advice (allow, block, challenge). |
Supported functions
The following functions are recognized and can be used in expressions. Only these are currently allowed; unsupported functions cause validation failure.
| Function | Signature | Returns | Description |
|---|---|---|---|
all | all(array, predicate) | bool | True if all elements satisfy the predicate. |
any | any(array, predicate) | bool | True if any element satisfies the predicate. |
cidr | cidr(ip, cidr) | bool | Checks if an IP is within the CIDR range. |
concat | concat(array) | string | Concatenates array elements into a single string. |
decode_base64 | decode_base64(bytes) | bytes | Decodes a base64-encoded string. |
ends_with | ends_with(bytes, suffix) | bool | Checks if a string ends with suffix. |
json_lookup_integer | json_lookup_integer(json_bytes, json_path) | int | Extracts integer via JSON path. |
json_lookup_string | json_lookup_string(json_bytes, json_path) | bytes | Extracts string via JSON path. |
len | len(array) | int | Number of elements in array. |
lower | lower(bytes) | bytes | Converts string to lowercase. |
remove_bytes | remove_bytes(bytes, remove) | bytes | Removes occurrences of remove from input. |
remove_query_args | remove_query_args(url, args) | bytes | Removes query parameters from URL. |
starts_with | starts_with(bytes, prefix) | bool | Checks if a string starts with prefix. |
substring | substring(bytes, start, length) | bytes | Extracts substring. |
to_string | to_string(any) | bytes | Converts value to string representation. |
upper | upper(bytes) | bytes | Converts string to uppercase. |
url_decode | url_decode(bytes) | bytes | URL-decodes a string. |
uuid4 | uuid4(seed_bytes) | bytes | Generates UUIDv4 with optional seed. |
wildcard_replace | wildcard_replace(bytes, pattern, replacement) | bytes | Replaces wildcard pattern in string. |
Examples:
# Block requests with high threat scores
threat.score > 80 and threat.advice == "block"
# Block SQL injection attempts in query string
http.request.query contains "union select" or http.request.query contains "1=1"
# Block suspicious user agents
http.request.user_agent contains "scanner" or http.request.user_agent contains "bot"
# Allow only specific countries
ip.src.country not in {"US", "CA", "GB"}
# Check request body hash against known malicious payloads
http.request.body_sha256 == "a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3"
# Block POST requests to sensitive paths
http.request.method == "POST" and http.request.path starts_with "/admin"
Actions and response
Each rule has an action (default: block). When a rule matches:
- Request is marked blocked, and the first match short-circuits further evaluation.
- Response payload includes reason, action, and details about the matched rule.
Successful response (default, when originalEvent is not requested):
{
"success": true,
"reason": "Request blocked due to WAF rule <rule-id>",
"action": "block",
"details": {
"blocked_by_waf": true,
"matched_rule": "<rule-id>",
"matched_rule_action": "block",
"rules_matched": 1,
"rules_processed": 3,
"processed_at": "<rfc3339>"
}
}
Notes:
- Only idempotent HTTP methods (GET, PUT, DELETE, HEAD, OPTIONS, TRACE) are cached for 15s.
originalEvent=truequery returns the full event instead of the summarized response.
Rule Engine
Pre-built Rules
Comprehensive rule sets for common threats:
- SQL Injection - Database attack prevention
- XSS Protection - Cross-site scripting defense
- CSRF Protection - Request forgery prevention
- File Upload Security - Malicious file prevention
- Bot Protection - Automated attack prevention
Performance Optimization
Edge Computing
- Global edge deployment for minimal latency
- Local rule evaluation when possible
- Caching of frequently used rules
- Connection pooling for API calls
Rule Optimization
- Rule ordering for optimal performance
- Conditional evaluation to skip unnecessary checks
- Caching of rule results
- Batch processing for multiple requests
Monitoring and Analytics
Real-time Dashboard
- Attack visualization with geographic mapping
- Threat trends and patterns
- Performance metrics and latency monitoring
- Rule effectiveness analysis
Logging and Alerting
- Detailed attack logs with full context
- Real-time alerts for critical threats
- SIEM integration for security teams
- Custom dashboards for specific needs
Configuration Management
Rule Management
- Version control for rule changes
- A/B testing for rule effectiveness
- Rollback capabilities for quick recovery
- Environment promotion from dev to production
Policy Templates
Pre-built policy templates for common use cases:
- E-commerce - Online store protection
- SaaS Applications - Multi-tenant security
- APIs - API-first application protection
- Content Management - CMS security
Best Practices
Rule Development
- Start with monitoring before blocking
- Test rules thoroughly in staging
- Document rule purposes and business justification
- Regular rule reviews and updates
Performance
- Monitor latency impact of rules
- Optimize rule order for efficiency
- Use caching where appropriate
- Scale resources based on traffic
Security
- Regular threat intelligence updates
- Monitor for new attack vectors
- Keep rules current with latest threats
- Conduct security reviews regularly