Implementing Fastly WAF: Security Best Practices
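## WAF Configuration Fundamentals

### Rule Set Implementation

```vcl
# Custom VCL for WAF integration
sub vcl_recv {
  # Drop any client-supplied copy of the internal marker header before
  # deciding on it, so only this VCL controls its value for every path.
  unset req.http.X-Fastly-WAF-Enabled;

  # Enable WAF for specific paths
  # NOTE(review): this header only marks the request; whether the WAF
  # inspects it depends on how the WAF is attached to the service -- confirm.
  if (req.url.path ~ "^/api/") {
    set req.http.X-Fastly-WAF-Enabled = "true";
  }

  # Custom headers for WAF logging (overwrite, never append, so a
  # client cannot inject its own values)
  set req.http.X-Environment = "production";
  set req.http.X-Application = "api-gateway";
}
```

## Advanced Security Rules

### Custom Rule Configuration

```json
{
  "rule_id": "custom-sqli-protection",
  "severity": "critical",
  "conditions": {
    "operator": "and",
    "conditions": [
      {
        "parameter": "REQUEST_URI",
        "operator": "contains",
        "value": "sql"
      },
      {
        "parameter": "REQUEST_METHOD",
        "operator": "equals",
        "value": "POST"
      }
    ]
  },
  "action": "block"
}
```

This rule blocks every POST whose URI contains the substring `sql`; it inspects neither query values nor the request body, so it is an illustration of the rule syntax rather than SQL-injection coverage. Rely on the managed rule set for injection detection and reserve custom rules for application-specific checks, starting them in `log` mode to measure false positives before switching to `block`.

## Logging and Monitoring

### Real-time Alert Configuration

```json
{
  "name": "waf-alerts",
  "endpoint_type": "https",
  "url": "https://alerts.example.com/webhook",
  "content_type": "application/json",
  "format": {
    "timestamp": "%{strftime({\"%Y-%m-%d %H:%M:%S\"}, time.start)}V",
    "client_ip": "%{req.http.Fastly-Client-IP}V",
    "request_id": "%{req.http.Fastly-Request-ID}V",
    "rule_id": "%{waf.rule_id}V",
    "severity": "%{waf.severity}V",
    "action": "%{waf.action}V",
    "message": "%{waf.message}V"
  }
}
```

The inner quotes of the `strftime` format must be escaped (`\"`) or the document is not valid JSON. The endpoint definition carries no authentication; the receiving webhook should verify the sender (for example a shared secret header or mutual TLS) before trusting the alerts, since the payload is used to drive response actions.

## Production Implementation

```hcl
# Terraform configuration for Fastly WAF
# NOTE(review): confirm the block names below (rule_set, rule, logging)
# against the provider's documented schema for this resource version.
resource "fastly_service_waf_configuration" "production" {
  name = "production-waf"

  rule_set {
    type    = "owasp"
    # NOTE(review): "latest" changes enforcement without a code change;
    # pin a specific version so deploys are reproducible and reviewable.
    version = "latest"
  }

  # Rule IDs refer to the managed rule set's numbering -- see its documentation.
  rule {
    rule_id   = "1010020"
    status    = "log"
    threshold = 10
  }

  rule {
    rule_id   = "1010030"
    status    = "block"
    threshold = 5
  }

  logging {
    name = "waf-logs"
    # In HCL strings "%{" opens a template directive, so the Fastly "%{...}V"
    # placeholders are written as "%%{...}V"; the inner quotes are escaped
    # for the same reason as in the JSON example above.
    format = jsonencode({
      timestamp  = "%%{strftime({\"%Y-%m-%d %H:%M:%S\"}, time.start)}V"
      client_ip  = "%%{req.http.Fastly-Client-IP}V"
      request_id = "%%{req.http.Fastly-Request-ID}V"
      rule_id    = "%%{waf.rule_id}V"
      severity   = "%%{waf.severity}V"
      action     = "%%{waf.action}V"
      message    = "%%{waf.message}V"
    })
  }
}
```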