Feature announcement: We've rolled out the Platform.sh web application firewall to all Enterprise and Elite projects.
There’s a lot of trust involved in releasing a production site. Trust in your engineers, trust in the hosting, trust in the framework you use to build it. You also need to trust in the traffic visitors generate. Because, truth is, there are bad actors out there looking to find and exploit weaknesses to mess with you and your customers. For this reason, a web application firewall (WAF) can be an important line of defense.
A WAF protects your applications from malicious requests and coordinated attacks. Some of these attacks exploit vulnerabilities in the framework you’ve built a site on, and others are a consequence of the HTTP protocol itself.
This week we’ve rolled out a new feature to all Enterprise and Elite customers: the Platform.sh WAF. The WAF monitors incoming requests to your sites. Should a request trigger any of the conditions outlined in our protection ruleset, it is filtered out, stripped of suspicious headers, or otherwise blocked entirely.
Potential vectors that the Platform.sh WAF protects your sites from include:
- HTTP protocol attacks: request smuggling, header injection, and response splitting
- Slowloris denial-of-service attacks
- A number of well-known vulnerabilities in popular frameworks such as Drupal and Magento
You can find a full list of protections implemented by our WAF in our security documentation.
No changes need to be made to your projects to get the Platform.sh WAF; it has already been deployed to all Enterprise and Elite projects, at the layer between the outside world and your application. So release your production site with added trust in the security of your site and user data.