Information Technology Navigator

Tips, Advice & Insights from Technology Pros

4 Crucial Tips for Maintaining a Web Application Firewall for Retail

Posted by Chris Beamon

Thu, Sep 12, 2019



Retailers are under intense competition to deliver personal, seamless and differentiated on-line shopping experiences to ensure customer loyalty and drive growth. And while a retailer’s website must be extremely responsive and meet high user expectations, it must also be highly secure.

A cloud-based web application firewall (WAF) provides e-commerce sites with a level of data protection that eliminates website vulnerabilities, blocking bad actors and harmful traffic without degradation of the site’s performance.

Here are 4 crucial tips for retailers who have implemented a WAF


Most WAFs have the option to enable “good bots” meaning bots that provide data for search engines’ Search Engine Optimization (SEO). You should always enable “good bots” for your WAF and whitelist any web services that require a service to view your website. If there are any odd timeout issues with a service indexing or reviewing of your site, view logs in the WAF to see if it has mis-categorizing this traffic as malicious.

Whitelisting Tip: You may need to whitelist any web developer public IP’s if they start to see issues interacting with the website.

Rate Limiting

Most WAFs provide blocking of scrappers. Scrapping is a technique that can be used to quickly strip your site data. Price scrapping allows competitors to quickly adjust their prices to put their business at an immediate competitive advantage. Scrapping can also extend to content and media files on your site to imitate your exact offerings.

If you find that the native WAF blocking is not able to catch some scrappers, rate limiting is an additional level of recommended protection. A rate limit rule will limit website views to a certain frequency per minute, blocking out bad bots that may be trying to flood your site.

Rate Limiting Tip: You should also set the rate limit rule to go to Captcha to avoid a false positive with a potential consumer.


Caching can be a double-edged sword. It’s very important that you understand and review the options available. There have been times when enabling caching could potentially slow your site down depending upon how options are configured downstream.

Caching Tip: The advice here is to go with best practices suggested by your WAF provider and make sure you test to verify you are getting the expected performance gains. Do not assume that enabling caching will always make your site faster.


Nothing is worse than having a site outage after adding a WAF or a new WAF rule to your environment only to be blindsided as to where the failure lies. It’s best to monitor both the WAF IP and your source website site through different triggers (This could require creating exemptions on your firewall if you are only allowing traffic forwarded from the WAF into your firewall for that site). Once this is configured properly, you should know in seconds if there is an issue with your internal firewall/web server or WAF services.

Monitoring Tip:  It’s a best practice to subscribe to any status updates for your WAF services.


Retail websites continue to provide a very attractive and large attack surface area for bad actors. Having protection from a cloud WAF is a critical component of every retail cybersecurity strategy. Retail sites require significant care and feeding to ensure no loss of competitive advantage. Hopefully these suggestions will help you tune your environment effectively.

If you would like to learn more about how a fine-tuned cloud WAF can be used to protect your online assets, Daymark can help. Please contact us.