What is the WAF?
Boottify includes a built-in Web Application Firewall (WAF) that inspects every incoming HTTP request and blocks malicious traffic before it reaches your applications. The WAF ships with 34 detection rules spread across the 9 attack categories listed below; the injection, XSS, file-inclusion and RCE categories correspond to classic OWASP attack classes, while the probe, protocol, bot, rate and honeypot categories target scanning and abuse traffic.
Attack Categories
The WAF covers these categories of threats:
- Probe — Scanning and reconnaissance attempts (path traversal, admin probes)
- Injection — SQL injection, command injection, LDAP injection
- XSS (Client) — Cross-site scripting via URL parameters, headers, or form data
- File Inclusion — Local and remote file inclusion attempts
- RCE — Remote code execution via shell commands or code injection
- Protocol — HTTP protocol abuse and malformed requests
- Bot — Automated bot detection and blocking
- Rate — Excessive request rates from a single IP
- Honeypot — Decoy paths that trigger instant bans (e.g., /wp-admin, /phpmyadmin)
Anomaly Scoring
Instead of blocking on every single rule match, the WAF uses an anomaly scoring system. Each rule has a severity level that adds points to the client IP's threat score:
- Critical (100 points) — Instant ban. Used for confirmed attack payloads.
- High (50–60 points) — Severe threats; a single match is enough to reach the ban threshold.
- Medium (35–40 points) — Suspicious activity; two matches cross the threshold.
- Low (10–20 points) — Minor alerts that only matter in combination with other matches.
When an IP's accumulated score reaches 50 points, the IP is banned automatically. Because the threshold is 50, any High or Critical match bans on its own, while Medium and Low matches are only dangerous once they accumulate.
IP Reputation
The WAF maintains an IP reputation database that tracks threat scores over time. This data is cached in Redis with a 7-day TTL and persisted to the database. You can view IP reputation details, threat history, and geographic information in the Admin > Server > Security dashboard.
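The following is an added example, not Boottify's own code, showing how the scoring described above behaves when a stream of rule matches is replayed: points per severity follow the text, the 50-point threshold is the documented one, and the 7-day expiry stands in for the Redis TTL on the reputation entry. The rule IDs, the sample IPs and the assumption that the TTL is refreshed on every write are constructed for illustration.

```python
"""Anomaly-scoring replay. Added example, not Boottify's implementation:
severity points and the 50-point ban threshold come from the documentation;
rule IDs, sample IPs and the sliding-TTL behaviour are assumptions."""
from dataclasses import dataclass, field

BAN_THRESHOLD = 50
SCORE_TTL = 7 * 24 * 3600  # seconds; mirrors the 7-day TTL on reputation data


@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str
    severity: str  # Critical / High / Medium / Low
    points: int


@dataclass
class ThreatScorer:
    threshold: int = BAN_THRESHOLD
    ttl: int = SCORE_TTL
    scores: dict = field(default_factory=dict)  # ip -> (score, last_seen)
    banned: set = field(default_factory=set)

    def record(self, ip: str, rule: Rule, now: float) -> bool:
        """Add rule.points to ip's running score at time `now`.
        Returns True when the IP is (or already was) banned."""
        if ip in self.banned:
            return True
        score, last_seen = self.scores.get(ip, (0, now))
        if now - last_seen > self.ttl:
            # Reputation entry expired (assumed: TTL refreshed on each write),
            # so the IP starts from a clean score.
            score = 0
        score += rule.points
        self.scores[ip] = (score, now)
        if score >= self.threshold:
            self.banned.add(ip)
            return True
        return False

    def score_of(self, ip: str) -> int:
        return self.scores.get(ip, (0, 0))[0]


# Constructed rules: IDs are invented for the example, each carrying one value
# from the severity bands in the text.
RULES = {
    "sqli-union": Rule("sqli-union", "Injection", "Critical", 100),
    "rce-shell": Rule("rce-shell", "RCE", "High", 50),
    "probe-traversal": Rule("probe-traversal", "Probe", "Medium", 35),
    "proto-bad-host": Rule("proto-bad-host", "Protocol", "Low", 10),
}


def replay(events):
    """Run (ip, rule_id, timestamp) matches through a fresh scorer.
    Returns the per-event ban decision list and the scorer for inspection."""
    scorer = ThreatScorer()
    decisions = [scorer.record(ip, RULES[rid], t) for ip, rid, t in events]
    return decisions, scorer


if __name__ == "__main__":
    sample = [  # constructed traffic: (client ip, matched rule, seconds)
        ("198.51.100.7", "proto-bad-host", 0),
        ("198.51.100.7", "probe-traversal", 60),
        ("198.51.100.7", "proto-bad-host", 120),
        ("203.0.113.9", "rce-shell", 0),
    ]
    for (ip, rid, t), banned in zip(sample, replay(sample)[0]):
        print(f"{t:>6}s {ip:<14} {rid:<16} banned={banned}")
```

Replaying the constructed events shows the arithmetic the text implies: a Low hit (10) followed by a Medium hit (35) leaves an IP at 45 and still unbanned, the next Low hit pushes it to 55 and bans it, while one High hit (50) or one Critical hit (100) bans immediately. An IP whose entry has expired starts again from zero.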
Threat Intelligence Feeds
The platform integrates with 11 external threat intelligence feeds to proactively block known malicious IPs:
- Spamhaus EDROP
- IPsum Level 5
- Tor Exit Nodes
- Firehol Level 1
- And 7 more community-maintained blocklists
Viewing WAF Activity
Navigate to Admin > Server > Security to view:
- Real-time attack timeline (last 24 hours)
- Detection rules grouped by category
- IP intelligence details with reputation scores
- Blocked request counts and trends
Honeypot Rules
The WAF includes honeypot rules that monitor decoy paths commonly targeted by automated scanners. Any request to these paths (such as /wp-admin, /phpmyadmin, or /.env) results in an immediate 365-day ban. These paths have no legitimate use on the platform and serve as reliable indicators of malicious intent.
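As an added example (not Boottify's code), the check below matches request paths against the three decoy prefixes named in this page and returns the 365-day ban duration on a hit. The normalisation step is our own assumption about what a robust honeypot matcher needs: scanners request variants such as /wp-admin/install.php, /phpMyAdmin/ or percent-encoded forms, and a matcher that compares the raw string would miss them.

```python
"""Honeypot path matching. Added example, not Boottify's implementation.
The decoy prefixes and the 365-day ban are taken from the documentation;
the normalisation rules are an assumption about sound matching."""
import posixpath
from datetime import timedelta
from urllib.parse import unquote

HONEYPOT_PREFIXES = ("/wp-admin", "/phpmyadmin", "/.env")
HONEYPOT_BAN = timedelta(days=365)


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request-target path before matching: drop the query
    string, percent-decode twice (catches double encoding such as %252E),
    collapse '.' and '..' segments and trailing slashes, and lower-case."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)  # "/a/../.env" -> "/.env", "/x/" -> "/x"
    return path.lower()


def honeypot_hit(raw_path: str):
    """Return the decoy prefix the path falls under, or None.
    A hit is the prefix itself or anything below it ("/wp-admin/..."), so
    "/wp-adminx" or "/.env.example" do not count."""
    path = normalize_path(raw_path)
    for prefix in HONEYPOT_PREFIXES:
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return None


def honeypot_ban(raw_path: str):
    """Ban duration to apply for this request, or None if it is not a decoy hit."""
    return HONEYPOT_BAN if honeypot_hit(raw_path) else None


if __name__ == "__main__":
    # Constructed request paths, as a scanner might send them.
    for p in ("/wp-admin/install.php", "/phpMyAdmin/?lang=en",
              "/static/../.env", "/%57%50-admin/", "/%252Eenv",
              "/.env.example", "/blog/wp-login"):
        print(f"{p:<28} -> {honeypot_hit(p)}")
```

Matching on a normalised path keeps the rule narrow (only the listed prefixes and their subtrees) while still catching case, encoding and traversal variants of the same decoy.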