Skip to main content


QuantCDN WAF is an optional extra that needs to be enabled for your account. To begin you will need to contact support and request WAF enablement for your organisation.

A WAF's aim is to protect dynamic systems from potentially harmful traffic patterns.

Enabling WAF for your application


When first enabling the WAF it is recommended to set the WAF in report mode. This will allow you to analyze traffic patterns and formulate a ruleset that will not impact your legitimate traffic.

Once your account has WAF enabled you can utilise the rules page to add WAF and configure WAF to a proxy rule.

To add a rule:

  1. Navigate to rules
  2. Create or edit a proxy rule
  3. Scroll down to WAF settings and check the Enable WAF

Quant Proxy Rule configuration

Configuration settings


General settings for the WAF.

WAF ModeBlockThe opeating mode of the WAF
WAF Level1How strict the WAF will be when analyising traffic

Rules and IP overrides

Always skip WAF ruleRemove specific rules from your WAF configuration and is used to tune the WAF for your application
Always allow from IPsAn IP allowlist that will be excluded from WAF analysis
Never allow from IPsA IP blocklist that will always be rejected by the WAF
Never allow from user agentUser agent blocklist
Never allow from refererHTTP referer blocklist

Block dictionaries

A dictionary of well-known bad actors that can be optionally enabled.

Block bad botsEnable the bot blocklist
Block bad referersEnable the referer blocklist
Block bad IPsEnable the IP blocklist


Enable Project Honeypot integration for the WAF

Enable Http:BLEnable project honeypot
Block suspicious IPsBlock IPs that project honeypot determines as suspicious
Block harvester IPsBlock any request that is determined to come from a data harvester
Block spam IPsBlock spam IPs
Block search enginesBlock requests that are marked as coming from search engines

IP rate limiting

To better protect your application, the WAF can be configured to provide rate limits to request IPs. The rate limiting protects against burst IP traffic, the request rate needs to be sustained over a short period to trigger.


When configuring the rate limit ensure to factor in asset requests — if you're average page load includes 200 assets this needs to be included as the rate limit is per proxy hit not per page view.

ModeDisbaledIf the rate limit is applied
RPS threshold10The number of requests that are required to trigger the rate limit
Cooldown period30Number of seconds a client's IP address will be restricted

When the rate limit is reached the WAF will respond with a 429 status code.

Request header rate limiting

ModeDisabledIf the header rate limiting is enabled
Header nameThe name of the header used to group requests and apply the
RPS Threshold5The number of requests per second a client needs to make in the window
Cooldown period30Number of seconds a blocked client will be restricted for

Notification settings

QuantWAF can trigger notifications to a nominated Slack channel when a block or rate limit rule is triggered.

Slack webhookYour applications webhook from Slack
Slack RPM thresholdControl the frequency of notifications to the webhook

Please see the Slack documentation for creating a webhook.