WAFs, CDNs, rate limiters - the first line of defence. Can't replace app-level security, but they reduce attack surface and buy time.
WAFs
Inspects HTTP against rules. Always detection mode first - blocking legit traffic is worse than missing attacks.
Managed rules: OWASP CRS, bot rules, IP reputation.
Virtual patching: Zero-day drops, can't patch immediately? Deploy WAF rule to block exploit pattern. Remove after real fix.
Limitations: Bypassed by encoding. Can't understand business logic. Seatbelt, not crash avoidance.
Rate limiting
| Endpoint | Limit |
|---|---|
| Login | 10/min per IP |
| Password reset | 3/min per account |
| Registration | 5/min per IP |
At edge (recommended) or in app. Return rate limit headers so clients back off.
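Added example (not from the original notes): a sliding-window limiter implementing the table above, keyed per IP or per account as the table specifies, and returning headers so clients can back off. Header names follow the IETF RateLimit header draft plus the standard `Retry-After`; the paths, IPs and the `clock` parameter are assumptions for illustration.

```python
import math
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    limit: int   # requests allowed per window
    window: int  # window length in seconds
    key: str     # "ip" or "account": which request attribute to bucket on


# Limits from the table above (per minute). Paths are assumed names.
RULES = {
    "/login":          Rule(limit=10, window=60, key="ip"),
    "/password-reset": Rule(limit=3,  window=60, key="account"),
    "/register":       Rule(limit=5,  window=60, key="ip"),
}


class SlidingWindowLimiter:
    """Sliding-log limiter: stores request timestamps per (path, key type, identity)."""

    def __init__(self, rules, clock=time.time):
        self.rules = rules
        self.clock = clock          # injectable for deterministic tests
        self.log = defaultdict(deque)

    def check(self, path, ip, account=None):
        """Return (allowed, headers). Paths without a rule are not limited."""
        rule = self.rules.get(path)
        if rule is None:
            return True, {}
        # Account-keyed rules fall back to IP when no account is known yet.
        ident = account if rule.key == "account" and account is not None else ip
        now = self.clock()
        q = self.log[(path, rule.key, ident)]
        while q and q[0] <= now - rule.window:   # evict timestamps outside the window
            q.popleft()
        allowed = len(q) < rule.limit
        if allowed:
            q.append(now)
        reset = math.ceil(q[0] + rule.window - now) if q else rule.window  # secs until a slot frees
        headers = {
            "RateLimit-Limit": str(rule.limit),
            "RateLimit-Remaining": str(max(rule.limit - len(q), 0)),
            "RateLimit-Reset": str(reset),
        }
        if not allowed:
            headers["Retry-After"] = str(reset)   # edge or app should answer 429 with this
        return allowed, headers
```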
CDN security
DDoS absorption: Distribute across global network.
Origin shielding: Point all DNS records at the CDN. Origin firewall accepts only the CDN's IP ranges. Keep the origin IP private.
TLS: Full (strict) mode, so the CDN-to-origin hop is encrypted and the origin cert is validated. "Flexible" = CDN to origin unencrypted.
Bot management
Detection: JS challenges, CAPTCHA, TLS fingerprinting, behavioural analysis.
Managed solutions (Cloudflare Bot Management, AWS WAF Bot Control) more effective than custom rules.
The takeaway
Deploy WAF in detection, tune, then block. Rate limit auth endpoints at edge. Hide origin behind CDN. Strict TLS. Review and tune regularly.
