Overview - Protecting AEM websites

Last update: July 16, 2025
  • Applies to:
  • Experience Manager as a Cloud Service

CREATED FOR:

  • Intermediate
  • Admin
  • Developer

Learn how to protect your AEM websites from Denial of Service (DoS), Distributed Denial of Service (DDoS), malicious traffic and sophisticated attacks using traffic filter rules, including its subcategory of Web Application Firewall (WAF) rules in AEM as a Cloud Service.

You also learn about the differences between standard traffic filter and WAF traffic filter rules, when to use them, and how to get started with Adobe-recommended rules.

IMPORTANT
WAF traffic filter rules require an additional WAF-DDoS Protection or Enhanced Security license. Standard traffic filter rules are available to Sites and Forms customers by default.

Introduction to traffic security in AEM as a Cloud Service

AEM as a Cloud Service leverages an integrated CDN layer to protect and optimize the delivery of your website. One of the most critical components of the CDN layer is the ability to define and enforce traffic rules. These rules act as a protective shield to help secure your site from abuse, misuse, and attacks—without sacrificing performance.

Traffic security is essential to maintain uptime, protect sensitive data, and ensure a seamless experience for legitimate users. AEM provides two categories of security rules:

  • Standard traffic filter rules
  • Web Application Firewall (WAF) traffic filter rules

The rule sets help customers prevent common and sophisticated web threats, reduce noise from malicious or misbehaving clients, and improve observability through request logging, blocking and pattern detection.

Difference between standard and WAF traffic filter rules

FeatureStandard Traffic Filter RulesWAF Traffic Filter Rules
PurposePrevent abuse such as DoS, DDoS, scraping, or bot activityDetect and react to sophisticated attack patterns (for example, OWASP Top 10), which also protects from bots
ExamplesRate limiting, geo-blocking, user-agent filteringSQL injection, XSS, known attack IPs
FlexibilityHighly configurable via YAMLHighly configurable via YAML, with predefined WAF flags
Recommended ModeStart with log mode, then move to block modeStart with block mode for ATTACK-FROM-BAD-IP WAF Flag and log mode for ATTACK WAF Flag, then move to block mode for both
DeploymentDefined in YAML and deployed via Cloud Manager Config PipelineDefined in YAML with wafFlags and deployed via Cloud Manager Config Pipeline
LicensingIncluded with Sites and Forms licensesRequires WAF-DDoS Protection or Enhanced Security license

The standard traffic filter rules are useful for enforcing business-specific policies, such as rate limits or blocking specific regions, as well as blocking traffic based on request properties and headers such as IP address, path or user agent.
The WAF traffic filter rules, on the other hand, provide comprehensive proactive protection for known web exploits and attack vectors, and have advanced intelligence to limit false positives (i.e., blocking legitimate traffic).
To define both types of rules, you use the YAML syntax, see Traffic Filter Rules Syntax for more details.

When and why to use them

Use standard traffic filter rules when:

  • You want to apply organization-specific limits, like IP rate throttling.
  • You are aware of specific patterns (for example, malicious IP addresses, regions, headers) that needs filtering.

Use WAF traffic filter rules when:

  • You want comprehensive, proactive protection from widespread known attack patterns (for example, injection, protocol abuse), as well as known malicious IPs, collected from expert datasources.
  • You want to deny malicious requests while limiting the chance of blocking legitimate traffic.
  • You want to limit the amount of effort to defend against common and sophisticated threats, by applying simple configuration rules.

Together, these rules provide a defense-in-depth strategy that allows AEM as a Cloud Service customers to take both proactive and reactive measures in securing their digital properties.

Adobe provides recommended rules for standard traffic filter and WAF traffic filter rules to help you quickly secure your AEM sites.

  • Standard traffic filter rules (available by default): Address common abuse scenarios such as DoS, DDoS and bot attacks against CDN edge, origin, or traffic from sanctioned countries.
    Examples include:

    • Rate limiting IPs that make more than 500 requests/second at the CDN edge
    • Rate limiting IPs that make more than 100 requests/second at the origin
    • Blocking traffic from countries listed by the Office of Foreign Assets Control (OFAC)

  • WAF traffic filter rules (requires add-on license): Provides additional protection against sophisticated threats, including OWASP Top Ten threats like SQL injection, cross-site scripting (XSS), and other web application attacks.
    Examples include:

    • Blocking requests from known bad IP addresses
    • Logging or blocking suspicious requests that are flagged as attacks
TIP
Start by applying the Adobe-recommended rules to benefit from Adobe’s security expertise and ongoing updates. If your business has specific risks or edge cases, or notices any false positives (blocking of legitimate traffic), you can define custom rules or extend the default set to meet your needs.