[Requires a license]{class="badge positive"}

Protecting AEM websites using WAF rules

Learn how to protect AEM websites from sophisticated threats including DoS, DDoS, and bot abuse using Adobe-recommended Web Application Firewall (WAF) rules in AEM as a Cloud Service.

The sophisticated attacks are characterized by high request rates, complex patterns, and the use of advanced techniques to bypass traditional security measures.

IMPORTANT
WAF traffic filter rules require an additional WAF-DDoS Protection or Enhanced Security license. Standard traffic filter rules are available to Sites and Forms customers by default.
Transcript

Looking to protect your AEM website from more sophisticated threats? In this tutorial, you’ll learn how to use Adobe’s recommended web application firewall, or WAF, traffic filter rules in AEM as a cloud service to defend against advanced attacks like DDoS, complex bots, and attempts to bypass traditional security measures.

WAF traffic filter rules are designed to catch high-risk traffic patterns and block requests that use advanced techniques, such as protocol or payload-based attacks.

Adobe’s recommended WAF traffic filter rules leverage global threat intelligence to identify and stop attacks from known malicious IPs, as well as suspicious activity from any source. To get started, add the recommended WAF traffic filter rules to your project’s cdn.yml file in the config folder. For example, you can block requests that are flagged as attacks from known bad IP addresses.

Also log and alert on other suspicious requests.

This approach helps you minimize false positives while still providing robust protection.

Once your rules are pushed to Git repository, deploy them using your config pipeline. This activates the rules in your AEM environment.

Testing your WAF traffic filter rules is important. You can use tools like Nikto to simulate attacks, such as SQL injection attempts, and verify that your rules are detecting and blocking these threats. Review alerts in the AEM Action Center and use the AMCS CDN logs and Yelqay dashboards to analyze flagged requests, top attack types, and overall WAF activity.

As you monitor your site, pay attention to the types of attacks being detected and adjust your WAF traffic filter rules as needed.

You can fine-tune which WAF flags are used, and once you’re confident in your settings, move from logging to blocking for even stronger protection.

In summary, WAF traffic filter rules add an essential layer of defense for your AEM website, helping you stay ahead of sophisticated threats.

Learning objectives

  • Review the Adobe-recommended WAF rules.
  • Define, deploy, test, and analyze the results of the rules.
  • Understand when and how to refine the rules based on the results.
  • Learn how to use the AEM Actions Center to review alerts generated by the rules.

Implementation overview

The implementation steps include:

  • Adding the WAF rules to the AEM WKND project’s /config/cdn.yaml file.
  • Committing and pushing the changes to the Cloud Manager Git repository.
  • Deploying the changes to the AEM environment using the Cloud Manager config pipeline.
  • Testing the rules by simulating a DDoS attack using Nikto.
  • Analyzing the results using the AEMCS CDN logs and the ELK dashboard tool.

Prerequisites

Before proceeding, ensure you’ve completed the required setup as described in the How to set up traffic filter and WAF rules tutorial. Also, you have cloned and deployed the AEM WKND Sites Project to your AEM environment.

Review and define rules

Adobe-recommended Web Application Firewall (WAF) rules are essential for protecting AEM websites from sophisticated threats, including DoS, DDoS, and bot abuse. The sophisticated attacks are often characterized by high request rates, complex patterns, and the use of advanced techniques (protocol-based or payload-based attacks) to bypass traditional security measures.

Let’s review three recommended WAF rules that should be added to the cdn.yaml file in the AEM WKND project:

1. Block attacks from known malicious IPs

This rule blocks requests that both look suspicious and originate from IP addresses that are flagged as malicious. Because both of these criteria are met, we can be confident that the risk of false positives (blocking legitimate traffic) is very low. The known bad IPs are identified based on threat intelligence feeds and other sources.

The ATTACK-FROM-BAD-IP WAF flag is used to identify these requests. It aggregates several of the WAF flags listed here.

kind: "CDN"
version: "1"
metadata:
  envTypes: ["dev", "stage", "prod"]
data:
  trafficFilters:
    rules:
    - name: attacks-from-bad-ips-globally
      when:
        reqProperty: tier
        in: ["author", "publish"]
      action:
        type: block
        wafFlags:
          - ATTACK-FROM-BAD-IP

2. Log (and later block) attacks from any IP globally

This rule logs requests identified as potential attacks, even if the IP addresses aren’t found in threat intelligence feeds.

The ATTACK WAF flag is used to identify these requests. Similar to the ATTACK-FROM-BAD-IP, it aggregates several WAF flags.

These requests are likely malicious, but since the IP addresses are not identified in threat intelligence feeds, it can be prudent to start in log mode rather than block mode. Analyze the logs for false positives, and once validated, make sure to switch the rule to block mode.

...
    - name: attacks-from-any-ips-globally
      when:
        reqProperty: tier
        in: ["author", "publish"]
      action:
        type: log
        alert: true
        wafFlags:
          - ATTACK

Alternatively, you may choose to use block mode immediately, if your business requirements are such that you do not want to take any chance of allowing malicous traffic.

These recommended WAF rules provide an additional layer of security against known and emerging threats.

WKND WAF Rules

Prior to the introduction of the ATTACK-FROM-BAD-IP and ATTACK WAF flags (in July 2025), the recommended WAF rules were as follows. They contained a list of specific WAF flags to block requests that matched certain criteria, such as SANS, TORNODE, NOUA, etc.

...
data:
  trafficFilters:
    rules:
    ...
    # Enable WAF protections (only works if WAF is enabled for your environment)
      - name: block-waf-flags
        when:
          reqProperty: tier
          matches: "author|publish"
        action:
          type: block
          wafFlags:
            - SANS
            - TORNODE
            - NOUA
            - SCANNER
            - USERAGENT
            - PRIVATEFILE
            - ABNORMALPATH
            - TRAVERSAL
            - NULLBYTE
            - BACKDOOR
            - LOG4J-JNDI
            - SQLI
            - XSS
            - CODEINJECTION
            - CMDEXE
            - NO-CONTENT-TYPE
            - UTF8
...

The above rule is still valid, but it is recommended to migrate to the new rules that use the ATTACK-FROM-BAD-IP and ATTACK WAF flags provided you have not already customized the wafFlags to suit your business requirements.

You may migrate to the new rules to be consistent with the best practices by following these steps:

  • Review the existing WAF rules in your cdn.yaml file, which may look similar to the example above. Confirm there is no customization of the wafFlags that is specific to your business requirements.

  • Replace your existing WAF rules with the new Adobe-recommended WAF rules that use the ATTACK-FROM-BAD-IP and ATTACK flags. Make sure that all rules are in block mode.

If you had previously customized the wafFlags, you may still migrate to these new rules, but do so carefully, ensuring that any customizations are brought forward into the revised rules.

The migration should help you simplify your WAF rules while still providing robust protection against sophisticated threats. The new rules are designed to be more effective and easier to manage.

Deploy rules

To deploy the above rules, follow these steps:

  • Commit and push the changes to the Cloud Manager Git repository.

  • Deploy the changes to the AEM environment using the Cloud Manager config pipeline created earlier.

    Cloud Manager Config Pipeline

Test rules

To verify the effectiveness of the WAF rules, simulate an attack using Nikto, a web server scanner that detects vulnerabilities and misconfigurations. The following command triggers SQL injection attacks against the AEM WKND website, which is protected by the WAF rules.

$./nikto.pl -useragent "AttackSimulationAgent (Demo/1.0)" -D V -Tuning 9 -ssl -h https://publish-pXXXX-eYYYY.adobeaemcloud.com/us/en.html

Nikto Attack Simulation

To learn about attack simulation, review the Nikto - Scan Tuning documentation, which tells you how to specify the type of test attacks to include or exclude.

Review alerts

Alerts are generated when the traffic filter rules are triggered. You can review these alerts in the AEM Actions Center.

WKND AEM Actions Center

Analyze results

To analyze the results of the traffic filter rules, you can use the AEMCS CDN logs and the ELK dashboard tool. Follow the instructions from the CDN logs ingestion set-up section to ingest the CDN logs into the ELK stack.

In the following screenshot, you can see the AEM Dev environment’s CDN logs ingested into the ELK stack.

WKND CDN Logs ELK

Inside the ELK application the WAF Dashboard should show the
Flagged requests and corresponding values in client IP (cli_ip), host, url, action (waf_action), and rule-name (waf_match) columns.

WKND WAF Dashboard ELK

Also, the WAF Flags distribution and Top attacks panels show additional details.

WKND WAF Dashboard ELK

WKND WAF Dashboard ELK

WKND WAF Dashboard ELK

Splunk integration

Customers who have Splunk Log forwarding enabled can create new dashboards to analyze the traffic patterns.

To create dashboards in Splunk, follow Splunk dashboards for AEMCS CDN Log Analysis steps.

When and how to refine rules

Your goal is to avoid blocking legitimate traffic while still protecting your AEM websites from sophisticated threats. The recommended WAF rules are designed to be a starting point for your security strategy.

To refine the rules, consider the following steps:

  • Monitor traffic patterns: Use the CDN logs and ELK dashboard to monitor traffic patterns and identify any anomalies or spikes in traffic. Pay attention to the WAF flags distribution and Top attacks panels in the ELK dashboard to understand the types of attacks being detected.
  • Adjust wafFlags: If ATTACK flags are being triggered too frequently or
    you need to fine tune the attack vector, you can create custom rules with specific WAF flags. See a complete list of WAF flags in the documentation. Consider first trying out new custom rules in log mode.
  • Move to blocking rules: Once you have validated the traffic patterns and adjusted the WAF flags, you can consider moving to blocking rules.

Summary

In this tutorial, you learned how to protect AEM websites from sophisticated threats including DoS, DDoS, and bot abuse using Adobe-recommended Web Application Firewall (WAF) rules.

Use cases - beyond standard rules

For more advanced scenarios, you can explore the following use cases that demonstrate how to implement custom traffic filter rules based on specific business requirements:

Monitoring sensitive requests

Monitoring sensitive requests

Learn how to monitoring sensitive requests by logging them using traffic filter rules in AEM as a Cloud Service.

Learn more

Restricting access

Restricting access

Learn how to restrict access by blocking specific requests using traffic filter rules in AEM as a Cloud Service.

Learn more

Normalizing requests

Normalizing requests

Learn how to normalize requests by transforming them using traffic filter rules in AEM as a Cloud Service.

Learn more

Additional resources

recommendation-more-help
4859a77c-7971-4ac9-8f5c-4260823c6f69