Web Application Firewall
Sean Dearnaley
+1 very important for our use case.
David Shunfenthal
+1 to this. We would like to be able to configure our access for providing more restricted rate limiting. The currently recommended solution for this (from Render) is to set up our own Cloudflare instance ourselves in front of Render to get any more control over the firewall (and things like DNS).
Julian Vergel de Dios
+1 to the merged in post. My current use case isn't even a malicious attack, it's a customer that has a service running somewhere in AWS that is just running continuously pinging our service and they are unresponsive to requests to stop. Ideally this is something handled at either the WAF level or even at the load balancer level. Right now I would have to do this at the application level which is less than ideal.
Sven Schwyn
At the very least, please add a setting to web workers which enables the "I'm under attack" mode of Cloudflare. And please define an environment variable such as ATTACK_MODE which is set in that case... in order to allow developers to conditionally enable more countermeasures on the app level (think: rack-throttle etc). Thanks a lot for considering this!
Anurag Goel
Merged in a post:
Web Application Firewall capability
Mica Cardillo
This could come in the form of a tutorial, addons, natively baked into Render, and/or best practices on how to approach this problem with services deployed on Render.
To adequately protect and defend our users' data against a variety of attacks and minimize the surface area of a potential intrusion, we need the ability to implement mitigation measures, proactively and in real time.
For example, maybe there is a /admin path which does not need to be accessed by traffic outside of a specific set of IP addresses. In many cases, phishing attacks can, or should be, detected and blocked before they reach service endpoints.
Another example would be if a phishing attack was coming from a specific country or IP address. We might want the ability to block those requests before they reach our services.
Another example would be a distributed-style attack from a network of IoT devices attempting to brute force a password for a particular user. We would have to be able to look at the characteristics of the attack and adapt as the characteristics of the attack change.
This is why we use tools like Cloudflare, CloudFront, Nginx with a WAF plugin, or AWS WAF. In the age where all sites are expected to protect user privacy and secure user data, these kinds of tools need to be easy to layer in front of our services.
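
An added example, not part of the thread and not Render's or any commenter's code: the application-level fallback the comments describe, as a Rack-compatible middleware that restricts /admin to an IP allow-list and throttles per client only while an attack-mode switch is on. The class name EdgeGuard, its parameters and the ATTACK_MODE variable (the one proposed above, not something the platform sets) are assumptions.

```ruby
require "ipaddr"

# Rack-compatible middleware (plain call(env) interface, no gem required).
# Hypothetical: ATTACK_MODE is the variable proposed in the thread.
# Counters live in this process only; several instances need a shared store.
class EdgeGuard
  def initialize(app, admin_cidrs:, limit: 60, window: 60,
                 attack_mode: ENV.key?("ATTACK_MODE"), clock: -> { Time.now.to_i })
    @app, @limit, @window = app, limit, window
    @admin_nets = admin_cidrs.map { |cidr| IPAddr.new(cidr) }
    @attack_mode, @clock = attack_mode, clock
    @hits = {} # client ip => [window_start, request_count]
  end

  def call(env)
    ip = client_ip(env)
    return deny(403, "forbidden") if ip.nil? # unknown client: fail closed
    if admin_path?(env["PATH_INFO"].to_s) && @admin_nets.none? { |net| net.include?(ip) }
      return deny(403, "forbidden")
    end
    return deny(429, "too many requests") if @attack_mode && over_limit?(ip.to_s)
    @app.call(env)
  end

  private

  # Assumption: REMOTE_ADDR is the real client. Behind a proxy, use the
  # address the proxy reports, and only if that proxy is trusted.
  def client_ip(env)
    IPAddr.new(env["REMOTE_ADDR"])
  rescue StandardError
    nil
  end

  def admin_path?(path)
    path == "/admin" || path.start_with?("/admin/")
  end

  # Fixed-window counter: at most @limit requests per @window seconds per key.
  def over_limit?(key)
    now = @clock.call
    start, count = @hits.fetch(key, [now, 0])
    start, count = now, 0 if now - start >= @window
    @hits[key] = [start, count + 1]
    count + 1 > @limit
  end

  def deny(status, message)
    [status, { "content-type" => "text/plain" }, [message]]
  end
end
```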