Security stack — WAF, DDoS, Bot Management, Page Shield, API Shield
What's on by default, what needs tuning, and the layered model that protects sites, APIs, and end users from the most common production threats.
This module is being expanded.
Coming in the next revision:
- The default protections — every proxied zone gets DDoS protection (L3-L7), basic bot scoring, and IP reputation filtering for free. What that gives you out of the box.
- WAF (Web Application Firewall) — managed rule sets, custom rules (Wirefilter syntax), rate limiting rules. Tuning vs over-blocking.
- Bot Management — distinguishes between humans, good bots (search crawlers), and bad bots (scrapers, credential stuffers). Active vs. passive detection.
- Page Shield — script monitoring for client-side supply chain attacks. Catches when an attacker injects malicious JS into a third-party library.
- API Shield — schema validation against your OpenAPI spec, JWT validation, mTLS, sequence-based abuse detection.
- Rate Limiting — per-IP, per-token, per-fingerprint. The tools and the limits.
- Account-level vs zone-level rules — when to apply what.
- Logs and observability — Logpush to S3 / R2 / Datadog / Splunk; what fields are useful.
For the broader AppSec context see the shift-left/shift-right post and the DAST tooling posts on Acunetix and Invicti.
Next: Module 13 — Build a project.