WAF Rules for API Protection
Use WAF rules to protect your API. Block bad user agents, datacenter IPs, and known attack patterns.
What this problem means
A Web Application Firewall (WAF) sits in front of your API and blocks or challenges requests based on rules that match request characteristics: user agent, source IP, URI path, country, headers, and body patterns. Bad user agents, suspicious IPs, and known attack patterns can be stopped at the edge before they reach your origin. Keep in mind that most of these signals are under the client's control (a scraper can send any User-Agent it likes), so WAF rules raise the cost of abuse rather than make it impossible.
Why this matters
- Abuse prevention: Block known bad actors before they hit your API.
- Cost control: Fewer abusive requests = lower bills.
- Defense in depth: WAF + rate limiting + auth = multiple layers.
Real-world example
A startup added Cloudflare WAF rules to block known scrapers and datacenter IPs. Combined with rate limiting, abuse dropped by 90%. They didn't need to change application code—just WAF configuration.
How to fix it
1. Bad user agents: Block or challenge curl, wget, python-requests, headless browsers, and known scraper signatures, but scope the rule to sensitive endpoints (exports, search, admin) rather than the whole API. The User-Agent header is set by the client and trivially spoofed, so treat this as a cheap filter for unsophisticated abuse, not as a control you rely on.
2. Datacenter IPs: Block or challenge traffic from AWS, GCP, Azure, and other cloud and hosting ranges if your API is meant for end-user clients only. Put an allowlist for known partner and internal ranges ahead of this rule, since B2B integrations, CI pipelines, and corporate egress also live in those ranges.
3. Rate limiting: Combine with rate limiting rules keyed on the caller (API key or token where possible, source IP otherwise). A WAF rule decides per request and has no notion of volume on its own.
4. Geo-blocking (optional): Block or challenge regions you don't serve. VPNs and proxies make this a coarse filter, not a precise one.
5. Managed rules: Enable AWS WAF managed rule groups or Cloudflare managed rulesets for common attack patterns (SQLi, XSS). Many of these signatures were tuned for HTML form input, so run them in count/log mode first and review hits on JSON request bodies before switching them to block.
Tools and configurations
- Cloudflare WAF: Custom and managed rules.
- AWS WAF: Custom rules, managed rule groups.
- Rule conditions: User agent, IP or IP list, URI path, country, headers, request body patterns.
- Actions: Block, allow (or skip remaining rules), challenge (managed/JS challenge, CAPTCHA), count/log. A challenge can only be solved by a browser, so for script and SDK clients it behaves like a block.
Common mistakes
- Blocking too aggressively (legitimate users run curl for debugging, and partner integrations use SDKs whose default user agent looks like a bot).
- Relying only on WAF (combine with rate limiting and auth; a spoofed user agent or a residential proxy walks straight past user-agent and IP rules).
- Not testing: deploy new rules in count/log mode, then verify that known-good traffic (browsers, partner integrations, your own monitoring) still succeeds before switching to block.
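As an added example (not code from the original page, nor from Cloudflare or AWS), the following Python models the ordered rule set from the steps under "How to fix it" together with the conditions and actions listed under "Tools and configurations", and then runs the "test with legitimate traffic" check from the common mistakes above against a constructed set of requests. All IP ranges (RFC 5737 documentation addresses), paths, user-agent patterns, and the simplified SQLi signature are assumptions for illustration; the evaluation model (priority order, first terminating action wins, count rules only log, challenges solvable only by browsers) mirrors how Cloudflare and AWS WAF evaluate rules but is a simulation, not either product's engine.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Request:
    ip: str
    path: str
    user_agent: str
    body: str = ""
    browser: bool = False  # assumption: only a real browser can solve a managed/JS challenge

# Constructed sample data. The CIDRs are RFC 5737 documentation ranges, not
# real partner or cloud egress ranges; the UA and SQLi patterns are illustrative.
PARTNER_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]     # a B2B integration's egress
DATACENTER_RANGES = [ipaddress.ip_network("198.51.100.0/24"),    # stand-in for a cloud range
                     ipaddress.ip_network("203.0.113.0/24")]     # partners also live in a datacenter
SENSITIVE_PATHS = ("/v1/export", "/v1/admin")
BAD_UA = re.compile(r"(?i)^(curl|wget|python-requests|scrapy)/|headlesschrome|phantomjs")
SQLI_HINT = re.compile(r"(?i)(union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)")

def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

# Ordered rule set: (name, predicate, action). Order matters: the allowlist sits
# above the datacenter rule because the partner range overlaps it, and the
# user-agent block is scoped to sensitive paths so curl on public endpoints keeps
# working. The managed SQLi rule runs in count mode and never blocks on its own.
RULES = [
    ("allow-partners",
     lambda r: in_any(r.ip, PARTNER_ALLOWLIST), "allow"),
    ("block-bad-ua-on-sensitive-paths",
     lambda r: r.path.startswith(SENSITIVE_PATHS) and BAD_UA.search(r.user_agent) is not None, "block"),
    ("challenge-datacenter-ips",
     lambda r: in_any(r.ip, DATACENTER_RANGES), "challenge"),
    ("managed-sqli-count-mode",
     lambda r: SQLI_HINT.search(r.path + "?" + r.body) is not None, "count"),
]

def evaluate(req: Request, rules=RULES):
    """Return (final_action, names_of_matched_rules).

    Rules run in priority order; the first allow/block/challenge terminates.
    A count rule is recorded but never terminates. A challenge served to a
    non-browser client cannot be solved, so it is reported as a block.
    """
    matched = []
    for name, predicate, action in rules:
        if not predicate(req):
            continue
        matched.append(name)
        if action == "count":
            continue
        if action == "challenge" and not req.browser:
            return "block", matched
        return action, matched
    return "allow", matched

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"

# Constructed test plan: (label, request, expected action). Legitimate traffic
# comes first; the rule set is wrong if any of those cases is blocked.
TEST_PLAN = [
    ("browser on public endpoint",
     Request("192.0.2.10", "/v1/items", BROWSER_UA, browser=True), "allow"),
    ("developer debugging with curl on public endpoint",
     Request("192.0.2.11", "/v1/items", "curl/8.4.0"), "allow"),
    ("partner server (allowlisted, but in a datacenter range) on export",
     Request("203.0.113.5", "/v1/export", "python-requests/2.31.0"), "allow"),
    ("JSON body with an apostrophe (managed-rule false-positive check)",
     Request("192.0.2.12", "/v1/items", BROWSER_UA, body='{"name": "O\'Brien"}', browser=True), "allow"),
    ("scraper using curl on export",
     Request("192.0.2.13", "/v1/export", "curl/8.4.0"), "block"),
    ("script from a datacenter range on public endpoint",
     Request("198.51.100.7", "/v1/items", "python-requests/2.31.0"), "block"),
    ("SQLi probe (only counted while the managed rule is in count mode)",
     Request("192.0.2.14", "/v1/items", BROWSER_UA, body="id=1' OR '1'='1", browser=True), "allow"),
]

def run_plan(plan=TEST_PLAN):
    """Return the cases whose outcome differs from the expectation; empty means the rule set passes."""
    failures = []
    for label, req, expected in plan:
        got, matched = evaluate(req)
        if got != expected:
            failures.append((label, expected, got, matched))
    return failures

if __name__ == "__main__":
    for label, req, expected in TEST_PLAN:
        action, matched = evaluate(req)
        print(f"{action:9} {label:68} matched={matched}")
    print("failures:", run_plan())
```

Running it prints one line per case: the partner's python-requests calls are allowed because the allowlist sits above the datacenter rule, a developer's curl on a public path is untouched while the same curl on /v1/export is blocked, the script from the datacenter range is blocked because it cannot solve the challenge, and the SQLi probe is only counted, so the JSON body with an apostrophe is never at risk. `run_plan()` returning an empty list is the regression gate to re-run whenever a rule is added or reordered.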
Quick checklist
- [ ] Add WAF rules for known bad user agents
- [ ] Consider blocking datacenter IPs for public APIs
- [ ] Combine with rate limiting
- [ ] Use managed rules for SQLi, XSS
- [ ] Test with legitimate traffic
Frequently asked questions
- What WAF rules should I use for API protection?
- Start with an allowlist for known partner ranges, then block or challenge known bad user agents (scrapers, headless browsers) on sensitive endpoints. Challenge datacenter IPs if the API is for end users. Add rate limiting keyed on the caller. Enable managed rules for SQLi and XSS in count mode first, then enforce once the false positives on JSON bodies are understood.
- Should I block datacenter IPs for my API?
- It depends. If your API is for end-users only, challenging datacenter IPs removes a lot of automated abuse. If your API is for servers (e.g., B2B integrations, CI pipelines), you'll need to allow them: put an allowlist of known partner ranges ahead of the datacenter rule, or rely on API keys and rate limiting rather than IP reputation for those callers.
- What is the difference between WAF and rate limiting?
- A WAF rule decides per request from its characteristics (user agent, IP, path, payload pattern) and has no memory between requests. Rate limiting counts requests per key (IP, API key, token) over a window and throttles once the cap is exceeded, which catches abuse that looks legitimate request by request. Use both for defense in depth.