Configure the WAF and manage rules
Shield's Web Application Firewall (WAF) inspects incoming requests to your site and blocks, challenges, or logs traffic that matches known attack patterns. This guide covers turning the WAF on, choosing how strictly it runs, tuning the built-in Managed Rules, and creating your own Custom Rules — all from the site dashboard.
Before you start
- A site with Shield included in its plan. If Shield isn't part of your plan, the Shield pages show a "not included in your plan" card instead of the controls below.
- Shield must be activated for the site. If it hasn't been, the WAF page shows a "Shield isn't active for this site" message with an Activate Shield button — activate it first.
- A few controls are limited to the premium Shield tier (called out inline below): Realtime Threat Intelligence and creating Custom Rules.
Open the WAF page
- Open your site, then in the left sidebar choose Shield.
- Select the WAF tab. Shield's sub-navigation runs across the top: Overview, WAF, Bot Detection, Rate Limits, Access Lists, and Security Events.
The WAF page is organized into setting cards (WAF Settings, Rule sensitivity, Protocols) at the top, and a card below them with two tabs: Managed Rules and Custom Rules.
Turn the WAF on and choose a mode
In the WAF Settings card:
- Toggle WAF enabled to switch the firewall on or off for this site.
- Pick an Execution mode. This is a two-option control:
  - Log only — records rule matches without blocking any traffic.
  - Block — actively drops matching requests.
Tip
Start in Log only, watch the Security Events log to see what would be blocked, and switch to Block once you're confident the rules aren't catching legitimate traffic.
- Set the body-limit actions (optional). Request body limit action and Response body limit action each let you choose Block, Log, or Ignore for requests/responses whose body exceeds the inspection limit.
- Choose what to log (optional). Log request headers and Log request body are independent toggles that add that data to matched-request records.
- Exclude specific headers (optional). Under Excluded request headers, type a header name and press Enter or comma (or click Add) to add it as a chip. Listed headers are skipped during WAF inspection.
- Realtime Threat Intelligence (premium). When available, toggle it on to automatically block known malicious IPs and request patterns. On non-premium plans this toggle is disabled and labeled Available on the Premium Shield plan.
- Click Save settings.
Tune rule sensitivity
The Rule sensitivity card controls how aggressively the WAF flags requests. Choose a preset card — Low, Medium, High, or Extreme — or pick Custom to set the Detection level, Blocking level, and Execution level independently (each on a 1–4 scale). Medium is the recommended starting point. Click Save sensitivity when done.
Warning
Higher sensitivity (especially Extreme) increases false positives. Tune in Log only mode before running it in Block mode.
Restrict protocols
The Protocols card lets you select which HTTP versions, methods, and request content types your application accepts. Click the chips to toggle each option; at least one option must stay selected in each group. Click Save protocols to apply.
Tune the Managed Rules
Managed Rules are SuperSpace's curated WAF rule groups. You don't write these — you decide how each one behaves.
- Open the Managed Rules tab in the lower card. The rule groups load and appear as expandable sections; each section shows how many of its rules are active.
- Filter if needed. Use the Filter rules by name… box to narrow the list.
- Set a state per rule. Expand a group and use the per-rule control to choose one of three states:
  - Active — the rule blocks (or challenges) matching requests normally.
  - Log only — the rule records matches but doesn't block.
  - Disabled — the rule is turned off entirely.
- Click Save rule overrides. Changes apply to the whole ruleset in one request.
Tip
If a managed rule is blocking legitimate traffic, set it to Log only rather than Disabled so you keep visibility into what it would catch.
Create a custom rule
Custom Rules let you block, challenge, log, allow, or bypass requests that match conditions you define.
Premium feature
Creating new custom rules requires the premium Shield tier. On a non-premium plan, existing custom rules still list and remain editable/deletable, but the + New custom rule button is replaced with an upgrade link.
- Open the Custom Rules tab in the lower card.
- Click + New custom rule.
- Fill in the rule:
  - Rule name (required) — e.g. Block bad bots.
  - Description (optional) — what the rule protects against.
  - Action — Block, Log, Challenge, Allow, or Bypass. Block drops the request; Challenge presents a browser verification; Log records without blocking; Allow bypasses other WAF rules; Bypass skips all WAF processing.
- Define the Condition:
  - Match on — the request attribute to inspect (e.g. REQUEST_URI, REQUEST_HEADERS, REMOTE_ADDR, QUERY_STRING, REQUEST_BODY).
  - Sub-selector — for REQUEST_HEADERS, the header name (e.g. User-Agent); leave blank for variables that have no sub-selector.
  - Operator — how to compare, such as Contains, Equals (exact), Begins with, Ends with, Regex, Detect SQLi, or Detect XSS.
  - Value — the string to compare against (e.g. bad-bot-agent).
  - Severity — Notice, Warning, or Critical.
- Click Save rule. The rule appears in the Custom Rules table, where you can later Edit or Delete it. Deleting prompts a confirmation.
The same operations are available over the REST API. Create a custom rule with:
curl -X POST \
  -H "Authorization: Bearer $SUPERSPACE_TOKEN" \
  -H "X-Auth-Account: $ACCOUNT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "rule_name": "Block bad bots",
    "rule_configuration": {
      "action_type": 1,
      "variable_type": "REQUEST_HEADERS",
      "variable_subselector": "User-Agent",
      "operator_type": 2,
      "severity_type": 1,
      "value": "bad-bot-agent"
    }
  }' \
  https://control.superspace.nl/api/sites/$SITE_ID/shield/waf_custom_rules
action_type: 1=Block, 2=Log, 3=Challenge, 4=Allow, 5=Bypass.
severity_type: 0=Notice, 1=Warning, 2=Critical.
See Shield API for the full WAF, managed-rule, and custom-rule endpoints.
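As an added example (not SuperSpace's own code), the following Python script builds the same payload as the curl call above from dashboard-level names, validates the choices before anything is sent, and posts it with the standard library. The VARIABLE_TYPES set, the sub-selector check and the function names are assumptions derived from the field descriptions in this guide; operator codes are not documented here, so the integer is passed through unchanged.

```python
import json
import urllib.request

# Enum codes as documented on this page; variable names from the dashboard.
ACTION_TYPES = {"Block": 1, "Log": 2, "Challenge": 3, "Allow": 4, "Bypass": 5}
SEVERITY_TYPES = {"Notice": 0, "Warning": 1, "Critical": 2}
VARIABLE_TYPES = {"REQUEST_URI", "REQUEST_HEADERS", "REMOTE_ADDR",
                  "QUERY_STRING", "REQUEST_BODY"}
API_BASE = "https://control.superspace.nl/api"


def build_custom_rule(rule_name, action, severity, variable_type,
                      operator_type, value, variable_subselector=""):
    """Build the API payload; operator_type stays an integer because this
    page documents action/severity codes but not operator codes."""
    if not rule_name:
        raise ValueError("rule_name is required")
    if action not in ACTION_TYPES:
        raise ValueError(f"unknown action {action!r}")
    if severity not in SEVERITY_TYPES:
        raise ValueError(f"unknown severity {severity!r}")
    if variable_type not in VARIABLE_TYPES:
        raise ValueError(f"unknown variable_type {variable_type!r}")
    # Assumption: only REQUEST_HEADERS takes a sub-selector, and a header
    # rule without a header name would not inspect anything useful.
    if (variable_type == "REQUEST_HEADERS") != bool(variable_subselector):
        raise ValueError("sub-selector is required for REQUEST_HEADERS only")
    return {
        "rule_name": rule_name,
        "rule_configuration": {
            "action_type": ACTION_TYPES[action],
            "variable_type": variable_type,
            "variable_subselector": variable_subselector,
            "operator_type": int(operator_type),
            "severity_type": SEVERITY_TYPES[severity],
            "value": value,
        },
    }


def create_custom_rule(site_id, account_id, token, payload):
    """POST a payload built above to the site's custom-rules endpoint."""
    req = urllib.request.Request(
        f"{API_BASE}/sites/{site_id}/shield/waf_custom_rules",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "X-Auth-Account": account_id,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # network call
        return json.load(resp)
```

Start with action "Log" when you are unsure of a rule's reach, then re-create it as "Block" once the Security Events log confirms it only matches the traffic you intended.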
Next steps
- Watch matches in the Shield events log
- Set up rate limits and access lists
- Review the full Shield API reference