Understanding AWS’s Web Application Firewall for Server Protection

Amazon Web Services' (AWS) Web Application Firewall (WAF) helps protect web applications and APIs against common web exploits that can affect availability, compromise security, or consume excessive resources. AWS WAF gives RebelMouse developers control over how traffic reaches our applications: we can create security rules that block common attack patterns, such as SQL injection or cross-site scripting (XSS), and rules that filter out specific traffic patterns we define. These rules are also updated regularly as new issues emerge.

With AWS WAF, we're making sure that all our sites are covered against some of the most common attacks, as defined by The Open Web Application Security Project (OWASP). The project is an online community that creates freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Possible Common Attacks

Injections: Injection flaws allow attackers to relay malicious code through an application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to back-end databases via SQL (e.g., SQL injection). Whole scripts written in Perl, Python, and other languages can be injected into poorly designed applications and executed. Any time an application uses an interpreter of any type, there is a danger of introducing an injection vulnerability.

For example, if somebody tries to inject JavaScript into your site, the WAF can block the request automatically so the payload is never inserted.

Protection for Cross-Site Scripting: Cross-site scripting flaws occur when web applications include user-provided data in webpages sent to the browser without proper sanitization. If the data isn't properly validated or escaped, an attacker can use these vectors to embed scripts, inline frames (iframes), or other objects into the rendered page. These can in turn be used for a variety of malicious purposes, from stealing user credentials with keyloggers to installing malware on the user's system. The impact is magnified if the user data persists server side in a data store and is then delivered to a large set of other users.

Consider a typical blog that accepts user comments. If comments aren't correctly sanitized, a malicious user can embed a script in a comment, such as:

The code then gets executed anytime a legitimate user loads that blog article.
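The stored-comment scenario above as an added example (not the article's code): a tiny comment store in which a comment saved once reaches every later reader, rendered first the vulnerable way and then with output escaping. The comment text, the `CommentStore` class and the `has_live_script` check are constructed for illustration.

```python
# Added example, not the article's code: a minimal comment store showing why a
# comment persisted once is delivered to every reader, and how escaping the
# same input on output turns the script into inert text.
import html

# Constructed sample input: a comment carrying a script tag.
COMMENT_WITH_SCRIPT = "Great article! <script>console.log('runs for every reader')</script>"


class CommentStore:
    """Persists comments per article, as a blog back end would."""

    def __init__(self) -> None:
        self._comments: dict[str, list[str]] = {}

    def add(self, article_id: str, comment: str) -> None:
        self._comments.setdefault(article_id, []).append(comment)

    def render_vulnerable(self, article_id: str) -> str:
        # User data is concatenated into the HTML unchanged: stored XSS.
        items = "".join(f"<li>{c}</li>" for c in self._comments.get(article_id, []))
        return f"<ul class='comments'>{items}</ul>"

    def render_safe(self, article_id: str) -> str:
        # html.escape rewrites < > & ' " so the browser displays the tag text
        # instead of executing it; the stored payload itself is unchanged.
        items = "".join(
            f"<li>{html.escape(c, quote=True)}</li>"
            for c in self._comments.get(article_id, [])
        )
        return f"<ul class='comments'>{items}</ul>"


def has_live_script(rendered_html: str) -> bool:
    """Demo check: would a browser see an executable <script> element?"""
    return "<script" in rendered_html.lower()
```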

Broken Access Control: This category of application flaw covers the lack of, or improper enforcement of, restrictions on what authenticated users are allowed to do. AWS WAF can filter dangerous HTTP request patterns that indicate path traversal attempts or remote and local file inclusion (RFI/LFI). Specifically, AWS WAF checks whether HTTP request components contain ../ or ://.

This helps us prevent attackers from exploiting flaws that would let a user access a resource, or perform an action, that they are not authorized for.

How AWS WAF Protects Our Servers From Attacks

Insufficient Attack Protection: AWS WAF enforces a level of hygiene for inbound HTTP requests. Size constraint conditions help to build rules that ensure that components of HTTP requests fall within specifically defined ranges. We can use these rules to avoid processing abnormal requests. An example is to limit the size of URIs or query strings to values that make sense to our application.

In our case, we limit the byte length of the URI and QUERY_STRING components.

Using Components With Known Vulnerabilities: AWS WAF filters and blocks HTTP requests aimed at functionality of components that the application does not use. This reduces the attack surface of those components if vulnerabilities are discovered in functionality you're not using.

AWS WAF matches URIs whose filenames end with:

  • .cfg
  • .conf
  • .config
  • .ini
  • .log
  • .bak
  • .backup

The HTTP request component inspected is the URI.

We're also setting up a mechanism to mitigate known vulnerabilities in components that covers the whole lifecycle of those components: we identify and track the dependencies of our application, as well as the dependencies of the underlying components, so that we can monitor the security of these components over time.

Robots.txt Crawl-Delay Directive: Aside from the AWS WAF protection mechanisms, we have also added a directive called crawl-delay to our default robots.txt files.

The crawl-delay directive tells crawlers to slow down so that they do not overload the web server. On our pages, we have it set to 0.1 seconds. This is the default setting for our robots.txt file. Clients can override the crawl-delay directive in our Layout & Design Tool; if you have already made manual changes to your file, we recommend that you check it and add the directive manually. We can also modify the crawl-delay for you.

Overall, this server protection allows us to automatically block repeated requests to our sites, so that we can identify malicious attacks and block them right away. Based on the status code returned, you will be able to tell why the requests were blocked:

  • 429: Too many requests have been made.
  • 406: The status code for OWASP risks.
    • The response message will contain a code that matches a specific type of vulnerability. We use another set of codes to hide our protection logic from public users, but are able to share with you what each one means as needed. The following screenshot shows how this looks:
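The rule categories described above (size constraints on the URI and query string, the ../ and :// match, the configuration and backup filename suffixes, and the repeated-request block) combined into one request filter that returns the 406 and 429 codes listed here, as an added example that is not RebelMouse's or AWS WAF's own code. The byte limits, the request threshold, the `inspect_request` function and the reason labels are assumptions chosen for illustration.

```python
# Added example, not RebelMouse's or AWS WAF's code: a request filter that
# mirrors the rule categories the article describes and answers with the
# status codes it lists (406 for an OWASP-rule match, 429 for too many requests).
# All thresholds and reason labels below are assumed values for illustration.
from collections import defaultdict
from urllib.parse import unquote, urlsplit

MAX_URI_BYTES = 1024           # assumed limit: tune to what the application needs
MAX_QUERY_BYTES = 512          # assumed limit
MAX_REQUESTS_PER_WINDOW = 100  # assumed per-client limit for one time window
BLOCKED_SUFFIXES = (".cfg", ".conf", ".config", ".ini", ".log", ".bak", ".backup")

_request_counts: dict = defaultdict(int)  # client -> requests seen this window


def inspect_request(client: str, raw_url: str) -> tuple:
    """Return (status, reason); (200, "ok") means the request may proceed."""
    _request_counts[client] += 1
    if _request_counts[client] > MAX_REQUESTS_PER_WINDOW:
        return 429, "rate-limit"

    parts = urlsplit(raw_url)
    # Decode once so percent-encoded forms such as %2e%2e%2f are compared decoded.
    path = unquote(parts.path)
    query = unquote(parts.query)

    # Size constraint conditions: reject abnormal request components outright.
    if len(path.encode()) > MAX_URI_BYTES:
        return 406, "uri-size"
    if len(query.encode()) > MAX_QUERY_BYTES:
        return 406, "query-size"
    # Path traversal and remote/local file inclusion indicators named in the article.
    for component in (path, query):
        if "../" in component or "://" in component:
            return 406, "traversal-or-inclusion"
    # Requests for configuration, log and backup files the application never serves.
    if path.lower().endswith(BLOCKED_SUFFIXES):
        return 406, "sensitive-file"
    return 200, "ok"


def reset_window() -> None:
    """Clear the counters at the start of each window (a timer would call this)."""
    _request_counts.clear()
```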

If you have any questions, please reach out to your account manager or email us at, and we'll help you solve your particular use case.