---
title: Web Application Firewall (WAF)
eleventyNavigation:
  key: WAF
  parent: Customizing
  order: 7
---

A [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) examines every HTTP request to protect web applications against the various attack vectors and to minimize infections. Depending on whether a request is deemed malicious, the WAF may let it through to the application, block it, raise an alert or record it.

![Path of an HTTP request faced with a WAF](images/waf.png)

alwaysdata uses the ModSecurity WAF and all of the [OWASP ModSecurity Core Rule Set](https://coreruleset.org/) (CRS).

## Configure the Web Application Firewall

Use the administration interface from **Web > Sites > Edit the [site] - ⚙️ > WAF**.

![](images/admin-panel_add-site-waf.png)

### Available profiles

|Profile|Description|
|--- |--- |
|None|(by default)|
|Basic|Strict compliance with the HTTP protocol|
||Malicious robot detection|
|Strong|All of the basic profile rules|
||Remote Code Execution (RCE) detection|
||[Cross-Site Scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) type attack detection|
||[SQL injection](https://en.wikipedia.org/wiki/SQL_injection) detection|
|Complete|All of the strong profile rules|
||PHP language related attack detection|
||Local File Inclusion (LFI) attack detection|
||[Remote File Inclusion (RFI)](https://en.wikipedia.org/wiki/File_inclusion_vulnerability) attack detection|
|WordPress|All of the complete profile rules|
||WordPress specific rules|
|Drupal|All of the complete profile rules|
||Drupal specific rules|
|Nextcloud|All of the complete profile rules|
||Nextcloud specific rules|
|Dokuwiki|All of the complete profile rules|
||Dokuwiki specific rules|

> [!NOTE]
> Activating a protection profile slightly increases the latency of each HTTP request. This latency, which amounts to a few milliseconds, increases with the degree of protection.

### Excluding rules

Depending on your use case, **the way the WAF behaves may be too restrictive**. It may also generate **false positives** during its analysis.

If you consider its behavior unsuitable, you can exclude some of the rules used during the analysis. You only need to specify the **number of the rule to exclude**. You will find it in the site logs (`/home/[account]/admin/logs/sites`).

Example:

```
[08/Jan/2019:11:09:19 +0100] [waf] - "GET /?param=%22> HTTP/1.1" - 941100 | XSS Attack Detected via libinjection' with value: ">
[08/Jan/2019:11:09:19 +0100] [waf] - "GET /?param=%22> HTTP/1.1" - 941110 | XSS Filter - Category 1: Script Tag Vector' with value: HTTP/1.1" - 941160 | NoScript XSS InjectionChecker: HTML Injection' with value:
```
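To decide which rule numbers are worth excluding, it helps to see which rules fire and on which paths. The script below is an added example, not part of the alwaysdata documentation: it tallies `[waf]` log entries per rule number. The line layout is inferred from the sample entries above, and the `SAMPLE` entries and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Line layout inferred from the sample entries on this page (an assumption):
# [timestamp] [waf] - "request line" - rule_number | message' with value: data
WAF_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[waf\] - "(?P<request>.*?)" - '
    r"(?P<rule>\d+) \| (?P<msg>.*?)(?:' with value: (?P<value>.*))?$"
)

def summarize(lines):
    """Group WAF hits by rule number: hit count, message, distinct paths."""
    rules = defaultdict(lambda: {"hits": 0, "msg": "", "paths": set()})
    for line in lines:
        m = WAF_LINE.match(line.strip())
        if not m:
            continue  # not a WAF entry
        parts = m["request"].split(" ")
        target = parts[1] if len(parts) > 1 else m["request"]
        entry = rules[m["rule"]]
        entry["hits"] += 1
        entry["msg"] = m["msg"]
        entry["paths"].add(target.split("?", 1)[0])  # drop the query string
    return dict(rules)

# Constructed sample entries (not real traffic), reusing rule numbers shown above.
SAMPLE = """\
[08/Jan/2019:11:09:19 +0100] [waf] - "POST /admin/page/save HTTP/1.1" - 941100 | XSS Attack Detected via libinjection' with value: <img src=logo.png onload=fit()>
[08/Jan/2019:11:09:19 +0100] [waf] - "POST /admin/page/save HTTP/1.1" - 941160 | NoScript XSS InjectionChecker: HTML Injection' with value: <img src=logo.png onload=fit()>
[08/Jan/2019:11:12:02 +0100] [waf] - "POST /admin/page/save HTTP/1.1" - 941160 | NoScript XSS InjectionChecker: HTML Injection' with value: <a href=/pricing onclick=track()>
[08/Jan/2019:11:15:40 +0100] [waf] - "GET /search?q=%3Cb%3E HTTP/1.1" - 941160 | NoScript XSS InjectionChecker: HTML Injection' with value: <b>
this line is not a WAF entry and is skipped
""".splitlines()

if __name__ == "__main__":
    # Most frequent rules first; review the paths before excluding a rule.
    report = summarize(SAMPLE)
    for rule, info in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print(f'{rule}  hits={info["hits"]}  {info["msg"]}')
        for path in sorted(info["paths"]):
            print(f"    {path}")
```

`summarize` accepts any iterable of lines, so an open log file from the site logs directory can be passed to it directly. A rule that only fires on a path where legitimate HTML is submitted is a stronger exclusion candidate than one that fires across the whole site.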