WAF Estimated reading: 2 minutes 70 views As part of our commitment to continually improving the security and reliability of our systems, we have successfully transitioned our Web Application Firewall (WAF) to Cloudflare. A Web Application Firewall is a critical security layer that protects web applications by filtering and monitoring HTTP traffic between the internet and our systems. It is specifically designed to detect and block a wide range of threats—including SQL injection, cross-site scripting (XSS), remote file inclusion, and other OWASP Top 10 vulnerabilities—before they can reach your data or affect application behavior. Our new Cloudflare WAF adds significant security enhancements, including: Real-time threat intelligence: Cloudflare continuously analyzes global traffic patterns to detect and stop malicious activity before it impacts us. Advanced DDoS protection: Built-in mitigation against large-scale distributed denial-of-service attacks ensures service continuity even under extreme conditions. Bot management and access control: The WAF helps prevent abuse from malicious bots while allowing legitimate traffic through. Automatic updates: Unlike static rule sets, Cloudflare’s WAF adapts dynamically to emerging threats, reducing the risk of zero-day vulnerabilities. Granular policy control: We are able to define and adjust custom rules tailored to our specific application needs, reducing false positives and maintaining performance. The move to Cloudflare not only improves security, but also contributes to reliable access to our services. On your end make you will need to make sure that inbound integration (to Cellosign) is made with DNS name and not IP. Until you will be able manage validation by DNS listed here are cloudflare IPs. We do encourage you to carry out transition to DNS as soon as possible as we cannot guarantee IP, we can only guarantee DNS names. If you have questions about how this may affect your integration or security posture, we’re here to help. Notes and Gotchas In case you are getting 403 (Forbidden) on API requests this is probably because “User-Agent” is missing from request header. Please make sure to add valid “User-Agent” to request. Valid value examples: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0.0.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 13.5) Firefox/126.0 Next - Security Country-Based Access Restrictions for clients
