Web Application Firewall (WAF)

This feature is part of VTEX Shield. If you are already a VTEX customer and want to adopt VTEX Shield for your business, please contact Commercial Support. Additional fees may apply. If you are not yet a customer but are interested in this solution, please complete our contact form.

The Web Application Firewall (WAF) is a security layer designed to protect web applications by monitoring and filtering internet traffic.

The WAF operates on HTTP (Hypertext Transfer Protocol) and HTTPS (HTTP Secure) communications, scanning inbound and outbound data to detect and block possible threats.

The WAF's operation begins with the VTEX Security team defining security rules based on the analysis of information flow patterns. The WAF then continuously monitors web traffic against these rules. When it detects potentially harmful activity, it can block the traffic, preventing the exploitation of vulnerabilities in the web application.

Security rules

Stores that use VTEX Shield and opt for the WAF are covered by the following security rules against threats:

| Threat | Security rule |
| --- | --- |
| Remote File Inclusions (RFI) | Detects attempts to include files, usually via scripts on the web server. |
| Directory Traversal | Verifies and validates file names provided by users, preventing unauthorized access to sensitive files and folders. |
| Cross-Site Scripting (XSS) | Prevents the injection of client-side scripts into the pages viewed by visitors. |
| File upload | Detects attempts to upload files to the web server. |
| Evasion techniques | Protects against some coding techniques used to bypass protection mechanisms. |
| Unwanted access | Detects attempts to access admin or vulnerable pages, bots, and security scanning tools. |
| Identified attacks | Prevents many common attacks and known vulnerabilities that must be blocked. |
| IP filter | Checks a list of IP addresses to determine whether each is allowed or blocked. |
| Tor network blocking | Prevents access to the site using the Tor browser. |

Requesting WAF activation

To request WAF activation for your store, please contact VTEX Support. Include the following information in the ticket:

  • URLs to be added to the WAF.
  • Name and contact information of the point of contact with the VTEX Security team during the activation process.
  • Provider: To access the WAF, all store URL traffic must go through the provider currently used by VTEX. If that's not the case, a procedure must be followed with the VTEX Traffic team, which can take between 1 and 2 weeks.

After submitting the request, the deadline for activating the WAF on the store URLs is 4 weeks, plus the period needed to migrate to the provider, if applicable.
