09 Apr 26

Advanced WAF: Protecting your website without generating false positives

In cybersecurity, things are no longer just black and white. Traditional WAFs functioned like a nightclub bouncer: “If you’re wearing sneakers, you’re not coming in.” However, the new generation of threats is much more subtle. Attackers don’t always “wear sneakers”; sometimes, they simply exhibit suspicious behavior as a whole.

Blocking every minor suspicion can expel legitimate customers, creating the dreaded false positives. This is where the implementation of an Advanced WAF comes into play. In this post, we explain how this model intelligently scores web traffic, allowing for much more precise and flexible protection.

The WAF scoring system

Unlike conventional WAFs that block a request as soon as it matches a single rule, new models work through a scoring system based on international standards (OWASP).

Every time a request reaches your site, the WAF analyzes it for suspicious patterns (strange characters, SQL injection attempts, malformed headers, etc.). Instead of blocking it immediately, each anomaly adds points to a score.

Imagine a request that triggers the following anomalies:

  • Contains a semicolon (;) in the URL: +2 points.
  • The User-Agent is unusual: +2 points.
  • Contains the word SELECT: +3 points.

If your security threshold is set at 5 points, this request will be blocked because its total is 7. However, if a legitimate user simply enters a strange character by mistake (+2 points), they will be able to browse without any issues.

Although this scoring system happens internally within the WAF engine, understanding it is key to correctly configuring your security level in Transparent Edge.

Why is it vital for your business?

These systems offer a key competitive advantage by drastically reducing false positives, preventing minor errors from legitimate users from triggering accidental blocks. Their ability to detect combined attacks allows them to identify subtle threats that seem harmless individually but reveal malicious intent when their risk scores are added together, all under fully customizable thresholds. This allows you to adjust severity based on business needs, such as prioritizing sales during Black Friday or hardening an admin panel with zero tolerance.

Advanced WAF sensitivity levels

In Transparent Edge, this system is managed through the WAF sensitivity level. As a client, you have total control over the severity levels:

  • Critical: obvious attacks (SQL injections, RCE). These add the highest score.
  • Error: protocol errors that usually indicate automated attack tools.
  • Warning: unusual behaviors that are not necessarily malicious on their own.

How to activate the advanced WAF

Implementation is simple and is done directly via VCL configuration from the control panel. To activate it on your domain, simply deploy a configuration similar to this:

# Advanced WAF
sub vcl_recv {
    if (req.http.host == "www.mi-dominio.es") {
        set req.http.TCDN-WAF-Enabled = "true";
    }
}

Three recommendations to reduce false positives

To ensure your security strategy is effective and does not interfere with your business operations, we suggest following these three key steps:

  1. Adopt a “trial and error” approach: before activating WAF blocking, use DetectionOnly mode. This allows you to see in real time which requests would be blocked by the WAF without actually interrupting traffic. It is the best way to train your configuration and ensure rules are appropriate for your traffic before switching to active protection mode (On).
  2. Apply precision surgery with exceptions: don’t make the mistake of disabling the WAF if you find a problem in a specific section of your website. The power of Transparent Edge lies in the ability to create very specific exceptions. If a specific rule clashes with a legitimate functionality (like a complex form or an admin panel), you can tell the system to ignore only that rule for that specific URL, keeping the rest of your infrastructure protected.
  3. Turn incidents into learning: if you detect that a legitimate user has been blocked by mistake, use our False Positive Report to identify the specific ruleID that caused the incident. This information allows you to understand which pattern triggered the alarm and apply an exception where necessary.
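
The scoring walk-through above and the per-URL exception from recommendation 2, modeled in Python as an added example (this is not Transparent Edge's engine or its configuration syntax). The rule IDs EX-1 to EX-3, the patterns, the "not browser-like" User-Agent test and the at-or-above threshold comparison are assumptions; the weights, the threshold of 5 and the DetectionOnly/On mode names come from the post.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical ID, not a real Transparent Edge ruleID
    points: int    # weight taken from the post's example
    field: str     # which part of the request the pattern inspects
    pattern: str   # simplified pattern, an assumption for illustration

RULES = [
    Rule("EX-1", 2, "url", r";"),                     # semicolon in the URL
    Rule("EX-2", 2, "user_agent", r"^(?!Mozilla/)"),  # "unusual" = not browser-like
    Rule("EX-3", 3, "url", r"(?i)\bselect\b"),        # the word SELECT
]

def evaluate(url, user_agent, threshold=5, mode="On", exceptions=None):
    """Score one request; `exceptions` maps a path prefix to rule IDs to skip."""
    path = url.split("?", 1)[0]
    skipped = set()
    for prefix, rule_ids in (exceptions or {}).items():
        if path.startswith(prefix):
            skipped.update(rule_ids)

    values = {"url": url, "user_agent": user_agent or ""}
    matched = [r for r in RULES
               if r.rule_id not in skipped and re.search(r.pattern, values[r.field])]
    score = sum(r.points for r in matched)

    # Assumption: a score equal to the threshold counts as reaching it.
    if score < threshold:
        action = "allow"
    elif mode == "DetectionOnly":
        action = "log"      # would have been blocked; traffic is not interrupted
    else:
        action = "block"
    return {"score": score, "rules": [r.rule_id for r in matched], "action": action}

if __name__ == "__main__":
    browser = "Mozilla/5.0 (X11; Linux x86_64)"       # constructed sample values
    admin_exception = {"/admin/reports": {"EX-3"}}
    print(evaluate("/items?id=1;select+name+from+users", "curl/8.0"))
    print(evaluate("/items?id=1;select+name+from+users", "curl/8.0", mode="DetectionOnly"))
    print(evaluate("/search?q=a;b", browser))
    print(evaluate("/admin/reports?filter=select;status", browser))
    print(evaluate("/admin/reports?filter=select;status", browser,
                   exceptions=admin_exception))
```

The list of matched rule IDs in the result plays the role of the ruleID in a false positive report: it tells you which single rule to except for which path, instead of lowering protection everywhere.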

All technical details, parameters, and specific syntax for these configurations are available in our technical documentation.

Balance between protection and accessibility

In short, modern WAF protection systems must be flexible and precise enough to allow you to control who can access your website and who cannot.

Contact our security experts if you want to find the right sensitivity level for your site. We will help you configure a custom WAF that keeps attackers at bay without hindering your customers.