Edge Security Acceleration:Get started with WAF protection

Last Updated:Mar 31, 2026

ESA WAF offers four mitigation strategies of increasing complexity. Choose the right approach for your website, from one-click AI-powered rate limiting to fully custom rules.

Mitigation policies

The following table compares the four policies by use case, complexity, and key benefits. Start with the policy that matches your current needs. You can always layer additional policies as your requirements grow.

| Policy | Use cases | Complexity | Key benefits |
| --- | --- | --- | --- |
| Smart rate limiting | Individual developers and new, small-scale websites | Very low | One-click, AI-powered protection with zero configuration. |
| Create rules from security analytics | Proactively identifying and mitigating potential threats on stable websites. | Low | Data-driven insights to pinpoint and quickly respond to anomalous traffic. |
| Create rules from a rule template | Combating common attacks or addressing specific, general protection needs. | Medium | Pre-built templates cover common scenarios for efficient deployment. |
| Create custom rules | Complex or unique security needs that require fine-grained control. | High | Offers the flexibility to meet complex protection requirements. |

Policy 1: Smart rate limiting

This is the simplest and fastest way to get started, especially for users new to web security.

The smart rate limiting feature uses ESA's AI engine to automate rate limiting. You only need to enable the feature and select a protection level. The system learns a baseline from your website's past seven days of traffic data and automatically blocks requests that exceed normal frequency patterns. No manual rule configuration is required. This effectively protects against CC attacks (resource exhaustion) and malicious crawlers.

Use cases

  • Individual developers or startups: Low-traffic websites that need basic CC attack protection with minimal setup.

  • Security beginners: For users unfamiliar with WAF who need a simple, one-click solution.

Before you begin

  • Activation time: The feature takes effect about 10 seconds after you enable it.

  • Block duration: The system blocks IP addresses that trigger rate limiting for approximately 24 hours.

  • Handling false positives: If a legitimate IP address is blocked, add it to a whitelist under WAF > Whitelist Rules.

Steps

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, select Security > WAF.

  3. On the Overview tab, find the Smart Rate Limiting section and click Configure. Turn on the Status switch, then configure the Protection Level and Action. We recommend setting the Protection Level to Medium and the Action to Block.

Note

Refer to the descriptions of protection levels and actions.

Policy 2: Security analytics

You may want to monitor traffic more proactively and respond to potential threats.

ESA provides Security Analytics and Events dashboards where you can inspect every request by IP address, path, and User-Agent. When you spot anomalous traffic, you can create a WAF rule directly from the dashboard with a single click. For example, you can:

  • Block an IP address that is sending repeated malicious requests.

  • Block a crawler disguised as a browser, identified by its User-Agent string.

Use cases

  • Growing websites: Monitor increasing website traffic to detect anomalies early.

  • Proactive security operations: Detect and stop suspicious behavior, such as rapid directory scanning, before it escalates into a full attack.

Note

Data in the Security Analytics and Events dashboards has a latency of approximately 5 minutes.

Steps

  1. On the Security Analytics page, to the right of the filters, click Create rule from filter conditions.

    Note

    On the Request Analytics tab of the Overview module, you can select Create Custom WAF Rule from Filters. On the Bot Analytics tab of the Overview module, you can select Create Bot Management Rule from Filters. On the Rate Limiting Analytics tab of the Overview module, you can select Create WAF Rate Limiting Rule from Filters.

  2. On the new rule page, enter a Rule Name, select an action, and click OK. The rule takes effect immediately.

Policy 3: Rule templates

Use a rule template to combat common, known attack types.

ESA provides pre-configured rule templates based on real-world attack data, covering scenarios like blocking empty-Referer requests, protecting backend login pages from brute-force attacks, and allowlisting specific IPs. Select a template, fill in the required parameters (such as your backend login URL), and the rule is deployed immediately.

Use cases

  • Common attacks: Your website is experiencing password brute-forcing, SQL injection, or similar known attack types.

  • Clear protection goals: You know exactly what you need, such as "allow only search engine crawlers".

Note

Read each template's description carefully before use. Misconfigured parameters may block legitimate traffic.

Steps

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left-side navigation pane, select Security > WAF.

  3. On the Overview tab, select a Rule Template that fits your current scenario, and then click Create.

  4. On the rule creation page, fill in the template parameters as needed, and then click OK. The rule takes effect immediately.

Policy 4: Custom rules

When the preceding policies cannot meet your needs, use WAF Configuration Rules for fully customized protection.

Custom rules let you build match conditions by combining request attributes such as IP address, URL path, headers, cookies, and body content. You then assign an action: block, observe, or allow. This gives you full control over how traffic is filtered and handled.

Use cases

  • Advanced security operations: You need fine-grained, multi-condition protection logic built by experienced security engineers.

  • Special business scenarios: Your application has unique logic that requires tightly integrated rules, such as allowing only users with a specific cookie to access an API.

  • Responding to complex attacks: You face advanced persistent threats (APTs) where attackers constantly change methods, requiring flexible and adaptive rules.

Example

This example creates a rate limiting rule: if a single IP address sends more than 20 requests to www.example.com and image.example.com within 10 seconds, all subsequent requests from that IP are challenged with a slider CAPTCHA for 1 minute.

Note

Only Pro and higher plans support the configuration of rate limiting rules.

  1. In the ESA console, go to Site Management. In the Actions column of the target site, click image > WAF.

  2. In the navigation pane on the left, choose Security > WAF.

  3. On the WAF page, select the Rate Limiting Rules tab, click Create Rule, and enter the required information for the rule.

    • Enter a Rule Name.

    • If requests match...: Specifies the conditions that requests must meet. For more information about match fields, see Components of a rule expression. In this example, set Match Type to Hostname, set Operator to is one of, and enter www.example.com and image.example.com for Value.

    • Apply to Cache: Rate limiting controls the number of client requests based on a specific feature to reduce the load on your origin server. However, requests that hit the cache are served directly by ESA and do not add load to your origin server. If you do not want to apply rate limiting to these cached requests, clear this checkbox.

    • With the same characteristics...: Further filters requests that meet the match conditions.

    • When the rate exceeds...: Specifies the maximum number of requests allowed within the specified time period.

      Note

      • If you set the action to Apply to Matched Requests, the action duration equals the statistical period.

      • WAF counts a request only after the full response is sent. Therefore, for requests to download large files, the blocking action may be delayed because of the long download time.

    • Then execute...: The action to perform when the request rate reaches the limit. You can apply the action to only requests that exceed the limit, or to all subsequent matching requests. For more information, see Action descriptions.
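The rate limiting rule from this example, modelled in Python as an added illustration (this is not ESA's own code): it counts a request only once its full response is sent, honours the Apply to Cache option, and shows the difference between challenging only the requests that exceed the limit and challenging all subsequent matching requests for the 1-minute action duration. Sliding-window counting and the class and method names are assumptions made for the illustration.

```python
from collections import deque


class RateLimitRule:
    """Constructed model of the rule above (not ESA's code): per-client-IP counting
    on the matched hostnames, a 20-requests-per-10-seconds threshold and a
    60-second challenge action. Sliding-window counting is an assumption."""

    def __init__(self, hosts=("www.example.com", "image.example.com"), threshold=20,
                 period=10.0, action_duration=60.0, apply_to_cache=True,
                 exceed_only=False):
        self.hosts = set(hosts)
        self.threshold = threshold
        self.period = period
        self.action_duration = action_duration
        self.apply_to_cache = apply_to_cache
        # exceed_only=True models "apply to matched requests": only requests over
        # the limit are challenged, so the action lasts only as long as the
        # statistical period. False models "all subsequent matching requests".
        self.exceed_only = exceed_only
        self.windows = {}           # ip -> deque of response-completion timestamps
        self.challenged_until = {}  # ip -> time (s) when the active action expires

    def on_response_complete(self, ip, host, t, cache_hit=False):
        """Evaluate one request once its full response has been sent (the WAF
        counts a request only then). Returns "allow" or "challenge"."""
        if host not in self.hosts:
            return "allow"                # rule does not match this request
        if cache_hit and not self.apply_to_cache:
            return "allow"                # served from ESA cache, not counted
        if not self.exceed_only and self.challenged_until.get(ip, 0.0) > t:
            return "challenge"            # action from an earlier breach is active
        win = self.windows.setdefault(ip, deque())
        win.append(t)
        while win and win[0] <= t - self.period:
            win.popleft()                 # drop requests outside the period
        if len(win) > self.threshold:
            self.challenged_until[ip] = t + self.action_duration
            return "challenge"
        return "allow"
```

The 21st matched request within 10 seconds from one client IP triggers the challenge; with the default (all subsequent requests) the client stays challenged for 60 seconds even after its window empties, whereas with exceed_only=True the challenge stops as soon as the count drops back within the limit.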