WAF rules
The web application firewall inspects every request at the edge and blocks attacks before they reach your origin. This page covers the rule types and the safe way to roll them out.
Managed rules
Managed rules cover the common attack classes — SQL injection, cross-site scripting, path traversal, protocol violations — and are maintained by Optimi as threats evolve. They are the baseline for every property.
Custom rules
Custom rules match on any request attribute: path, method, headers, country, ASN, or bot score. Use them to protect application-specific endpoints, enforce allowlists on admin areas, or block abuse patterns unique to your traffic.
Rate limiting
Rate limiting rules count requests per client — by IP, session, or API token — and throttle or block clients that exceed a threshold. They absorb credential stuffing, scraping, and inventory hoarding without affecting legitimate users.
Start in monitoring mode
Every new rule can run in monitoring mode: matching requests are logged but never blocked. Watch the matches for a few days, tune out false positives, then switch to blocking. This is the safe path to a strict policy.
Reviewing blocked traffic
The my Optimi dashboard shows every blocked and monitored request with its matched rule. Review it weekly — a sudden spike in a single rule usually means an attack campaign or a false positive worth investigating.
