Prophaze AppSec Best Practices

Prophaze uses application profiling to determine the best configuration for your application once you onboard the domain in the dashboard, so only minimal intervention is required from the customer. The configurations a customer can tune are the following.

1. Active Mode

Once a domain is onboarded, the WAF enters an application profiling period in which it learns the application's normal traffic. During this period the WAF runs in detection mode only: web attacks are logged but not blocked. The learning period is needed to reduce false positives and to protect better against non-signature-based attacks. Once Active Mode is enabled, the WAF blocks detected attacks before they reach your server instead of only reporting them. Review the detections raised during the profiling period before switching to Active Mode, because any legitimate traffic that is still being flagged will be blocked from that point on.

2. Bot Protection

This feature is turned off by default and can be activated when the application faces bot attacks or a DDoS is suspected.

Prophaze offers two kinds of Bot Protection methods

Bot Mitigation: This feature aims to identify and block automated bots that can harm your website in various ways, such as scraping content, launching Denial-of-Service (DoS) attacks, or attempting account takeovers.

Whitelist: A list of trusted sources (IP addresses or subnets) that Prophaze will not flag as bots. Traffic originating from these sources bypasses bot mitigation checks and is treated as normal user traffic. Keep the list to the narrowest ranges that need it (for example, a monitoring service or a partner integration), since anything able to send traffic from a whitelisted address is exempt from bot detection.

3. Granular control over proxy settings

Within the settings page, users can adjust the endpoint, proxy connect timeout, proxy read timeout and client body size, and can customize HTTP headers and cipher suites to suit their requirements.

Within the Settings tab, navigate to "Configure Domains" on the left-hand menu. This section lists all domains currently onboarded on the WAF. To adjust the configuration of a specific domain, select the "Edit" button (depicted by a pencil symbol) next to the desired domain. A new window will appear.

The parameters that can be set in the newly opened window are:

Endpoint: The IP address of the server hosting the application, or of the load balancer that fronts it.

Read Timeout: The maximum time the WAF waits for the application server to send the next part of its response; the default is 60 seconds. Increase it when the application server legitimately responds slowly, handles long-running requests, transfers large amounts of data or sits behind an unreliable network path, so that connections are not terminated prematurely. Raise it only as far as needed, ideally for the specific slow endpoints, because a longer read timeout also lets a slow or unresponsive backend hold WAF connections open for longer.

Connect Timeout: The maximum time allowed to establish a connection with the application server; the default is 60 seconds. Extend it only when connections to the application server are genuinely slow to establish, for example across a congested or high-latency network link. Slow responses and long-running requests are governed by the read timeout, not by this value.

Client Body: The maximum allowed size of a client request body; the default is 20 MB. Increase it when the application accepts larger uploads, so that legitimate requests are not rejected for exceeding the limit. Keep it no larger than the largest upload the application actually needs, since this limit caps how much data a single request can make the WAF and the backend consume.

HTTP Headers: Components of an HTTP request or response that carry additional information such as authentication, caching directives or content type. Common headers include "Authorization", "Content-Type" and "Cache-Control". Users can add custom headers that the application requires, for example to forward client details to the backend.

Cipher suites: The sets of cryptographic algorithms (key exchange, authentication, encryption and integrity) accepted for TLS connections. Restrict the accepted suites to modern ones (forward-secret key exchange and AEAD ciphers) particularly in high-risk environments or where a standard mandates it; a narrower list removes the weak algorithms that an attacker could otherwise negotiate a connection down to.
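The dashboard fields above correspond closely to reverse-proxy directives. The following is an added example in nginx configuration syntax; it is not Prophaze's own configuration (which is generated from the dashboard) and assumes an nginx-style proxy in front of the application. The upstream address 10.0.0.5:8080, the hostname app.example.com and the certificate paths are placeholders. It places each setting where it belongs and shows the narrower, per-path override that keeps a higher limit from applying globally; it goes inside the http block.

```nginx
# Added example, not Prophaze's configuration. Placeholders: 10.0.0.5:8080,
# app.example.com, /etc/ssl/app.crt, /etc/ssl/app.key.
upstream app_backend {
    server 10.0.0.5:8080;          # Endpoint: origin server or load balancer
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/ssl/app.crt;
    ssl_certificate_key /etc/ssl/app.key;

    # Cipher suites: TLS 1.2+ only and an allow-list of forward-secret AEAD suites.
    # The permissive form "ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL;"
    # would re-enable CBC and non-PFS suites, so the explicit list is deliberate.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Client body: 20 MB as the page's default. Raise it per location for upload
    # endpoints rather than here, because the cap bounds attacker-controlled
    # memory and disk use for every request.
    client_max_body_size 20m;

    location / {
        proxy_pass http://app_backend;

        # Connect timeout: wait for the TCP/TLS handshake with the origin.
        # Read timeout: wait between two successive reads from the origin.
        # 60s matches the page's defaults; keep both as low as the application
        # tolerates, since each open upstream connection is a resource an
        # attacker can try to hold.
        proxy_connect_timeout 60s;
        proxy_read_timeout    60s;

        # HTTP headers: forward client identity and scheme to the application.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
    }

    # Upload endpoint: larger body cap and longer read timeout scoped to this
    # path only, so the relaxed limits do not apply to the rest of the site.
    location /api/upload {
        proxy_pass http://app_backend;
        client_max_body_size  200m;
        proxy_read_timeout    300s;
        proxy_connect_timeout 60s;
    }
}
```

Check the fragment with `nginx -t` before reloading. The point of the second location block is the one to carry over to the dashboard: when a single endpoint needs a larger body or a longer read timeout, raise the limit for that endpoint rather than for the whole domain.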

4. Rate Limiting

Within the Custom WAF Policies tab, users can apply rate limiting to traffic based on parameters including IP address, country and request URI, among others. Users can also rate limit on combinations of these parameters, for example a single IP address hitting a single URI, to tune traffic management more finely.
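The following is an added example, again in nginx configuration syntax and not Prophaze's own policy format, of rate limits keyed by IP address, by IP address plus request URI, and by country, together with a trusted-source exemption of the kind described under Bot Protection above. It assumes an nginx-style proxy; the CIDR ranges, the country label XX and the upstream address are placeholders, and a real deployment would take the country from a GeoIP database rather than from the hand-written geo block shown here. It relies on a documented nginx behaviour: a request whose limit key evaluates to an empty string is not counted, so mapping exempt clients to "" removes them from the zone.

```nginx
# Added example, not Prophaze's configuration. Placeholders: 10.0.0.5:8080,
# the CIDR ranges below, the country label XX and app.example.com.
upstream app_backend {
    server 10.0.0.5:8080;
}

# Trusted sources: 0 = exempt, 1 = limited.
geo $rl_enabled {
    default        1;
    10.0.0.0/8     0;   # internal monitoring (placeholder)
    203.0.113.0/24 0;   # partner integration (placeholder)
}

# Per-IP key; exempt clients map to "" and are never counted.
map $rl_enabled $ip_key {
    0 "";
    1 $binary_remote_addr;
}

# Combined key: client IP + request URI, so one client hammering one endpoint
# (e.g. a login form) is throttled without affecting its other requests.
map $rl_enabled $ip_uri_key {
    0 "";
    1 "$binary_remote_addr$uri";
}

# Country label per source range. Placeholder only; a real deployment would
# use a GeoIP module variable here instead of a static geo block.
geo $client_country {
    default         "";
    198.51.100.0/24 XX;
}

# Only the listed country is limited; every other value maps to "" (unlimited).
map $client_country $country_key {
    default "";
    XX      $client_country;
}

limit_req_zone $ip_key      zone=per_ip:10m      rate=30r/s;
limit_req_zone $ip_uri_key  zone=per_ip_uri:10m  rate=5r/s;
limit_req_zone $country_key zone=per_country:10m rate=200r/s;
limit_req_status 429;

server {
    listen 80;
    server_name app.example.com;

    location / {
        limit_req zone=per_ip      burst=60  nodelay;
        limit_req zone=per_country burst=400 nodelay;
        proxy_pass http://app_backend;
    }

    # Stricter per-IP+URI limit on the login endpoint against credential stuffing;
    # the general per-IP limit still applies alongside it.
    location /login {
        limit_req zone=per_ip_uri burst=10 nodelay;
        limit_req zone=per_ip     burst=60 nodelay;
        proxy_pass http://app_backend;
    }
}
```

Two design points carry over to the dashboard regardless of syntax: a combined key such as IP plus URI lets the limit on a sensitive endpoint be far tighter than the site-wide limit without penalising normal browsing, and the exemption list should be reviewed with the same care as the bot whitelist, because exempt sources are counted against no limit at all.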

5. False Positives

In the Built-in WAF policies tab, users can view the false positives.

Exceptions for false positives are added via the Attack Analytics tab. When a legitimate request has been mistakenly classified as an attack, locate it in the Attack Analytics tab and mark it as an exception.

6. Consolidated Dashboard

Unified View: Gain a comprehensive overview of your security posture across all your domains within a selected cluster. This powerful feature eliminates the need to switch between individual domains, saving you valuable time and effort.
