Fastly’s massive globally distributed network provides rapid protection against web application vulnerabilities, DDoS, and botnet attacks. Enforce security rules at the edge with real-time insights into suspicious traffic and the ability to update your configuration in milliseconds.
Fastly’s web application firewall protects your applications from malicious attacks designed to compromise web servers. Built on our powerful edge cloud platform, it protects against injection attacks, cross site scripting, HTTP protocol violations, and more. Our WAF is continuously updated to address ongoing threats using multiple rulesets. Rules can be configured in real time via our API, and can run in active blocking mode or passive logging mode only.
Fastly’s cloud-based WAF consumes third-party rules from the OWASP Core Ruleset, commercial sources, and open source, in addition to Fastly-generated rules. Customers are protected from key application-layer attacks, such as injection attacks and malicious inputs, cross site scripting, data exfiltration, HTTP protocol violations, and other OWASP Top 10 threats. Fastly WAF rules are instantly configurable so you can respond to threats as they arise.
Fastly’s WAF provides global protection without any significant performance impact because it’s fully integrated into our Varnish-based edge cloud platform. Using a set of pre-built rules, we only run WAF detection logic on requests that cannot be served from cache, saving valuable milliseconds in detecting attacks aimed at the origin server. Integration with our edge cloud platform also ensures support for IPv6 and HTTP/2.
Third-party CMS platforms are increasingly becoming the target for application-layer attacks. Having the ability to virtually patch these platforms allows you to protect your applications until you roll out software updates. Fastly’s WAF is tightly integrated into our cache nodes, allowing us to detect your website’s application stack. We can apply pre-defined rulesets to protect against known vulnerabilities in popular tools like Drupal and WordPress. You can also quickly add, remove or change WAF-based rules for these platforms.
Built on our powerful edge cloud platform, Fastly’s WAF gives you access to 100% of your security events and notifications within seconds from the edge. You can quickly identify potential application layer threats and make instant configuration changes to your WAF rules from within our service. Real-time log streaming also gives you immediate visibility into attack mitigation efforts.
Fastly’s high-bandwidth, globally distributed network is built to absorb DDoS attacks. Our entire network acts as a DDoS scrubbing center, so you don’t sacrifice performance for protection. We protect against highly disruptive attacks across our infrastructure and through optimized software. We allow you to respond in real time, filtering malicious requests at the network edge before they get near your origin.
Fastly sees all bidirectional traffic (encrypted and unencrypted) between browsers and your web server and automatically filters all non-HTTP / HTTPS traffic at our global nodes, blocking highly disruptive Layer 3 and Layer 4 attacks. We protect against Ping floods, ICMP floods, reflection / amplification attacks, transaction floods, resource exhaustion, and UDP abuse.
Fastly’s edge cache nodes act as enforcement points. Using VCL, we apply rules to protect your network from complex Layer 7 attacks. We inspect the entire HTTP / HTTPS requests, and block based on client and request criteria, like headers, cookies, request path, and client IP, or indicators like geolocation.
Fastly’s edge cloud platform gives you the flexibility to keep up with rapidly changing attacker methods. Our real-time streaming logs help you monitor site performance and quickly identify anomalies like traffic spikes and instability. Our service is highly configurable; if you identify signs of a potential DDoS attack, you can use our configuration control panel or upload custom VCL to block certain URLs, client types, geographies, or types of requests. We also keep a history of previous configurations so you can quickly roll back changes if needed.
Sophisticated attackers use tools like Cloudpiercer to uncover the IP address of origin servers. This allows them to direct attack traffic at these exposed origin servers, bypassing a traditional CDN’s protection capabilities. Fastly’s Origin Cloaking prevents these kinds of attacks by hiding your origin from attackers. Using private network interconnections, we connect directly with your origin server, hiding the IP address from the public internet — forcing all attack traffic through our network where we apply DDoS mitigation rules.
Choose one of our two options as an add-on to your Fastly service: both plans provide layer 7 DDoS mitigation support of HTTP (port 80) and HTTPS (port 443, TLS) with unlimited overage protection.
DDoS Protection and Mitigation Service: our 12-month service helps you minimize risk with continuous, year-long protection.
DDoS Threat Response Service: use our month-to-month service to respond to immediate DDoS threats or for ongoing DDoS attacks.
Fastly has partnered with PerimeterX to offer powerful behavior-based bot detection and mitigation at the edge. We help prevent account takeover, scraping, digital fraud, and complex application-layer attacks. Our joint offering protects both cached and origin content, defending against bot abuse without impacting performance. This solution is easy to install, and can be up and running in a matter of hours.
Data collected is sent to the PerimeterX detector, where real-time algorithms are run to generate a trust score for user sessions. Fastly uses these trust scores to allow or deny access to your website, blocking suspected bot activity. You can also apply additional levels of control, such as further authentication or redirecting to a support page.
Leveraging Fastly’s edge cloud platform, PerimeterX has built a solution that combines their advanced behavior-based bot detection with our rapid mitigation capabilities at the network edge. Fastly’s multi-terabit-per-second network manages millions of simultaneous connections globally, allowing us to operate as a distributed filter to enforce bot policies. Our cache nodes perform real-time evaluation of PerimeterX trust scores for request-by-request edge enforcement.
The PerimeterX Bot Defender™ can identify highly sophisticated man-in-the-browser bots which use advanced browser automation tools or reside inside infected browsers to control users’ machines. These bots are detected by identifying suspicious user behavior patterns over time, such as repetitive, machine-like actions that are indicative of malicious bot activity. By offering advanced behavior-based detection, PerimeterX can identify more sophisticated application-layer bot traffic attacking specific functions like user logins or shopping carts.
Our joint offering protects both origin and edge traffic, so you can keep more in cache without the risk of bot abuse. Cache rapidly changing content like sports scores or stock prices at the network edge for faster delivery, without worrying about content or price scraping. With Fastly’s Instant Purge and surrogate key purging, you can also proactively manage this content, swapping out outdated information instantly.
Protecting customer identities and the integrity of your website requires strong encryption. Fastly supports Transport Layer Security (TLS), the next-generation encryption protocol. TLS connections between Fastly and your origin are encrypted and terminated at our network edge, closer to your customers. We’re optimized to handle heavy volumes of encrypted traffic without impacting performance. Fastly follows industry standards throughout our network, ensuring the safety of your users.
We believe that implementing the highest standard of TLS encryption across your website shouldn’t slow it down. As part of our standard service, you can terminate secure TLS connections at our network edge, closer to users, offloading encrypted traffic from your web server for better performance.
Since any internet-facing network is exposed to the same threats, we maintain one compliant, secure, high-performance network for all customer traffic. This ensures a single platform for unified inspection and enforcement of both encrypted and unencrypted traffic flows.
Fastly is a certified PCI DSS Level 1 service provider. The power of our edge cloud platform and fine-grained controls allows us to cache sensitive PCI or HIPAA-related content while maintaining compliance. Legacy CDNs are unable to cache this content and can only route it on separate, sub-optimal networks. Our Assurance Services provide additional support for customers handling data subject to audit requirements.
Traditional CDNs send sensitive data on a separate network with less capacity than their main network, or they pass it directly to the customer’s origin. Both approaches can cause slower response times, and bypassing the CDN altogether leads to extra load on the origin server.
Fastly’s entire network supports compliance across all our services. We speed up the caching and delivery of sensitive content at the edge, without splitting your traffic into separate networks to satisfy PCI DSS requirements or maintain good HIPAA security practices.
Fastly also provides event logs for user activity related to your service or account. When a change occurs, we capture who made that change and when it occurred and expose it via our API and web interface. Examples of logged events include failed logins, password updates, API key creation, and users added, updated, or deleted. You can also see when user accounts are locked or unlocked, and when two-factor authentication is enabled or disabled. Timely access to this log data improves monitoring and ensures your configuration settings are more secure.
Our Assurance Services provide additional support for customers handling sensitive data which may be subject to audit requirements. We offer access to our library of third-party audit reports and certification attestations in addition to security-related policies and procedures. Executive summary reports are available for annual risk assessments, penetration tests, and network scans. Subscribers to Assurance Services can also use professional service hours to conduct direct audits of Fastly’s security and technology compliance programs.
Reminder: No security solutions will detect or prevent all possible attacks or threats