Requirement
Websites must use a web firewall to filter malicious traffic before it is accepted and processed by the site.
Good configuration means:
- Use strong cryptographic ciphers.
- Set the HSTS (HTTP Strict Transport Security) response header.
- Earn a grade of A or B on a scan at Qualys SSL Scan.
Note to applicants: Mitigate-5 Certifications expire at the end of each calendar year. Renewal is automatic and does not require a new application. Re-verification checks are done between November and December of each year.
Note to applicants: If any aspect of this requirement is unclear, please contact us.
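The two configuration points above (strong ciphers and a correctly set HSTS header) can be checked before paying for a scan. The following script is an added example, not part of the Mitigate-5 page or of any scanner: it parses a Strict-Transport-Security header, flags a max-age below one year (the value the HSTS preload list requires) or a missing includeSubDomains, and screens a cipher-suite list for obsolete algorithms. The weak-cipher markers, the one-year threshold and the sample inputs are assumptions chosen for illustration.

```python
"""Check transport-security settings: HSTS header and cipher-suite hygiene.

Added example, not part of the Mitigate-5 page. The thresholds, marker list
and sample inputs are assumptions made for illustration.
"""
import ssl

# Substrings that mark a cipher suite as weak or obsolete (assumed policy list;
# "DES" also catches 3DES suites such as DES-CBC3-SHA).
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")

# One year in seconds: the minimum max-age the HSTS preload list requires.
HSTS_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header into a dict of directives.

    Directive names are case-insensitive; valueless directives such as
    includeSubDomains map to None.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def check_hsts(header_value):
    """Return a list of findings; an empty list means the header passes."""
    if header_value is None:
        return ["Strict-Transport-Security header is missing"]
    findings = []
    d = parse_hsts(header_value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age directive missing or not a number")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below {HSTS_MIN_MAX_AGE} (one year)")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set (subdomains may still be reached over HTTP)")
    return findings


def weak_ciphers(cipher_names):
    """Return the suites in cipher_names that contain a weak-cipher marker."""
    return [c for c in cipher_names if any(m in c for m in WEAK_CIPHER_MARKERS)]


def local_openssl_weak_ciphers():
    """Weak suites the local OpenSSL build would offer with Python's defaults.

    Handy for confirming that a server built on the same library does not
    expose any of them.
    """
    ctx = ssl.create_default_context()
    return weak_ciphers(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed sample header and cipher list, not taken from a real site.
    sample_header = "max-age=86400; includeSubDomains"
    sample_ciphers = [
        "TLS_AES_256_GCM_SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "RC4-SHA",
        "DES-CBC3-SHA",
    ]
    print("HSTS findings:", check_hsts(sample_header))
    print("Weak ciphers offered:", weak_ciphers(sample_ciphers))
    print("Weak ciphers in local OpenSSL defaults:", local_openssl_weak_ciphers())
```

Feed `check_hsts` the header value returned by your own site and `weak_ciphers` the suite list from your server configuration; a clean result on both is a reasonable predictor of the grade the scan will award, but the scan remains the authoritative check.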
Why implement a web firewall
A web firewall helps block numerous attacks against websites by drawing on a network of intelligence about global threats.
Mitigate-5 requires a web firewall for the following core reasons:
- Reduces risk - A WAF reduces the risk of compromise by filtering malicious and suspicious traffic before it reaches the application.
- Blocks known common attacks - Protects against basic to advanced attacks, e.g. DoS/DDoS, cross-site scripting (XSS), injection, malware and zero-day exploits.
- Blocks harmful content - Helps block traffic that looks suspicious even when it does not match an already known form of attack.
- Virtually patches - Helps block known exploits against vulnerable software for which the vendor has not yet released a patch.
Several options exist for implementing a web firewall on a corporate website, depending on where the website is hosted. Website owners who are unsure should consult their internal technical team or hosting provider about compatible web firewall options.
Many web hosting companies have their own way to implement HTTPS on websites they host. They usually provide a helpful guide in their support area.
Before implementing a web firewall:
- Understand the costs and benefits of the different types of firewall implementation and choose one that is feasible based on risk, e.g. cloud-based, on-premises, or host-based (custom-written firewall rules such as .htaccess and .apache.conf).
- Research how firewalls are commonly applied to the website's platform by other companies. Some managed website platforms already have a built-in web firewall, or need only very light protection because of the website's infrastructure (e.g. static websites with only public content on managed web servers).
- Assess whether the website must comply with a regulation (e.g. GDPR).
After implementing a web firewall:
- Send samples of known malicious traffic to the website to verify that it is being filtered.
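One way to carry out that verification step is shown below. This is an added example, not part of the Mitigate-5 page and not any vendor's tool: it sends a handful of textbook attack strings as a query parameter to a site you operate and reports whether the firewall returned a blocking status. The probe strings, the set of statuses treated as "blocked", the parameter name and the target URL are assumptions; adjust them to how your firewall is configured.

```python
"""Verify that a web firewall filters known malicious request patterns.

Added example, not part of the Mitigate-5 page. Run it only against a site you
operate. The probe list, blocked-status set and target URL are assumptions.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Textbook attack patterns that any commodity WAF rule set is expected to block.
# They are deliberately basic: the aim is to confirm the firewall is in the
# request path and active, not to test its limits.
PROBES = {
    "xss": "<script>alert(1)</script>",
    "sqli": "' OR '1'='1",
    "path-traversal": "../../etc/passwd",
}

# HTTP statuses a WAF typically returns for a blocked request (assumed set).
BLOCKED_STATUSES = {403, 406, 429, 503}


def classify(status):
    """Map an HTTP status code (or None for no answer) to an outcome label."""
    if status is None:
        return "unreachable"
    return "blocked" if status in BLOCKED_STATUSES else "passed"


def http_status(url):
    """Send a GET and return the status code; None if the host cannot be reached."""
    req = urllib.request.Request(url, headers={"User-Agent": "waf-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 403 and friends arrive here, which is what we want
    except urllib.error.URLError:
        return None


def verify_waf(base_url, param="q", fetch=http_status):
    """Send each probe as the value of `param` and report what the firewall did.

    `fetch` is injectable so the logic can be exercised offline; the default
    performs a real request.
    """
    report = {}
    for name, payload in PROBES.items():
        url = f"{base_url}?{urllib.parse.urlencode({param: payload})}"
        report[name] = classify(fetch(url))
    return report


def all_blocked(report):
    """True only if every probe was answered with a blocking status."""
    return bool(report) and all(v == "blocked" for v in report.values())


if __name__ == "__main__":
    # Placeholder target; pass your own site's URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid/search"
    result = verify_waf(target)
    for name, outcome in result.items():
        print(f"{name:15} {outcome}")
    sys.exit(0 if all_blocked(result) else 1)
```

Some firewalls answer a blocked request with a 200 block page rather than an error status; if yours does, extend `classify` to inspect the response body for the block page's marker text. Treat "passed" for any probe as a finding to investigate, not as a false alarm.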