WAF & rate-limit
Managed and custom WAF rules with ML scoring, plus per-route rate-limiting.
What it is
The WAF inspects every request against three rule sets: managed (OWASP-class, updated daily), Edge AI scoring (per-request ML risk score), and your custom rules (boolean expressions over headers, body, geo). Per-route rate-limit rules cap requests per IP, per token, or per session.
When to use it
- Block OWASP Top-10 classes (injection, XSS, broken auth) out of the box.
- Write a custom rule to block requests from a specific country to /admin.
- Cap login attempts to 5 / minute / IP.
Quickstart
asc edge waf enable example.com --plan business
asc edge waf rules add example.com --expression 'http.geo.country eq "XX"' --action block
asc edge ratelimit add example.com --route '/login' --per ip --limit 5 --window 60sclient.edge.waf.rules.add(zone='example.com', expression='http.geo.country eq "XX"', action='block')await client.edge.waf.rules.add({ zone: 'example.com', expression: 'http.geo.country eq "XX"', action: 'block' });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Plans | Pro / Business / Enterprise | — | See pricing |
| Managed rule update cadence | Daily | — | |
| Custom rules per zone | 200 (Business) | 1,000 | Lift on Enterprise |
| Rate-limit evaluations | $0.05 / M | — |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
POST /v1/edge/waf/rulesPOST /v1/edge/waf/ratelimit
Required scope(s): edge.waf:write. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.