AIARCOASC Docs

WAF & rate-limit

Managed and custom WAF rules with ML scoring, plus per-route rate-limiting.

What it is

The WAF inspects every request against three rule sets: managed (OWASP-class, updated daily), Edge AI scoring (per-request ML risk score), and your custom rules (boolean expressions over headers, body, geo). Per-route rate-limit rules cap requests per IP, per token, or per session.

When to use it

  • Block OWASP Top-10 classes (injection, XSS, broken auth) out of the box.
  • Write a custom rule to block requests from a specific country to /admin.
  • Cap login attempts to 5 / minute / IP.

Quickstart

asc edge waf enable example.com --plan business
asc edge waf rules add example.com --expression 'http.geo.country eq "XX"' --action block
asc edge ratelimit add example.com --route '/login' --per ip --limit 5 --window 60s
client.edge.waf.rules.add(zone='example.com', expression='http.geo.country eq "XX"', action='block')
await client.edge.waf.rules.add({ zone: 'example.com', expression: 'http.geo.country eq "XX"', action: 'block' });

Limits & quotas

LimitDefaultBurstNotes
PlansPro / Business / EnterpriseSee pricing
Managed rule update cadenceDaily
Custom rules per zone200 (Business)1,000Lift on Enterprise
Rate-limit evaluations$0.05 / M

Pricing

See pricing. Pay-as-you-go, billed monthly via Stripe.

API surface

  • POST /v1/edge/waf/rules
  • POST /v1/edge/waf/ratelimit

Required scope(s): edge.waf:write. See Scopes.

Security

All access is authenticated and scoped. See Auth & scopes and Network controls.