WAF Pro Documentation
nopStation's WAF (Web Application Firewall) plugin is developed to provide comprehensive security protection for nopCommerce-based online stores. The plugin protects against common web attacks including SQL Injection, Cross-Site Scripting (XSS), Path Traversal, Command Injection, and DDoS attacks through intelligent rate limiting. With advanced security rules, IP management, and real-time threat detection, store owners can easily secure their storefront and protect customer data.
PRE-REQUISITES
· The plugin requires you to install the Nop-Station Core plugin first.
INSTALLATION
· Download the WAF Plugin from our store: https://www.nop-station.com/waf-pro-web-application-firewall-for-nopcommerce
· Go to Administration > Configuration > Local plugins
· Upload the zip file using the "Upload plugin or theme" button
· Go to Administration and reload the list of plugins. Install the 'Nop-Station Core' plugin first, then install the 'WAF' plugin
· To make the plugins functional, restart the application
· Activate the plugin with the 'Edit' option and configure it
GETTING STARTED
Step 1: Initial Configuration
· Navigate to Admin > WAF > Configuration
· Enable WAF by toggling the "Enable WAF" switch
· Select "Learning mode" as the initial operating mode
· Enable "Log All Requests" temporarily to understand traffic patterns
· Keep "Redact Sensitive Data" enabled (recommended)
· Click Save
Important: An application restart is required when enabling or disabling the WAF
Step 2: Monitor in Learning Mode
· Navigate to Admin > WAF > Dashboard
· Let the system run for 24-48 hours
· Review security events to understand your traffic patterns
· Identify any false positives (legitimate requests being flagged)
Step 3: Review and Adjust Rules
· Navigate to Admin > WAF > Rules
· Review triggered rules in the security events
· Disable rules causing false positives
· Adjust rule priorities as needed
Step 4: Transition to Active Mode
· After monitoring and adjustments, go to Configuration
· Change Operating Mode to "Passive mode" first
· Monitor for another 24 hours
· If satisfied, change to "Active mode" for full protection
· Disable "Log All Requests" to reduce log volume
CONFIGURATION
General Settings
· Enable WAF: Master switch for WAF functionality (requires application restart)
· Operating Mode: Select protection level
o Learning Mode: Observes and logs traffic without blocking (recommended for initial setup)
o Passive Mode: Logs threats and applies explicit blocks only
o Active Mode: Full enforcement with automatic blocking
· Log All Requests: Enable to log every request (use in Learning mode only)
· Redact Sensitive Data: Automatically redact passwords, credit card numbers and tokens from logs (always enable in production)
· Security Event Retention Days: How long to keep security event logs (default: 90 days)
· Max Payload Length: Maximum characters to store in request logs (default: 5000)
· Sensitive Params: Comma-separated list of parameter names to redact (e.g., password,token,secret)
· API Path Prefixes: Comma-separated list of API endpoint paths (e.g., /api,/odata)
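The three logging settings above (Redact Sensitive Data, Max Payload Length, Sensitive Params) work together to keep request logs from becoming a second copy of customer secrets. The following Python model is an added illustration written for this documentation, not the plugin's own code: it assumes form-encoded or JSON payloads, treats any parameter whose name contains a configured sensitive word as sensitive, and uses a simple 13-19 digit heuristic for card numbers.

```python
import re

SENSITIVE_PARAMS = ("password", "token", "secret")  # the "Sensitive Params" setting (defaults assumed)
MAX_PAYLOAD_LENGTH = 5000                            # the "Max Payload Length" default

# Heuristic for card-like numbers: 13-19 digits, optionally separated by spaces or dashes (constructed)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def redact_payload(payload, sensitive=SENSITIVE_PARAMS, max_len=MAX_PAYLOAD_LENGTH):
    """Redact sensitive parameter values and card-like numbers, then truncate for storage.

    Redaction runs before truncation so a cut-off payload can never expose a partial secret.
    """
    for name in sensitive:
        word = re.escape(name)
        # form-encoded style: name=value (stops at '&' or whitespace), name may contain the word
        payload = re.sub(rf"(?i)\b(\w*{word}\w*)(=)([^&\s]*)", r"\1\2[REDACTED]", payload)
        # JSON style: "name":"value"
        payload = re.sub(rf'(?i)("\w*{word}\w*"\s*:\s*")([^"]*)(")', r"\1[REDACTED]\3", payload)
    payload = CARD_RE.sub("[REDACTED-CARD]", payload)
    return payload[:max_len]
```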
Alert Notifications
· Enable Email Notifications: Send email alerts for security incidents
· Notification Recipients: Comma-separated email addresses for alerts
· Critical Event Threshold: Number of critical events to trigger alert (default: 5)
· High Severity Event Threshold: Number of high-severity events to trigger alert (default: 10)
· Attack Rate Threshold: Attacks per minute to trigger alert (default: 20)
· Threshold Time Window: Time window for threshold evaluation in minutes (default: 5)
· Alert Cooldown: Minimum time between alerts to prevent flooding (default: 30 minutes)
· Send Immediate Critical Alerts: Send instant alerts for critical threats
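How the thresholds, time window and cooldown combine decides whether an operator gets one useful alert or a flood. The model below is an added example for this documentation, not the plugin's implementation: it uses the defaults listed above, assumes events carry a severity label ("critical", "high" or "low"), and assumes that immediate critical alerts bypass the cooldown while threshold alerts honour it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class AlertSettings:
    critical_threshold: int = 5       # Critical Event Threshold
    high_threshold: int = 10          # High Severity Event Threshold
    attack_rate_threshold: int = 20   # Attack Rate Threshold (attacks per minute)
    window_minutes: int = 5           # Threshold Time Window
    cooldown_minutes: int = 30        # Alert Cooldown
    immediate_critical: bool = False  # Send Immediate Critical Alerts


@dataclass
class AlertEvaluator:
    settings: AlertSettings = field(default_factory=AlertSettings)
    events: List[Tuple[datetime, str]] = field(default_factory=list)  # a real store would prune old events
    last_alert_at: Optional[datetime] = None

    def record(self, ts, severity):
        """Record one security event; return the alert reason if an alert would be sent, else None."""
        self.events.append((ts, severity))
        reason = self._threshold_reason(ts, severity)
        if reason is None:
            return None
        # Cooldown suppresses repeat alerts; immediate critical alerts bypass it (assumption)
        cooldown = timedelta(minutes=self.settings.cooldown_minutes)
        if (self.last_alert_at is not None and ts - self.last_alert_at < cooldown
                and reason != "immediate-critical"):
            return None
        self.last_alert_at = ts
        return reason

    def _threshold_reason(self, ts, severity):
        s = self.settings
        if s.immediate_critical and severity == "critical":
            return "immediate-critical"
        window_start = ts - timedelta(minutes=s.window_minutes)
        recent = [sev for t, sev in self.events if t > window_start]  # events inside the window
        if recent.count("critical") >= s.critical_threshold:
            return "critical-threshold"
        if recent.count("high") >= s.high_threshold:
            return "high-threshold"
        if len(recent) / s.window_minutes >= s.attack_rate_threshold:
            return "attack-rate"
        return None


def demo():
    """Constructed stream: 5 criticals in 5 minutes, a 6th during cooldown, then 10 highs at 12:40."""
    ev, t0, fired = AlertEvaluator(), datetime(2024, 1, 1, 12, 0), []
    stream = [(t0 + timedelta(minutes=i), "critical") for i in range(6)]
    stream += [(t0 + timedelta(minutes=40, seconds=i), "high") for i in range(10)]
    for ts, sev in stream:
        reason = ev.record(ts, sev)
        if reason:
            fired.append((ts.strftime("%H:%M:%S"), reason))
    return fired
```

Note that the attack-rate check compares the per-minute average over the whole window, so a short burst of 20 events in one quiet minute does not trip it by itself.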
Report Schedule
· Enable Scheduled Reports: Automatically send periodic security summaries
· Report Schedule: Daily or Weekly
· Report Recipients: Comma-separated email addresses for reports
· Daily Report Hour: Hour of day to send daily reports (0-23)
· Weekly Report Day: Day of week for weekly reports (0=Sunday, 1=Monday, etc.)
DASHBOARD
The dashboard provides a real-time security overview with:
· Current Threat Level: Overall threat assessment (Low, Medium, High, Critical)
· 24-Hour Statistics:
o Total Events - All security events
o Blocked Attacks - Successfully blocked threats
o Critical Threats - High-severity incidents
o Block Rate - Percentage of blocked requests
· 24-Hour Attack Timeline: Chart showing blocked and logged events over time
· Top Attack Types: Most common attack categories with counts and percentages
· System Health: Current status, operating mode, active rules, and IP lists
· Recent Security Events: Latest 10 security incidents with severity, IP, and actions
WAF RULES
Create and manage security rules to detect and block malicious requests:
· Name: Descriptive rule name (e.g., "Block SQL UNION Attacks")
· Category: Attack type (SQL Injection, XSS, Path Traversal, Command Injection, Bot Detection, Custom)
· Pattern: Pattern to match against requests (supports regex)
· Match Type: How to match (Contains, Regex, Equals, Starts With, Ends With)
· Target Field: Where to check (URL, Header, Body, Cookie, All)
· Action: What to do when matched (Log, Block, Log and Block)
· Severity Level: Threat level 1-10 (affects dashboard metrics)
IP Whitelist & Blacklist Management
WAF Pro allows you to explicitly allow or block traffic based on IP addresses. Use cases:
· Allow trusted office or admin IPs
· Block known malicious or suspicious IPs
· Instantly stop repeated attacks from a single source
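To show how the rule fields (Match Type, Target Field, Action), the IP lists and the operating mode interact on a single request, here is an added Python model written for this documentation; it is not the plugin's engine. It assumes that Learning mode never blocks, that Passive mode's "explicit blocks" are the IP blacklist only, that Active mode also enforces rules whose action is Block or Log and Block, and that whitelisted IPs skip rule evaluation; the two rules at the bottom are constructed samples, not the plugin's built-in rule set.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    pattern: str
    match_type: str   # Contains | Regex | Equals | StartsWith | EndsWith
    target: str       # URL | Header | Body | Cookie | All
    action: str       # Log | Block | LogAndBlock
    severity: int     # 1-10
    enabled: bool = True


@dataclass
class Request:
    client_ip: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""
    cookies: dict = field(default_factory=dict)


# Admin-supplied patterns are untrusted input to the matcher; a real engine should bound regex time
MATCHERS = {
    "Contains":   lambda p, v: p.lower() in v.lower(),
    "Regex":      lambda p, v: re.search(p, v, re.IGNORECASE) is not None,
    "Equals":     lambda p, v: v == p,
    "StartsWith": lambda p, v: v.startswith(p),
    "EndsWith":   lambda p, v: v.endswith(p),
}


def target_values(req, target):
    """Strings a rule inspects for its Target Field; 'All' flattens every field."""
    fields = {"URL": [req.url], "Header": list(req.headers.values()),
              "Body": [req.body], "Cookie": list(req.cookies.values())}
    return [v for vs in fields.values() for v in vs] if target == "All" else fields[target]


def evaluate(req, rules, mode, blacklist=(), whitelist=()):
    """Return (decision, hits) for mode 'learning', 'passive' or 'active'; hits are always logged."""
    if req.client_ip in whitelist:   # trusted IPs skip rule evaluation (assumption)
        return "allow", []
    if req.client_ip in blacklist:   # explicit IP block: enforced in passive and active mode
        return ("allow" if mode == "learning" else "block"), [("ip-blacklist", 10, "Block")]
    hits = [(r.name, r.severity, r.action) for r in rules if r.enabled
            and any(MATCHERS[r.match_type](r.pattern, v) for v in target_values(req, r.target))]
    rule_blocks = any(a in ("Block", "LogAndBlock") for _, _, a in hits)
    return ("block" if mode == "active" and rule_blocks else "allow"), hits


RULES = [  # constructed samples
    Rule("Block SQL UNION Attacks", r"union\s+(all\s+)?select", "Regex", "All", "LogAndBlock", 9),
    Rule("Log Path Traversal", "../", "Contains", "URL", "Log", 6),
]
```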
User-Agent Filtering
Not all traffic comes from real users. WAF Pro helps you detect and control bots using User-Agent filtering.
What you can do:
· Block known malicious bots (scrapers, scanners, automation tools)
· Allow trusted User-Agents (payment gateways, integrations)
· Monitor unusual or unknown User-Agents