Allow blocking mode for Web Application Firewall
Problem to solve
The Web Application Firewall can passively monitor requests and report possible security violations. This is useful, but it does not prevent an attacker from gaining unintended data access.
By the time the problem is reported and addressed, it could be too late.
The WAF also has another mode: blocking. In this mode, malicious requests are blocked before they reach the application, protecting it from unauthorized access.
We should allow people to activate this mode, even if it is not the default.
Blocking mode carries the risk of blocking legitimate requests in case of false positives. This is normally a blocker for its adoption, but the feature is still useful in security-critical environments.
Users may want to leave it disabled during a "training and tuning" period for the rules, and turn it on once they are confident that the false-positive rate is very low.
Allow toggling blocking mode on the WAF. The default will remain detection only.
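The mode semantics and the "train, tune, then switch" workflow above, as an added illustration rather than GitLab's WAF code: decide() shows what differs between detection-only and blocking for the same request, and tune() works through triaged detection-only alerts to find noisy rules and check whether the remaining false-positive rate is low enough to enable blocking. The anomaly-score threshold, the rule names and the triage data are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# The two WAF modes from the issue. Detection-only stays the default.
DETECTION_ONLY = "detection"  # log the violation, let the request through
BLOCKING = "blocking"         # reject the request before it reaches the app

def decide(mode: str, anomaly_score: int, threshold: int) -> str:
    """Action taken on a request whose matched rules add up to `anomaly_score`."""
    if anomaly_score < threshold:
        return "allow"
    return "block" if mode == BLOCKING else "allow+alert"

@dataclass(frozen=True)
class Alert:  # one violation reported in detection-only mode, after human triage
    request_id: str
    rule_id: str      # constructed sample rule names, not real rule ids
    legitimate: bool  # reviewer verdict: request was benign, i.e. a false positive

# Constructed triage results from a detection-only period (not real data).
SAMPLE_ALERTS = [
    Alert("r1", "sqli-rule", False),
    Alert("r2", "sqli-rule", False),
    Alert("r3", "host-header-rule", True),
    Alert("r4", "host-header-rule", True),
    Alert("r5", "host-header-rule", False),
    Alert("r6", "file-access-rule", False),
]

def fp_rate(alerts) -> float:
    """Share of alerts that a reviewer marked as legitimate traffic."""
    return sum(a.legitimate for a in alerts) / len(alerts) if alerts else 0.0

def noisy_rules(alerts, max_rate: float) -> set:
    """Rules whose own false-positive rate exceeds `max_rate` (exclusion candidates)."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a.rule_id].append(a)
    return {rid for rid, group in by_rule.items() if fp_rate(group) > max_rate}

def tune(alerts, max_rate: float = 0.01):
    """Exclude noisy rules, then say whether blocking mode can be enabled safely."""
    excluded = noisy_rules(alerts, max_rate)
    remaining = [a for a in alerts if a.rule_id not in excluded]
    rate = fp_rate(remaining)
    return excluded, rate, rate <= max_rate
```

With the sample data, one rule accounts for every false positive; excluding it brings the remaining rate to zero, which is the point at which switching the toggle to blocking becomes defensible.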
What does success look like, and how can we measure that?
WAF with blocking mode enabled.