scaleway · RoRoJ · Apr 17, 2025
@@ -72,4 +72,4 @@ The protocol (HTTP or HTTPS) that the Edge Services pipeline should use when sen
 Edge Services WAF is currently in [Public Beta](https://www.scaleway.com/en/betas/) and available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming to the Scaleway console soon.
 </Message>
 
-An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your Load Balancer origin to determine whether they are potentially malicious. You can set the paranoia level to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more in our dedicated [reference documentation](/edge-services/reference-content/understanding-waf/).
+An Edge Services **W**eb **A**pplication **F**irewall (WAF) evaluates requests to your origin to determine whether they are potentially malicious. You can set the paranoia level to be used when evaluating requests. Requests that are judged to be malicious are then blocked or logged, depending on the settings you choose. Find out more in our dedicated [reference documentation](/edge-services/reference-content/understanding-waf/).
@@ -34,6 +34,6 @@ Yes, if you choose to [customize your Edge Services endpoint with your own subdo
 
 ## What is WAF?
 
-**W**eb **A**pplication **F**irewall is a feature available in Public Beta via Edge Services for Load Balancer origins. It is currently available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/) only, but will be coming to the Scaleway console soon.
+**W**eb **A**pplication **F**irewall is currently available in Public Beta via Edge via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/) only. It will be coming to the Scaleway console soon.
 
-When enabled, WAF filters requests to your Load Balancer origin to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
+When enabled, WAF filters requests to your Load Balancer origin or Object Storage bucket to determine whether they are potentially malicious. You can choose the [paranoia level](/edge-services/concepts/#paranoia-level) to be used when evaluating requests, and set [exclusions](/edge-services/concepts/#exclusions) to define traffic that shouldn't be filtered by WAF. Requests that are judged to be malicious are blocked or logged, depending on the settings you choose. Find out more about WAF in our [detailed documentation](/edge-services/reference-content/understanding-waf/).
@@ -8,7 +8,7 @@ meta:
   sentiment="info"
   title="Edge Services WAF is now available via the Edge Services API!"
 >
-  Web Application Firewall (WAF) for Edge Services is now in Public Beta and available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). Enable WAF to protect your Load Balancer origin from threats and malicious requests. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-waf/).
+  Web Application Firewall (WAF) for Edge Services is now in Public Beta and available via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). Enable WAF to protect your origin from threats and malicious requests. Find out more in our [dedicated documentation](/edge-services/reference-content/understanding-waf/).
 </Alert>
 
 <ProductHeader 

@@ -49,8 +49,6 @@ You can check the number of pipelines you have at any one time in the **Pipeline
 WAF is in Public Beta, and currently available free of charge and only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
 </Message>
 
-WAF is only compatible with Load Balancer origin pipelines, not with Object Storage bucket pipelines.
-
 Although it is currently available free of charge, read on to find out more about how it will be charged once in General Availability
 
 Each plan (except Starter plan) will include a fixed amount of WAF requests to use across all your pipelines. If you exceed the amount of WAF requests in a month that is allowed on your plan (or by the Starter add-on), you will be charged a fee per million additional requests.

@@ -7,7 +7,7 @@ content:
   paragraph: Learn how to protect your web applications with Edge Services Web Application Firewall (WAF). Discover the principles, paranoia levels, and limitations of WAF, and find out how to define exclusions for optimal security and performance.
 tags: edge-services web-application-firewall waf paranoia-levels exclusions
 dates:
-  validation: 2025-03-03
+  validation: 2025-04-17
   creation: 2025-03-03
 categories: 
   - network
@@ -17,17 +17,17 @@ categories:
 WAF is in Public Beta, and currently available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/). It will be coming soon to the Scaleway console.
 </Message>
 
-If your Edge Services pipeline points towards a Load Balancer origin, you can choose to enable the **W**eb **A**pplication **F**irewall (WAF) feature, for added protection. This documentation page gives a detailed overview of WAF, and the different settings, modes and functionalities available.
+You can choose to enable the **W**eb **A**pplication **F**irewall (WAF) feature on your Edge Services pipeline for added protection. This documentation page gives a detailed overview of WAF, and the different settings, modes and functionalities available.
 
 ## WAF overview
 
-When enabled, WAF protects your Load Balancer backend from potential threats.
+When enabled, WAF protects your origin from potential threats.
 
-It does so by evaluating each request to your Load Balancer origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
+It does so by evaluating each request to the origin, to determine whether it is potentially malicious. Four different rulesets can be used to evaluate requests, each more aggressive than the last. The ruleset to use is determined by the **paranoia level** set by the user.
 
 For requests judged to be malicious, WAF can either block them from passing to your origin (as shown in the diagram below), or simply log them but allow them to pass, depending on the settings you choose.
 
-You can set **exclusions**, so that certain requests are not evaluated by WAF and are allowed to pass directly to your Load Balancer origin. Exclusion filters are based on the request path and/or HTTP request type.
+You can set **exclusions**, so that certain requests are not evaluated by WAF and are allowed to pass directly to your origin. Exclusion filters are based on the request path and/or HTTP request type.
 
 <Lightbox src="scaleway-edge-services-waf-diag.webp" alt="A diagram shows how Edge Services WAF deals with three different types of HTTP request. A request meeting the criteria for WAF exclusion is passed directly to the Load Balancer origin. A benign request is first checked by the WAF rules, then allowed to pass to the Load Balancer origin. A malicious request is checked by the rules, and blocked from passing to the Load Balancer origin." />
 
@@ -92,7 +92,6 @@ Each exclusion can consist of:
 ## WAF limitations
 
 - WAF is in Public Beta, and currently available only via the [Edge Services API](https://www.scaleway.com/en/developers/api/edge-services/).
-- WAF is only compatible with Load Balancer origins. It cannot be enabled for Object Storage bucket origins.
 - WAF protects your origin only, and not your cache.
 - You can add a maximum of 100 WAF exclusions
 - You cannot currently specify exclusions at the individual rule level. Requests matching exclusion filters bypass WAF entirely.