I have two websites:

  1. www.mysite.com --> hosted on S3, served via CloudFront; a static single page app.

  2. Then I have api.mysite.com, which the front end uses.

My company is using a WAF solution from a third party, and the current monolith applications are protected by it.

For the new site, I have put api.mysite.com behind the WAF, but I am not sure if I need to put the static site behind the WAF as well or not.

This is mostly regarding protecting the site against DDoS attacks or bots etc.; we had many attacks before, so I want to make sure I do the thing the right way.


While a WAF is primarily used to protect active websites, forms, APIs, etc., there is sometimes a need to use a WAF in front of public static content as well.

For example: How to Prevent Hotlinking by Using AWS WAF, Amazon CloudFront, and Referer Checking

Another use case may be if some of your static content is not entirely public (e.g. relying on complex random filenames, not that this offers great security) and you want to limit brute-force access attempts; that's where a WAF may help too.

So the answer to your question is: yes, sometimes a WAF may be used for static content. However, these are quite specific use cases, and whether or not it's relevant to your site I can't tell.

On the other hand, even if you start without a WAF and later on you find out that something unexpected happens to your static content that may be solved with a WAF, you can turn it on then. It's not necessarily a decision you need to make at the very beginning.

Hope that helps :)
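The two use cases named in the answer above (Referer-based hotlink blocking and limiting brute-force access attempts), written out as an added example of an AWS WAFv2 rule list for a CloudFront web ACL; this is not code from the answer or from the linked AWS article. The `/assets/` path prefix, the `https://www.mysite.com/` origin and the limit of 2000 requests per 5 minutes per IP are assumed values for the asker's setup.

```json
[
  {
    "Name": "BlockHotlinkedAssets",
    "Priority": 0,
    "Action": { "Block": {} },
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "ByteMatchStatement": {
              "FieldToMatch": { "UriPath": {} },
              "PositionalConstraint": "STARTS_WITH",
              "SearchString": "/assets/",
              "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "ByteMatchStatement": {
                  "FieldToMatch": { "SingleHeader": { "Name": "referer" } },
                  "PositionalConstraint": "STARTS_WITH",
                  "SearchString": "https://www.mysite.com/",
                  "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
                }
              }
            }
          }
        ]
      }
    },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BlockHotlinkedAssets" }
  },
  {
    "Name": "RateLimitPerIP",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "RateBasedStatement": { "Limit": 2000, "AggregateKeyType": "IP" }
    },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitPerIP" }
  }
]
```

The Referer rule is scoped to the asset path on purpose: a request with no Referer at all (direct navigation, or a browser sending `Referrer-Policy: no-referrer`) fails the check, so applying it to the whole site would block the HTML shell of the single page app. Pass the file with `aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1 --rules file://rules.json`, and consider starting with `"Action": { "Count": {} }` to review sampled requests before switching to `Block`.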