Fastly Next-Gen WAF API

The Fastly Next-Gen WAF API provides programmatic access to configure and manage web application firewall rules that protect applications delivered through Fastly's edge network. It enables developers to manage WAF firewall configurations, rule sets, and exclusions to defend against common web attacks including SQL injection, cross-site scripting, and other OWASP Top 10 vulnerabilities.

OpenAPI Specification

fastly-waf-openapi.yml
openapi: 3.1.0
info:
  title: Fastly Next-Gen WAF API
  description: >-
    The Fastly Next-Gen WAF API provides programmatic access to configure and
    manage web application firewall rules that protect applications delivered
    through Fastly's edge network. It enables developers to manage WAF
    firewall configurations, rule sets, and exclusions to defend against
    common web attacks including SQL injection, cross-site scripting, and
    other OWASP Top 10 vulnerabilities. The API supports managing active
    rules, reviewing firewall events, and configuring response behaviors for
    detected threats.
  version: '1.0'
  contact:
    name: Fastly Support
    url: https://support.fastly.com
  termsOfService: https://www.fastly.com/terms
externalDocs:
  description: Fastly Next-Gen WAF API Documentation
  url: https://www.fastly.com/documentation/reference/api/waf/
servers:
  - url: https://api.fastly.com
    description: Fastly API Production Server
tags:
  - name: WAF Active Rules
    description: >-
      Operations for managing which WAF rules are actively enforced on a
      firewall.
  - name: WAF Exclusions
    description: >-
      Operations for managing WAF exclusions that prevent specific requests
      from being flagged by the firewall.
  - name: WAF Firewalls
    description: >-
      Operations for managing WAF firewall instances associated with Fastly
      services.
  - name: WAF Rules
    description: >-
      Operations for managing WAF rules that define detection and response
      behaviors for web attacks.
security:
  - apiKeyAuth: []
paths:
  /waf/firewalls:
    get:
      operationId: listWafFirewalls
      summary: List WAF firewalls
      description: >-
        Retrieves a list of all WAF firewall instances associated with the
        account.
      tags:
        - WAF Firewalls
      parameters:
        - name: page[number]
          in: query
          description: >-
            The page number to retrieve.
          schema:
            type: integer
        - name: page[size]
          in: query
          description: >-
            The number of items per page.
          schema:
            type: integer
        - name: filter[service_id]
          in: query
          description: >-
            Filter firewalls by service ID.
          schema:
            type: string
        - name: include
          in: query
          description: >-
            Related resources to include in the response.
          schema:
            type: string
      responses:
        '200':
          description: Successfully retrieved the list of WAF firewalls.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/WafFirewall'
        '401':
          description: Unauthorized. The API token is missing or invalid.
    post:
      operationId: createWafFirewall
      summary: Create a WAF firewall
      description: >-
        Creates a new WAF firewall instance associated with a Fastly service.
      tags:
        - WAF Firewalls
      requestBody:
        required: true
        content:
          application/vnd.api+json:
            schema:
              type: object
              properties:
                data:
                  type: object
                  properties:
                    type:
                      type: string
                      enum:
                        - waf_firewall
                    attributes:
                      type: object
                      properties:
                        service_id:
                          type: string
                          description: >-
                            The ID of the service to attach the firewall to.
                        service_version_number:
                          type: integer
                          description: >-
                            The version number of the service.
                        prefetch_condition:
                          type: string
                          description: >-
                            The condition that controls when the firewall is
                            applied.
                        response:
                          type: string
                          description: >-
                            The name of the response object for blocked
                            requests.
      responses:
        '201':
          description: Successfully created the WAF firewall.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WafFirewall'
        '400':
          description: Bad request. Missing or invalid parameters.
        '401':
          description: Unauthorized. The API token is missing or invalid.
  /waf/firewalls/{firewall_id}:
    get:
      operationId: getWafFirewall
      summary: Get a WAF firewall
      description: >-
        Retrieves the details of a specific WAF firewall instance.
      tags:
        - WAF Firewalls
      parameters:
        - $ref: '#/components/parameters/firewallId'
      responses:
        '200':
          description: Successfully retrieved the WAF firewall.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WafFirewall'
        '401':
          description: Unauthorized. The API token is missing or invalid.
        '404':
          description: WAF firewall not found.
    patch:
      operationId: updateWafFirewall
      summary: Update a WAF firewall
      description: >-
        Updates the configuration of a specific WAF firewall instance.
      tags:
        - WAF Firewalls
      parameters:
        - $ref: '#/components/parameters/firewallId'
      requestBody:
        required: true
        content:
          application/vnd.api+json:
            schema:
              type: object
              properties:
                data:
                  type: object
                  properties:
                    type:
                      type: string
                      enum:
                        - waf_firewall
                    attributes:
                      type: object
                      properties:
                        service_version_number:
                          type: integer
                          description: >-
                            The version number of the service.
                        prefetch_condition:
                          type: string
                          description: >-
                            The condition that controls when the firewall is
                            applied.
                        response:
                          type: string
                          description: >-
                            The name of the response object for blocked
                            requests.
      responses:
        '200':
          description: Successfully updated the WAF firewall.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WafFirewall'
        '401':
          description: Unauthorized. The API token is missing or invalid.
        '404':
          description: WAF firewall not found.
    delete:
      operationId: deleteWafFirewall
      summary: Delete a WAF firewall
      description: >-
        Deletes a specific WAF firewall instance.
      tags:
        - WAF Firewalls
      parameters:
        - $ref: '#/components/parameters/firewallId'
      requestBody:
        required: true
        content:
          application/vnd.api+json:
            schema:
              type: object
              properties:
                data:
                  type: object
                  properties:
                    type:
                      type: string
                      enum:
                        - waf_firewall
                    attributes:
                      type: object
                      properties:
                        service_version_number:
                          type: integer
                          description: >-
                            The version number of the service.
      responses:
        '204':
          description: Successfully deleted the WAF firewall.
        '401':
          description: Unauthorized. The API token is missing or invalid.
        '404':
          description: WAF firewall not found.
  /waf/rules:
    get:
      operationId: listWafRules
      summary: List WAF rules
      description: >-
        Retrieves a list of all available WAF rules.
      tags:
        - WAF Rules
      parameters:
        - name: page[number]
          in: query
          description: >-
            The page number to retrieve.
          schema:
            type: integer
        - name: page[size]
          in: query
          description: >-
            The number of items per page.
          schema:
            type: integer
        - name: filter[waf_tags][name]
          in: query
          description: >-
            Filter rules by tag name.
          schema:
            type: string
      responses:
        '200':
          description: Successfully retrieved the list of WAF rules.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/WafRule'
        '401':
          description: Unauthorized. The API token is missing or invalid.
  /waf/rules/{waf_rule_id}:
    get:
      operationId: getWafRule
      summary: Get a WAF rule
      description: >-
        Retrieves the details of a specific WAF rule.
      tags:
        - WAF Rules
      parameters:
        - name: waf_rule_id
          in: path
          required: true
          description: >-
            The alphanumeric string identifying the WAF rule.
          schema:
            type: string
      responses:
        '200':
          description: Successfully retrieved the WAF rule.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WafRule'
        '401':
          description: Unauthorized. The API token is missing or invalid.
        '404':
          description: WAF rule not found.
  /waf/firewalls/{firewall_id}/versions/{firewall_version_number}/active-rules:
    get:
      operationId: listWafActiveRules
      summary: List active WAF rules
      description: >-
        Retrieves a list of all active WAF rules for a specific firewall
        version.
      tags:
        - WAF Active Rules
      parameters:
        - $ref: '#/components/parameters/firewallId'
        - $ref: '#/components/parameters/firewallVersionNumber'
        - name: page[number]
          in: query
          description: >-
            The page number to retrieve.
          schema:
            type: integer
        - name: page[size]
          in: query
          description: >-
            The number of items per page.
          schema:
            type: integer
      responses:
        '200':
          description: Successfully retrieved the list of active WAF rules.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/WafActiveRule'
        '401':
          description: Unauthorized. The API token is missing or invalid.
    post:
      operationId: createWafActiveRule
      summary: Add an active WAF rule
      description: >-
        Adds a WAF rule to the active rule set for a specific firewall version.
      tags:
        - WAF Active Rules
      parameters:
        - $ref: '#/components/parameters/firewallId'
        - $ref: '#/components/parameters/firewallVersionNumber'
      requestBody:
        required: true
        content:
          application/vnd.api+json:
            schema:
              type: object
              properties:
                data:
                  type: object
                  properties:
                    type:
                      type: string
                      enum:
                        - waf_active_rule
                    attributes:
                      type: object
                      properties:
                        status:
                          type: string
                          description: >-
                            The status of the active rule.
                          enum:
                            - log
                            - block
                        modsec_rule_id:
                          type: integer
                          description: >-
                            The ModSecurity rule ID.
                        revision:
                          type: integer
                          description: >-
                            The revision number of the rule.
                    relationships:
                      type: object
                      properties:
                        waf_rule_revision:
                          type: object
                          description: >-
                            The WAF rule revision to activate.
      responses:
        '201':
          description: Successfully added the active WAF rule.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WafActiveRule'
        '400':
          description: Bad request. Missing or invalid parameters.
        '401':
          description: Unauthorized. The API token is missing or invalid.
  /waf/firewalls/{firewall_id}/versions/{firewall_version_number}/exclusions:
    get:
      operationId: listWafExclusions
      summary: List WAF exclusions
      description: >-
        Retrieves a list of all WAF exclusions for a specific firewall version.
        Exclusions prevent requests matching a particular pattern from being
        flagged by the firewall.
      tags:
        - WAF Exclusions
      parameters:
        - $ref: '#/components/parameters/firewallId'
        - $ref: '#/components/parameters/firewallVersionNumber'
        - name: page[number]
          in: query
          description: >-
            The page number to retrieve.
          schema:
            type: integer
        - name: page[size]
          in: query
          description: >-
            The number of items per page.
          schema:
            type: integer
      responses:
        '200':
          description: Successfully retrieved the list of WAF exclusions.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/WafExclusion'
        '401':
          description: Unauthorized. The API token is missing or invalid.
    post:
      operationId: createWafExclusion
      summary: Create a WAF exclusion
      description: >-
        Creates a new WAF exclusion for a specific firewall version.
      tags:
        - WAF Exclusions
      parameters:
        - $ref: '#/components/parameters/firewallId'
        - $ref: '#/components/parameters/firewallVersionNumber'
      requestBody:
        required: true
        content:
          application/vnd.api+json:
            schema:
              type: object
              properties:
                data:
                  type: object
                  properties:
                    type:
                      type: string
                      enum:
                        - waf_exclusion
                    attributes:
                      type: object
                      properties:
                        name:
                          type: string
                          description: >-
                            The name of the exclusion.
                        exclusion_type:
                          type: string
                          description: >-
                            The type of exclusion.
                          enum:
                            - rule
                            - variable
                            - waf
                        condition:
                          type: string
                          description: >-
                            The VCL condition expression for the exclusion.
      responses:
        '201':
          description: Successfully created the WAF exclusion.
          content:
            application/vnd.api+json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WafExclusion'
        '400':
          description: Bad request. Missing or invalid parameters.
        '401':
          description: Unauthorized. The API token is missing or invalid.
components:
  securitySchemes:
    apiKeyAuth:
      type: apiKey
      in: header
      name: Fastly-Key
      description: >-
        API token used to authenticate requests to the Fastly API.
  parameters:
    firewallId:
      name: firewall_id
      in: path
      required: true
      description: >-
        The alphanumeric string identifying the WAF firewall.
      schema:
        type: string
    firewallVersionNumber:
      name: firewall_version_number
      in: path
      required: true
      description: >-
        The version number of the WAF firewall.
      schema:
        type: integer
  schemas:
    WafFirewall:
      type: object
      description: >-
        A WAF firewall instance associated with a Fastly service.
      properties:
        id:
          type: string
          description: >-
            The alphanumeric string identifying the WAF firewall.
        type:
          type: string
          description: >-
            The resource type.
          enum:
            - waf_firewall
        attributes:
          type: object
          properties:
            service_id:
              type: string
              description: >-
                The ID of the associated service.
            service_version_number:
              type: integer
              description: >-
                The service version number.
            active_rules_fastly_block_count:
              type: integer
              description: >-
                The number of active rules in block mode managed by Fastly.
            active_rules_fastly_log_count:
              type: integer
              description: >-
                The number of active rules in log mode managed by Fastly.
            active_rules_owasp_block_count:
              type: integer
              description: >-
                The number of active OWASP rules in block mode.
            active_rules_owasp_log_count:
              type: integer
              description: >-
                The number of active OWASP rules in log mode.
            created_at:
              type: string
              format: date-time
              description: >-
                The date and time the firewall was created.
            updated_at:
              type: string
              format: date-time
              description: >-
                The date and time the firewall was last updated.
    WafRule:
      type: object
      description: >-
        A WAF rule that defines detection logic for a specific type of
        web attack.
      properties:
        id:
          type: string
          description: >-
            The alphanumeric string identifying the WAF rule.
        type:
          type: string
          description: >-
            The resource type.
          enum:
            - waf_rule
        attributes:
          type: object
          properties:
            modsec_rule_id:
              type: integer
              description: >-
                The ModSecurity rule ID.
            type:
              type: string
              description: >-
                The type of the rule.
            severity:
              type: integer
              description: >-
                The severity level of the rule.
            source:
              type: string
              description: >-
                The source of the rule.
    WafActiveRule:
      type: object
      description: >-
        An active WAF rule that is currently enforced on a firewall.
      properties:
        id:
          type: string
          description: >-
            The alphanumeric string identifying the active rule.
        type:
          type: string
          description: >-
            The resource type.
          enum:
            - waf_active_rule
        attributes:
          type: object
          properties:
            status:
              type: string
              description: >-
                The enforcement status of the rule.
              enum:
                - log
                - block
            modsec_rule_id:
              type: integer
              description: >-
                The ModSecurity rule ID.
            revision:
              type: integer
              description: >-
                The revision number of the rule.
            created_at:
              type: string
              format: date-time
              description: >-
                The date and time the active rule was created.
            updated_at:
              type: string
              format: date-time
              description: >-
                The date and time the active rule was last updated.
    WafExclusion:
      type: object
      description: >-
        A WAF exclusion that prevents specific requests from being flagged
        by the firewall.
      properties:
        id:
          type: string
          description: >-
            The alphanumeric string identifying the exclusion.
        type:
          type: string
          description: >-
            The resource type.
          enum:
            - waf_exclusion
        attributes:
          type: object
          properties:
            name:
              type: string
              description: >-
                The name of the exclusion.
            exclusion_type:
              type: string
              description: >-
                The type of exclusion.
              enum:
                - rule
                - variable
                - waf
            condition:
              type: string
              description: >-
                The VCL condition expression for the exclusion.
            number:
              type: integer
              description: >-
                The exclusion number.
            created_at:
              type: string
              format: date-time
              description: >-
                The date and time the exclusion was created.
            updated_at:
              type: string
              format: date-time
              description: >-
                The date and time the exclusion was last updated.
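
An added example (not part of the specification above or of any Fastly tooling) of a posture check built on the `listWafActiveRules` and `listWafExclusions` operations: it constructs the requests as the spec describes them and audits responses shaped like the `WafActiveRule` and `WafExclusion` schemas. The sample data, the finding names, and the reading of `exclusion_type: waf` as the broadest exclusion are assumptions; the spec only lists the enum values.

```python
from urllib.parse import urlencode
from urllib.request import Request

BASE = "https://api.fastly.com"  # servers[0].url in the spec


def build_list_request(token, firewall_id, version, resource, page=1, size=100):
    """Build (without sending) the GET for a firewall version's sub-resource."""
    if resource not in ("active-rules", "exclusions"):
        raise ValueError("resource must be 'active-rules' or 'exclusions'")
    fid = str(firewall_id)
    if not (fid.isascii() and fid.isalnum()):  # spec: firewall_id is alphanumeric
        raise ValueError("firewall_id must be alphanumeric")
    query = urlencode({"page[number]": int(page), "page[size]": int(size)})
    url = f"{BASE}/waf/firewalls/{fid}/versions/{int(version)}/{resource}?{query}"
    # apiKeyAuth in the spec: the token travels in the Fastly-Key header.
    return Request(url, headers={"Fastly-Key": token,
                                 "Accept": "application/vnd.api+json"})


def audit(active_rule_pages, exclusion_pages):
    """Return sorted (finding, identifier) pairs across all response pages."""
    findings = []
    for doc in active_rule_pages:
        for item in doc.get("data", []):
            attrs = item.get("attributes", {})
            rule = str(attrs.get("modsec_rule_id"))
            status = attrs.get("status")
            if status == "log":          # rule matches are logged, not blocked
                findings.append(("log-only-rule", rule))
            elif status != "block":      # outside the spec's enum, or missing
                findings.append(("unknown-status", rule))
    for doc in exclusion_pages:
        for item in doc.get("data", []):
            attrs = item.get("attributes", {})
            name = attrs.get("name") or item.get("id", "?")
            # Assumption: 'waf' is the widest of rule / variable / waf.
            if attrs.get("exclusion_type") == "waf":
                findings.append(("waf-wide-exclusion", name))
            # Heuristic: an exclusion with no VCL condition needs a human look.
            if not (attrs.get("condition") or "").strip():
                findings.append(("exclusion-without-condition", name))
    return sorted(findings)


# Constructed sample pages (parsed JSON:API bodies); ids and rule numbers are made up.
ACTIVE_PAGES = [
    {"data": [
        {"id": "ar1", "type": "waf_active_rule",
         "attributes": {"status": "block", "modsec_rule_id": 1000001, "revision": 1}},
        {"id": "ar2", "type": "waf_active_rule",
         "attributes": {"status": "log", "modsec_rule_id": 1000002, "revision": 3}}]},
    {"data": [
        {"id": "ar3", "type": "waf_active_rule",
         "attributes": {"modsec_rule_id": 1000003, "revision": 1}}]},
]
EXCLUSION_PAGES = [
    {"data": [
        {"id": "ex1", "type": "waf_exclusion",
         "attributes": {"name": "health-check", "exclusion_type": "rule",
                        "condition": 'req.url.path == "/healthz"'}},
        {"id": "ex2", "type": "waf_exclusion",
         "attributes": {"name": "partner-api", "exclusion_type": "waf",
                        "condition": 'req.url.path ~ "^/partner/"'}},
        {"id": "ex3", "type": "waf_exclusion",
         "attributes": {"name": "legacy", "exclusion_type": "variable",
                        "condition": ""}}]},
]

if __name__ == "__main__":
    for finding in audit(ACTIVE_PAGES, EXCLUSION_PAGES):
        print(*finding)
```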