View examples of some common use cases, with screenshots illustrating how to implement the scenarios using Imperva security rules.

Note: For full details on creating custom rules and the available filters, see:

Application hardening

Restrict HTTP methods

Block specific HTTP methods. You can also apply the rule to specific IPs or URLs.

Method != PUT;HEAD;OPTIONS;TRACE;POST

Prevent a known CSRF in your site

Block requests to a sensitive URL that do not originate from the site itself, such as requests triggered from email links. In effect, this rule prevents Cross-Site Request Forgery attempts against that URL.

URL contains "/transfer_money" & Referer not-contains "^https://www.mybankingsite.com"

Malformed ID

Block illegal connections to malformed IDs. The rule below gives an example of a URL where the query starts with % or a space (URL decoder). Rules of this type can add another layer of security for GET methods, but they are specific to each website.

URL contains "CategoryDisplay" & Full-URL contains "categoryId=%"

Rate limiting

Request rate limiting

Limit requests per session, per minute.

In this example, the rule is triggered when the rate of requests per session is 500 or more per minute for a single client session (between client and Imperva), and the client is not Googlebot (SearchBot). You can also replace the Client ID with Client Type (SearchBot).

Rate >= {request-rate-session;500} & ClientId != 6

Dynamic rate limiting

In this example, the rule is triggered when the rate of requests per IP is 20 or more per minute, and the client is not Googlebot (SearchBot).

It can be used to generate an alert for tracking purposes. Alternatively, you can add a header to the specified clients using a Delivery Rules rewrite header.

Rate >= {dynamic-content-rate-ip;20} & ClientId != 6
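Before either rate rule is given a blocking action, replaying recorded traffic against the same thresholds shows which sessions and IPs would trigger it. The Python below is an added example, not Imperva code: it applies the 500-per-session and 20-per-IP thresholds, with the ClientId != 6 exclusion, to constructed events. The event tuple layout, the client ID 999 placeholder, the sliding 60-second window, and counting every request (dynamic content is not singled out) are assumptions made for illustration.

```python
from collections import defaultdict, deque

GOOGLEBOT_CLIENT_ID = 6   # the client ID the page's rules exclude
WINDOW_MS = 60_000        # assumption: "per minute" modelled as a sliding 60 s window
OTHER_CLIENT_ID = 999     # constructed placeholder for any non-Googlebot client

def build_sample_events():
    """Constructed events: (timestamp_ms, session_id, client_ip, client_id)."""
    events = []
    # One session sending 600 requests in 30 s.
    events += [(1_000_000 + i * 50, "s-burst", "198.51.100.7", OTHER_CLIENT_ID) for i in range(600)]
    # The same burst from Googlebot, which the rules exempt.
    events += [(1_000_000 + i * 50, "s-bot", "203.0.113.9", GOOGLEBOT_CLIENT_ID) for i in range(600)]
    # One request per minute for 25 minutes: many requests, low rate.
    events += [(1_000_000 + i * 60_000, "s-slow", "192.0.2.4", OTHER_CLIENT_ID) for i in range(25)]
    # Three sessions behind one shared IP, 10 requests each within 10 s.
    for n in range(3):
        events += [(2_000_000 + i * 1000, f"s-nat-{n}", "192.0.2.50", OTHER_CLIENT_ID) for i in range(10)]
    return sorted(events)

def rate_rule_hits(events, key_field, threshold):
    """Map each key (session or IP) to the time its rate first reached threshold."""
    field = {"session": 1, "ip": 2}[key_field]
    windows = defaultdict(deque)
    hits = {}
    for event in events:
        ts, client_id = event[0], event[3]
        if client_id == GOOGLEBOT_CLIENT_ID:
            continue                      # ClientId != 6
        window = windows[event[field]]
        window.append(ts)
        while window[0] <= ts - WINDOW_MS:
            window.popleft()              # drop requests older than one minute
        if len(window) >= threshold:
            hits.setdefault(event[field], ts)
    return hits

if __name__ == "__main__":
    events = build_sample_events()
    print("session rule (500/min):", rate_rule_hits(events, "session", 500))
    print("ip rule (20/min):", rate_rule_hits(events, "ip", 20))
```

In the constructed data, the three sessions behind the shared IP stay far below the per-session threshold yet trip the per-IP one together, which is the case to check for before a per-IP rule is set to block.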

Alert on high rate of malicious requests

By default, Imperva blocks specific requests, and not the entire user session or IP. The AttacksCount parameter enables you to add another level of security by deciding to block or create an alert for a single session generating more than <x> malicious requests.

AttacksCount >= 250

Advanced Access Control (ACL)

Alert on requests from a specific location

Using the security settings options in the Cloud Security Console (Websites > Settings > Security) you can block requests from a specific country. This example shows a rule that is configured to alert, and provides a higher level of granularity by filtering for specific client types.

CountryCode == GB & ClientType != Browser;SearchBot

Alert on admin panel request from outside of your office's IP

Set an alert action if someone from outside your office requests your admin panel.

URL contains "/admin" & ClientIP != 10.10.10.10

Advanced security rules

Block malicious IP addresses

Block IP addresses that are associated with known malicious activity using out-of-the-box filters.

MaliciousIPList == TorIPs | MaliciousIPList == AnonymousProxyIPs

Block requests that are bypassing your referrer URL

You may have an endpoint that should be accessed only via a referring page. Bypassing that referring page may indicate malicious activity that you want to block.

URL == "/checkout" & Referer not-contains "/cart"
