Book IndexHideShow
Back to topic

Cloud Application Security

Web Protection – Introduction

Web Protection – Introduction

Imperva’s Web Protection is a 100% cloud based solution for protecting websites and applications from external threats including: OWASP top 10 threats, hacking attempts, malicious bots, scraping, and DDoS attacks.

At the core of Imperva’s Web Protection are our security reverse proxy and Web Application Firewall (WAF) in the cloud, which are deployed across our globally distributed CDN network. Organizations using Web Protection route their website traffic through the Imperva network by performing a simple DNS change. This enables Imperva to inspect each and every request sent to the website and filter out any kind of malicious activity.


  • PCI certified Web Application Firewall
  • Service is backed by Imperva’s security team for updating and tuning security rules
  • Easy and quick implementation - usually no rule tuning is required
  • Bot mitigation using Imperva’s advanced client classification technology
  • Backdoor Protection to identify and quarantine backdoors planted on your website
  • Custom security logic using security rules
  • Granular access controls based on IPs, URLs, location and client type
  • Seamless implementation of two-factor authentication
  • Real-time dashboard for traffic monitoring and event analysis
  • REST API and SIEM integration of access and security logs

How Does Web Protection Work?

Imperva’s Web Protection is based on a network of secure reverse proxies deployed on our globally distributed CDN. Web traffic that is routed through the Imperva network is terminated by those proxies, allowing Imperva to inspect each and every request to the website and identify and block any malicious activity.

Organizations using Web Protection update their domain DNS to point to a unique hostname (CNAME) provided by Imperva (e.g., This hostname is dynamically resolved for every website visitor, making sure each visitor is served by the closest Imperva data center.

Web Application Firewall

Imperva’s secure proxy and Web Application Firewall (WAF) inspect every request at three levels: the connection level, the request format and structure level, and the content level. The WAF matches the HTTP/S requests against a set of security engines, known attack patterns, heuristic rules, anomaly detection and known "good" patterns. Each visitor is also profiled and matched against a large set of known client signatures. These components allow Imperva to automatically filter out bad actors and enable organizations to define their access policy for bots.

Personal Data Protection

Imperva's reverse proxies include over 50 patterns used to recognize personally identifiable information (PII) such as credit card numbers, email addresses, or phone numbers.

Imperva reverse proxies analyze incoming requests and search for data that matches these patterns. When a match is found, we immediately perform irreversible masking in memory (RAM), in real-time. Logs generated in the proxy use the masked data. This mechanism ensures that personal data is never written to disk.

These patterns are fully configurable and can be enhanced per customer, per website. Our customers can expand the list of patterns as needed to cover additional information that they consider to be sensitive.

The current definition and the ability to add new patterns is configured by Support.

DDoS Mitigation

Websites using Imperva DDoS Protection are protected from any type of DDoS attack, including both network (Layer 3 and 4) and application (Layer 7) attacks. Imperva’s secure HTTP proxy terminates TCP connections, acting as a buffer between the Internet and the origin server and filtering out any kind of DDoS attack, such as SYN floods and UDP floods. Only legitimate TCP sessions are forwarded to the origin server.

Layer 7 DDoS attacks are mitigated by a dedicated engine that can distinguish between legitimate visitors and DDoS bots. This engine leverages Imperva’s client classification technology, as well as unique capabilities to challenge suspected visitors and verify their authenticity, without impacting the website's normal user experience.

Security Operations Center

Imperva Web Protection is backed up by a team of security experts who are responsible for keeping the Web Application Firewall and other security engines up to date and accurate. The research team monitors external sources such as new vulnerability disclosures and analyzes all traffic going through Imperva. Any new attack identified on the network is automatically analyzed, and new mitigation rules are propagated to all Web Protection customers. All rules go through a vetting phase in which they are deployed across the network but only generate alerts. Those alerts are analyzed by the security team and, if required, adjustments are made to make sure that new rules do not create false positives.


Websites that support SSL are required to provision an SSL certificate on Imperva. Imperva maintains two types of certificates. The first is an Imperva-generated certificate that can be automatically created and integrated using the new site wizard. Organizations using Web Protection can also upload their own certificate, which will be presented to SNI-supporting clients instead of the Imperva-generated certificate. See Web Protection - SSL/TLS for more information.

Web Protection can be deployed as an always-on solution (the most common scenario) or as an on-demand solution for DDoS mitigation.

Traffic Flow

Understand the behind-the-scenes flow of an end user visit to a website protected by Imperva’s Web Protection.

Before Adding the Domain to Imperva

  1. A visitor opens a web browser and types in your website’s URL (for example,
  2. The web browser queries its DNS server for the IP address associated with and receives your origin server IP address.
  3. The web browser sends requests to the origin server IP address, which are routed through the Internet to your ISP or hosting provider.

After Adding the Domain to Imperva

  1. A visitor opens a web browser and types in your website’s URL (for example,
  2. The web browser queries its DNS server for the IP address associated with and receives the Imperva CNAME you configured in your DNS (for example,
  3. The web browser queries its DNS server for the IP address associated with and receives the IP address of the nearest Imperva data center.
  4. The web browser sends requests for to the IP address of the nearest Imperva data center.
  5. The request is accepted by the Imperva secure proxy and inspected for any security risk.
  6. If the request does not pose any threat, it is either responded to directly from Imperva’s cache or forwarded to the origin server (if the resource is dynamic and cannot be cached).
  7. Responses from the origin server are accepted by the Imperva secure proxy and then forwarded back to the visitor’s web browser.

How To

Read More

Join the Discussion