Update WAF documentation with expanded security details#1132
Merged
Update WAF documentation with expanded security details#1132
Conversation
Protection against exploits — expanded to mention: - IP reputation lists (including AWS') and managed rules for known attack patterns - Blocking of sensitive files, system paths, and XML-RPC API - Proactive rule updates for newly discovered vulnerabilities (without mentioning the advance notice agreement) Protection against request floods — expanded with: - Layers 3, 4, and 7 breakdown (network, transport, application) - Three tiers of rate limits described generically: CDN-level, per-container (dynamic pages), and sensitive pages (login/admin) — no exact numbers - I also mentioned the self-service allow-lists (but couldn't find a page to point to) New "Monitoring & alerting" section — covers: - 24/7/365 global on-call team with multiple tiers - Internal metrics (CPU, memory, disk, scaling, network) and external metrics (error rates) - Urgent support ticket alerting New "Incident response" section — covers: - Tiered escalation (primary → secondary → tertiary → leadership) without exact timeframes - Five-step incident process: creation, customer notification, updates, report, root cause analysis I specifically didn't mention: - Exact rate limit numbers - Specific error rate thresholds - Exact escalation timeframes - Details about advance WordPress vulnerability notice agreements - Internal tooling names like PagerDuty Fixes: humanmade/altis-documentation#602
mikelittle
requested review from
ferschubert-hm,
filter182,
jerico,
rmccue,
vladislavhmn and
wisyhambolu
Contributor
Author
|
@rmccue A reminder you wanted final approval on this PR |
rmccue
previously requested changes
Mar 10, 2026
Co-authored-by: Ryan McCue <me@ryanmccue.info>
joehoyle
approved these changes
Mar 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated the following sections:
Protection against exploits — expanded to mention:
Protection against request floods — expanded with:
New "Monitoring & alerting" section — covers:
New "Incident response" section — covers:
I specifically didn't mention:
Exact rate limit numbers
Specific error rate thresholds
Exact escalation timeframes
Details about advance WordPress vulnerability notice agreements
Internal tooling names like PagerDuty
Fixes: Add some more information about our WAF set up to the documentation altis-documentation#602