You are viewing the legacy StackPath SecureCDN Help Center. Please use if you signed up after July 1, 2018 or log in through

StackPath Support

WAF Action Priorities

This article provides an overview of possible actions the StackPath WAF can take on incoming traffic. There are five different actions that both pre-defined and custom WAF rules can take.

Rules are displayed and processed in the priority listed below from top to bottom:  

  1. Monitor
  2. Allow
  3. Block
  4. Captcha
  5. Extended Browser Validation

It is very important that when creating or troubleshooting WAF Rules, pre-defined or custom, the priority is taken into consideration. It is possible a newly created rule is either being superseded by another rule that is causing the newly created rule to not work as intended. 

An example of WAF Rule Prioritization: 

In this example, we will look at how an "Allow" takes priority over a "Block" rule.

  1. Open the custom rules section (WAF Rules)
  2. Create Rule #1:
    Allow IP:
  3. Setup Rule #2:
    Create specific Country where you are currently located
  4. Test: 
    Access the site 

The result of this example will be that access will be "Allowed" because the "Allow" rule takes priority over the "Block" rule. 


Monitor rules are perfect for testing out potential Extended Browser Validation, Captcha, and Block rules. With a monitor rule, you can check what specific traffic will be affected before setting up a rule in production that might negatively impact customers. 

Example Monitor Rule

  1. Create Rule: If URL ==, Then all traffic to will be monitored. 



Allow actions allow all traffic for bots and users to the URL specified. 

Example Allow Rule:

The example rule we will be showing will allow only a specific IP address to access the WordPress Administration Page of a site. 

  1. Create Rule: If URL == /wp-admin, and IP={your ip address} 


This action simply blocks all traffic and displays a message to end users. 

Example URL Block Rule 1

  1. Create Rule: If URL ==, Then Block

That will mean that any traffic that will go to will be blocked (bots and users)

Example Location Block Rule 2

This rule will block all traffic, both bots, and users, from Argentina 

  1. Create Rule: If Country == Argentina, Then Block

Each rule will produce the same style of block messaging as shown in the screenshot below. 

Example block messaging style


Captcha rules require an image based challenge question be passed to allow a user to access the URL in the rule. Captcha images are random and generated by our secure server. 

Example of Captcha

  1. Create Rule: If URL ==, Then require captcha

Example captcha messaging style

Extended Browser Validation

Extended Browser Validation ensures request to your site and assets are legitimate and not coming from a bot or site scraper. Before a user can access the site or an automated process runs that checks to ensure a user is a real person and not malicious bot or DDoS attack. This process typically takes a second to complete but might take longer depending on the user's connection and PC speed.

Example of Extended Browser Validation

This test will require any traffic that is sent to will be required to pass an extended browser validation (bots and users).

  • Create Rule: If URL ==, Then require Extended Browser Validation 

During the time the Extended Browser Validation is running, users will see a temporary "loading" image.

StackPath extended browser validation

Return to top