Beyond static ACLs
A Web Application Firewall terminates or inspects HTTP(S) and can score clients by behavior (JWT abuse, credential stuffing, scanner fingerprints). IP actions may be temporary, geographic, or tied to ASNs—not only static deny lists.
Enterprise deployment
WAFs sit at the edge (CDN, load balancer plugin, or reverse proxy). Security teams integrate them with SIEM/SOAR so that automated IP blocks open tickets and expire with a TTL rather than accumulating forever. The WAF only protects traffic that passes through it, so origin lock-down still relies on network ACLs (only the edge's address ranges may reach the origin) and mutual TLS where applicable; otherwise an attacker who learns the origin address talks to it directly and the WAF never sees the request.
False positives
Corporate NAT egress can put hundreds of users behind one address, so aggressive per-IP throttling blocks legitimate bursts (for example right after a release). Use staged rules (log-only before block), allowlists for trusted scanners, and limits keyed on sessions, credentials or other header-derived signals rather than on IP alone.
Rule phases and inspection depth
Managed rulesets (for example OWASP CRS) run on ModSecurity-style engines that evaluate rules in phases (request headers, request body, response headers, response body, logging), so a request passes normalization, IP reputation and method enforcement, and argument inspection before outbound checks catch leaked stack traces or data. Custom rules often combine rate limits (token buckets per URI or per credential), geo fences, and bot scores derived from TLS fingerprints and header-order anomalies, not just the raw IP.
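The per-credential token bucket and the temporary, self-expiring block described above, together with the NAT false-positive case from the previous section, as one added example in Python. This is illustrative code written for this page, not a WAF vendor's implementation; the addresses, session identifiers and the "40 users behind one NAT address" traffic are constructed.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float

    def take(self, now: float, cost: float = 1.0) -> bool:
        # Refill in proportion to elapsed time, capped at capacity, then try to spend.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Throttle:
    """Per-key token buckets plus temporary blocks that lapse after block_ttl seconds."""

    def __init__(self, capacity: float, refill_per_sec: float, block_ttl: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.block_ttl = block_ttl
        self.buckets = {}
        self.blocked_until = {}

    def check(self, key: str, now: float) -> str:
        # Returns "allow" or "blocked". A block is only a timestamp: once it lies in
        # the past the key is treated as new, so nothing ever needs to be "unblocked".
        if self.blocked_until.get(key, 0.0) > now:
            return "blocked"
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill_per_sec, self.capacity, now)
        if bucket.take(now):
            return "allow"
        # Bucket empty: block this key for block_ttl seconds (the TTL the text describes).
        self.blocked_until[key] = now + self.block_ttl
        return "blocked"


def throttle_key(request: dict) -> str:
    # Prefer a per-credential key (session cookie, API key, JWT subject); fall back to IP.
    cred = request.get("session") or request.get("api_key")
    return "cred:" + cred if cred else "ip:" + request["ip"]


def simulate(capacity: float = 50, refill: float = 10.0, block_ttl: float = 60.0):
    """Constructed burst: 40 users behind one NAT address, 5 requests each, all at t=0."""
    nat_ip = "203.0.113.10"  # constructed corporate NAT egress address
    requests = [{"ip": nat_ip, "session": f"s{u}"} for u in range(40) for _ in range(5)]
    by_ip = Throttle(capacity, refill, block_ttl)
    by_cred = Throttle(capacity, refill, block_ttl)
    ip_blocked = sum(by_ip.check("ip:" + r["ip"], now=0.0) == "blocked" for r in requests)
    cred_blocked = sum(by_cred.check(throttle_key(r), now=0.0) == "blocked" for r in requests)
    # Keyed on IP the whole office is blocked after 50 requests; keyed on session nobody is.
    return ip_blocked, cred_blocked


def block_expires(block_ttl: float = 60.0):
    """Show that a block lapses on its own once block_ttl has passed."""
    t = Throttle(capacity=1, refill_per_sec=1.0, block_ttl=block_ttl)
    t.check("ip:198.51.100.7", now=0.0)                 # spends the single token
    first = t.check("ip:198.51.100.7", now=0.1)         # empty bucket: blocked for block_ttl
    during = t.check("ip:198.51.100.7", now=block_ttl / 2)
    after = t.check("ip:198.51.100.7", now=block_ttl + 1)
    return first, during, after


if __name__ == "__main__":
    print("blocked per-IP / per-credential:", simulate())
    print("block lifecycle:", block_expires())
```

Keying on the credential first and the IP second is what keeps the NAT case from tripping the limiter; the IP bucket stays useful as a coarse backstop against unauthenticated floods.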
Trusting client IP headers
Behind a CDN or an L7 load balancer the TCP peer address is the edge, not the user. Honor X-Forwarded-For (or the platform equivalent) only when the connection arrives from a hop you trust, and read it from the right, skipping your own hops; parsed from the left, or trusted from any peer, the header is attacker-controlled and spoofing it bypasses IP blocks and allowlists. Prefer the platform's own client-IP signal where one exists (for example Cloudflare's CF-Connecting-IP or Akamai's True-Client-IP) and authenticate the edge-to-origin channel (mutual TLS or a secret header) so that only the edge can assert a client address.
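The right-to-left walk over X-Forwarded-For described above, as an added Python example (written for this page, not taken from any proxy or framework). The trusted ranges, the client and CDN addresses, and the forged header are all constructed; in a real deployment the trusted list is the CDN's published egress ranges plus your own load balancers.

```python
import ipaddress

# Constructed: address ranges of the hops we operate or contract (our LBs, CDN egress).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff_header: str = "") -> str:
    """Return the client address, trusting X-Forwarded-For only as far as our own hops.

    Each trusted hop appends the address it accepted the connection from, so the
    rightmost untrusted entry is the client. Everything left of it was supplied by
    the client and is ignored.
    """
    if not is_trusted(peer_ip):
        # Direct connection: any header present is whatever the client typed.
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for addr in reversed(hops):
        if not is_trusted(addr):
            try:
                return str(ipaddress.ip_address(addr))
            except ValueError:
                # Only a trusted hop could have written this position; garbage here means a
                # misconfigured hop, so fall back to the peer rather than guess.
                return peer_ip
    # Header empty or every entry is one of ours: the peer is the nearest address we can name.
    return peer_ip


def demo():
    """Constructed scenarios; our app's TCP peer is the LB 10.0.0.5, the CDN hop is 192.0.2.10."""
    # Honest client 198.51.100.23: CDN appended the client, LB appended the CDN.
    honest = client_ip("10.0.0.5", "198.51.100.23, 192.0.2.10")
    # Same client, but it sent its own X-Forwarded-For to pose as an allowlisted address.
    forged = "203.0.113.1, 198.51.100.23, 192.0.2.10"
    spoofed = client_ip("10.0.0.5", forged)
    # The common bug: take the leftmost entry, which is exactly the attacker's choice.
    naive = forged.split(",")[0].strip()
    # Direct connection to the origin with a forged header: peer is untrusted, header ignored.
    direct = client_ip("198.51.100.23", "203.0.113.1")
    return honest, spoofed, naive, direct


if __name__ == "__main__":
    print(demo())
```

The same walk applies to Forwarded (RFC 7239) and vendor headers; what matters is that the list of trusted hops is exact, since one extra range turns every address in it into a spoofing path.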
API and JSON-specific controls
REST and GraphQL abuse differs from HTML scraping: volumetric limits should key on the API key or JWT subject where possible, with IP as a secondary throttle. Limits on JSON nesting depth and on the number of keys or parameters per body (parameter explosion) complement traditional SQLi/XSS signatures, since a deeply nested or very wide document can exhaust the parser before any signature runs.
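A body check of the kind the paragraph above describes, as an added Python example written for this page (it is not a rule from any managed ruleset). The depth and node limits, and the three sample bodies, are constructed; the only library used is the standard json module.

```python
import json

MAX_DEPTH = 20      # assumed limit on nesting levels
MAX_NODES = 2000    # assumed limit on objects, arrays, keys and scalars combined


def inspect_json(body: str, max_depth: int = MAX_DEPTH, max_nodes: int = MAX_NODES):
    """Return (ok, reason). Rejects malformed, too-deep or too-wide bodies."""
    try:
        doc = json.loads(body)
    except RecursionError:
        # CPython's parser recurses once per nesting level, so a nesting bomb is
        # rejected by the interpreter itself; treat that as a WAF block, not a 500.
        return False, "nesting exceeds parser limit"
    except ValueError:
        return False, "malformed json"
    nodes = 0
    stack = [(doc, 1)]   # iterative walk so the check itself cannot overflow
    while stack:
        value, depth = stack.pop()
        nodes += 1
        if depth > max_depth:
            return False, f"depth {depth} > {max_depth}"
        if nodes > max_nodes:
            return False, f"more than {max_nodes} nodes"
        if isinstance(value, dict):
            nodes += len(value)   # keys count toward parameter explosion
            stack.extend((v, depth + 1) for v in value.values())
        elif isinstance(value, list):
            stack.extend((v, depth + 1) for v in value)
    return True, "ok"


def samples():
    """Constructed bodies: a normal request, a nesting bomb and a parameter explosion."""
    normal = '{"user": "alice", "tags": ["a", "b"], "prefs": {"theme": "dark"}}'
    deep = "[" * 100000 + "]" * 100000
    wide = json.dumps({f"p{i}": i for i in range(5000)})
    return {name: inspect_json(body)[0] for name, body in (("normal", normal), ("deep", deep), ("wide", wide))}


if __name__ == "__main__":
    for name, ok in samples().items():
        print(f"{name}: {'pass' if ok else 'block'}")
```

Run this before the body reaches the application parser; the same walk can enforce per-field size limits or reject unexpected top-level keys once the schema is known.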
Pair with firewall rule basics and external scanning discipline.
When reproducing a WAF event, first check which address your client actually presents to the edge; behind a VPN, proxy or NAT it is not your machine's own address, and the event you are looking for is logged under the one the edge saw.