Firewall & CDN overview

This section describes how to configure and manage Firewall & CDN features using the API. All the available controls are also present in the SiteLock Dashboard based on feature availability.

Support for onboarding apex domains and subdomains configured to behave as apex domains is a beta feature and is subject to change.

Products included

Firewall & CDN includes two primary products:

  • Firewall — A web application firewall (WAF) protects websites by filtering and blocking malicious HTTP requests.

  • CDN — A content delivery network caches specific requests to improve performance and accelerate delivery of web assets.

API capabilities

SiteLock provides API methods for:

  • Routing traffic to the origin server through Firewall & CDN.

  • Forwarding traffic directly to the origin server (bypass mode).

  • Enabling and managing SSL/TLS support.

  • Configuring access control lists (ACLs).

  • Managing CDN behavior.

  • Retrieving web traffic statistics.

The API endpoint is:

Firewall & CDN traffic flow

Firewall & CDN filters illegitimate traffic and routes only legitimate requests back to the origin server.

Domain types and DNS requirements

Domains are classified as apex or non-apex based on RFC definitions (see RFC 7719). DNS configuration requirements vary by domain type.

Apex domain

An apex domain (also known as a root domain or naked domain) is the root of a DNS zone and contains the start of authority (SOA) record (for example, example.com or api.example.com when managed as its own zone).

When onboarding an apex domain to Firewall & CDN:

  • You will receive two A records.

  • You will also receive one CNAME record.

  • The A records must be configured on the apex domain.

  • The CNAME must be configured on the corresponding www (or equivalent) fully qualified domain name.

  • Domain validation and successful onboarding depend on the CNAME being configured.

Subdomain

A standard subdomain does not contain its own SOA record and is part of a parent DNS zone.

When onboarding a subdomain:

  • You will receive one CNAME record.

  • The CNAME must be configured on the subdomain.

  • No A records are required.

Subdomain treated as an apex domain (Beta)

A subdomain can be treated as an apex domain when it has its own SOA record and is managed as a separate DNS zone.

When onboarding a subdomain as an apex domain:

  • The subdomain must have an SOA record.

  • You will receive two A records and one CNAME record.

  • The A records are configured on the apex subdomain.

  • The CNAME is configured on the fully qualified www version of that subdomain.

  • Domain validation is dependent on the CNAME record.
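
The record requirements for the three domain types above can be checked before onboarding is submitted. The following is an added example, not SiteLock code and not part of the API: it classifies a name by the presence of an SOA record and compares the published records with the ones issued. The function names, the `www` label, the CNAME target `edge.waf.example.net` and all addresses are assumptions constructed for illustration, and the lookup is a stand-in for a real DNS resolver.

```python
from typing import Callable, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (name, record type) -> record values

def norm(value: str) -> str:
    """Compare names and addresses ignoring case and a trailing dot."""
    return value.rstrip(".").lower()

def check_onboarding(domain: str, issued_a: List[str], issued_cname: str,
                     lookup: Lookup) -> Tuple[str, List[str]]:
    """Return (domain kind, problems); an empty list means DNS matches."""
    problems = []
    # A name that carries its own SOA record is onboarded as an apex domain.
    kind = "apex" if lookup(domain, "SOA") else "subdomain"
    cname_host = domain
    if kind == "apex":
        cname_host = "www." + domain  # assumption: "www" is the CNAME label
        want = {norm(a) for a in issued_a}
        have = {norm(a) for a in lookup(domain, "A")}
        if len(want) != 2:
            problems.append("apex onboarding expects two issued A records")
        for addr in sorted(want - have):
            problems.append(f"{domain}: issued A record {addr} is not published")
        # Added check: an A value that was not issued routes around Firewall & CDN.
        for addr in sorted(have - want):
            problems.append(f"{domain}: unexpected A record {addr}")
    # Domain validation depends on the CNAME, so it is checked for both kinds.
    if [norm(c) for c in lookup(cname_host, "CNAME")] != [norm(issued_cname)]:
        problems.append(f"{cname_host}: CNAME to {issued_cname} is not published")
    return kind, problems

# Constructed zone data and record values standing in for live DNS answers.
SOA = "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300"
ZONE = {
    ("example.com", "SOA"): [SOA],
    ("example.com", "A"): ["192.0.2.10", "192.0.2.11"],
    ("www.example.com", "CNAME"): ["edge.waf.example.net."],
    ("shop.example.com", "CNAME"): ["edge.waf.example.net."],
    ("api.example.com", "SOA"): [SOA],
    ("api.example.com", "A"): ["192.0.2.10", "203.0.113.5"],
}

def zone_lookup(name: str, rtype: str) -> List[str]:
    return ZONE.get((norm(name), rtype), [])

if __name__ == "__main__":
    for name in ("example.com", "shop.example.com", "api.example.com"):
        print(name, check_onboarding(name, ["192.0.2.10", "192.0.2.11"],
                                     "edge.waf.example.net", zone_lookup))
```

In the constructed data, `api.example.com` is a subdomain with its own SOA record, so it is held to the apex requirements and fails on one stale A record and a missing `www` CNAME.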

Bypassing Firewall & CDN

To send traffic directly to the origin server:

SSL support

Firewall & CDN validates the SSL/TLS certificate installed on the user’s site.

If Firewall & CDN was provisioned without SSL and a SiteLock-generated certificate is added later, call enableWafSSL to trigger validation. To remove SSL support, call disableWafSSL.

Access control lists (ACLs)

Access control list (ACL) rules and exceptions let you fine-tune configuration settings such as blacklisted or whitelisted IP addresses and URLs, countries, bots, and more.

  • Retrieve the ACL overview using getWafAclOverview.

  • Retrieve or update WAF policy rules using getWafSettings and setWafSettings.

Additional ACL-related methods include:

Malicious files may be quarantined automatically:

Website traffic statistics
