Update WAF documentation with expanded security details#1132
Open
mikelittle wants to merge 1 commit into master from
Conversation
Updated the following sections:

Protection against exploits — expanded to mention:
- IP reputation lists (including AWS') and managed rules for known attack patterns
- Blocking of sensitive files, system paths, and XML-RPC API
- Proactive rule updates for newly discovered vulnerabilities (without mentioning the advance notice agreement)

Protection against request floods — expanded with:
- Layers 3, 4, and 7 breakdown (network, transport, application)
- Three tiers of rate limits described generically: CDN-level, per-container (dynamic pages), and sensitive pages (login/admin) — no exact numbers
- I also mentioned the self-service allow-lists (but couldn't find a page to point to)

New "Monitoring & alerting" section — covers:
- 24/7/365 global on-call team with multiple tiers
- Internal metrics (CPU, memory, disk, scaling, network) and external metrics (error rates)
- Urgent support ticket alerting

New "Incident response" section — covers:
- Tiered escalation (primary → secondary → tertiary → leadership) without exact timeframes
- Five-step incident process: creation, customer notification, updates, report, root cause analysis

I specifically didn't mention:
- Exact rate limit numbers
- Specific error rate thresholds
- Exact escalation timeframes
- Details about advance WordPress vulnerability notice agreements
- Internal tooling names like PagerDuty

Fixes: humanmade/altis-documentation#602 (Add some more information about our WAF set up to the documentation)
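The PR description lists three generic rate-limit tiers (CDN-level, per-container for dynamic pages, and a tighter budget for sensitive login/admin pages) without giving numbers. The following is an added illustration of how such tiers compose, written for this review and not code from the Altis platform or this repository: a sliding-window limiter evaluated outermost-tier first, replayed over constructed sample traffic. All limits, window lengths, path patterns, IP addresses and container names are placeholder assumptions, not the platform's actual values.

```python
from collections import defaultdict, deque

# Constructed placeholder values: the real environment's limits, window
# lengths and sensitive paths are not published in the documentation.
TIERS = {
    "cdn": (100, 60.0),        # environment-wide: 100 requests / 60 s per client IP
    "container": (30, 60.0),   # dynamic (PHP) pages: 30 / 60 s per client IP per container
    "sensitive": (5, 60.0),    # login/admin pages: 5 / 60 s per client IP
}
SENSITIVE_PREFIXES = ("/wp-login.php", "/wp-admin/")
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".svg", ".woff2")


class SlidingWindowLimiter:
    """Sliding-window request counters keyed by (tier, subject)."""

    def __init__(self, limits=TIERS):
        self.limits = limits
        self.hits = defaultdict(deque)  # (tier, key) -> timestamps still inside the window

    def _allow(self, tier, key, now):
        max_requests, window = self.limits[tier]
        q = self.hits[(tier, key)]
        while q and now - q[0] >= window:  # drop hits that have left the window
            q.popleft()
        if len(q) >= max_requests:
            return False                   # rejected requests are not counted
        q.append(now)
        return True

    def check(self, client_ip, path, container, now):
        """Return (allowed, blocking_tier) for one request.

        Tiers are evaluated in the order a request traverses them: CDN edge,
        then the application container, then the stricter budget for
        sensitive pages. A request refused by an inner tier has already
        been counted by the outer ones.
        """
        if not self._allow("cdn", client_ip, now):
            return False, "cdn"
        if path.endswith(STATIC_SUFFIXES):
            return True, None              # cacheable asset: no origin-side limits
        if not self._allow("container", (container, client_ip), now):
            return False, "container"
        if path.startswith(SENSITIVE_PREFIXES):
            if not self._allow("sensitive", client_ip, now):
                return False, "sensitive"
        return True, None


def replay(requests, limiter=None):
    """Run (timestamp, client_ip, path, container) tuples through a limiter."""
    limiter = limiter or SlidingWindowLimiter()
    return [limiter.check(ip, path, container, t) for t, ip, path, container in requests]


def blocked_by_tier(results):
    """Summarise which tier rejected requests, usable as an alerting metric."""
    counts = {}
    for allowed, tier in results:
        if not allowed:
            counts[tier] = counts.get(tier, 0) + 1
    return counts


# Constructed sample traffic: one client hits the login page eight times in
# four seconds, then browses, then returns after the window has passed.
SAMPLE = (
    [(i * 0.5, "203.0.113.7", "/wp-login.php", "app-1") for i in range(8)]
    + [(10.0, "203.0.113.7", "/about/", "app-1"),
       (11.0, "203.0.113.7", "/style.css", "app-1"),
       (120.0, "203.0.113.7", "/wp-login.php", "app-1")]
)

if __name__ == "__main__":
    results = replay(SAMPLE)
    for (t, ip, path, _), (allowed, tier) in zip(SAMPLE, results):
        print(f"t={t:6.1f} {ip} {path:15} {'allow' if allowed else 'block:' + tier}")
    print(blocked_by_tier(results))
```

Replaying the sample shows the sensitive-page budget rejecting login attempts six through eight while the same client's ordinary page and asset requests still pass the wider CDN and container budgets, and the per-tier rejection counts are the kind of signal the "Monitoring & alerting" section describes feeding into alerts.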
mikelittle (Contributor, Author) commented:
@rmccue A reminder you wanted final approval on this PR
rmccue requested changes on Mar 10, 2026
| currently-applied rate limits. | ||
| - **CDN-level rate limits** apply across the entire environment, tuned by our engineers based on your traffic patterns. Contact Altis | ||
| support if you need these adjusted. | ||
| - **Per-container rate limits** restrict the rate of requests to dynamic pages (PHP) on each application server. |
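Review bot: the per-container bullet (last line of this hunk) does not say whether that limit is adjustable or what a rate-limited client sees, whereas the CDN-level bullet above it tells readers to contact support for adjustments; consider stating for each tier whether it can be tuned on request and what response a rejected request receives, so a site operator triaging errors can tell a rate-limit rejection apart from an application failure.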
rmccue (Member) suggested this change:
| - **Per-container rate limits** restrict the rate of requests to dynamic pages (PHP) on each application server. | |
| - **Per-container rate limits** restrict the rate of requests to dynamic pages (PHP) on each application container. |
Comment on lines +17 to +18
| managed rules for known attack patterns. We also block access to certain sensitive files and system paths, and at an application level | ||
| (as set in your configuration) access to the XML-RPC API. |
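Review bot: "at an application level (as set in your configuration)" leaves the default unstated, so a reader cannot tell whether XML-RPC access is blocked unless they enable it or allowed unless they disable it; state the default explicitly alongside the link to the configuration page that the suggestion below adds.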
rmccue (Member) suggested this change:
| managed rules for known attack patterns. We also block access to certain sensitive files and system paths, and at an application level | |
| (as set in your configuration) access to the XML-RPC API. | |
| managed rules for known attack patterns. We also block access to certain sensitive files and system paths, and at an application level | |
| [access to the XML-RPC API (as set in your configuration)](docs://cms/xmlrpc/). |
Comment on lines +69 to +73
| We use a wide range of alerts covering both internal and external metrics: | ||
|
|
||
| - **Internal metrics**: CPU usage, memory usage, disk space, scaling behaviour, and network throughput. | ||
| - **External metrics**: Error rates experienced by customers, including server error thresholds that trigger alerts when a | ||
| significant proportion of requests are failing. |
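Review bot: "server error thresholds that trigger alerts when a significant proportion of requests are failing" (the external-metrics bullet) comes close to describing a specific threshold, which the PR description says is intentionally left out; "elevated error rates experienced by customers" would keep the point without implying a documented cut-off.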
rmccue (Member) commented:
I think this is a little too detailed, I'd cut it back to a broader description