We are currently reviewing options to ensure that our origin server cannot be accessed directly and that all traffic is routed exclusively through Imperva Cloud WAF.
The original objective was to implement an origin lock by restricting access to the origin server so that it only accepts traffic from whitelisted Imperva IP ranges.
However, due to current infrastructure limitations, implementing IP-based origin restrictions is not feasible in the client environment at the moment.
As a workaround, we are considering implementing an Origin Secret by configuring Imperva to add or rewrite a custom request header and validating this header at the origin server. While this would allow the origin to verify that requests are coming through Imperva at the application layer, it would not prevent direct network-level access to the origin server if the IP address were discovered.
Given this constraint, we would appreciate guidance from the community on the following points:
• Whether using an Origin Secret alone is considered an acceptable control when origin IP restrictions cannot be implemented
• Any recommended best practices from Imperva for protecting the origin in such scenarios
Any insights or experiences from similar deployments would be greatly appreciated.
#CloudWAF (formerly Incapsula)

------------------------------
Asimit Upadhye
Brennan IT Pty Ltd.
Sydney NSW
------------------------------
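Origin-side validation of the Origin Secret header described above, as an added example that is not part of the original post or Imperva's own code. The header name (X-Origin-Secret), the secret value and the WSGI framing are assumptions; the real values come from the Imperva rewrite rule and the origin's configuration.

```python
# Added example: enforce an "Origin Secret" header at the origin server.
# Assumed header name; Imperva would be configured to add/rewrite it.
import hmac

ORIGIN_SECRET_HEADER = "X-Origin-Secret"
# WSGI exposes request headers as HTTP_<NAME> with dashes turned into underscores.
_ENV_KEY = "HTTP_" + ORIGIN_SECRET_HEADER.upper().replace("-", "_")
# Constructed demo value; a real deployment loads this from a secret store.
DEMO_SECRET = "constructed-demo-secret"

def header_matches(headers: dict, secret: str) -> bool:
    """True only when the header is present and equals the shared secret.
    hmac.compare_digest keeps the comparison constant-time, so a direct
    caller cannot infer the secret from response-timing differences."""
    presented = headers.get(ORIGIN_SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())

class OriginSecretMiddleware:
    """WSGI middleware that rejects requests lacking the secret header.
    Rejections are logged with the peer address: a run of 403s from
    addresses outside Imperva's published ranges is the detection signal
    that the origin IP has been found and is being hit directly."""
    def __init__(self, app, secret: str, log=print):
        self.app, self.secret, self.log = app, secret, log
        self.rejected = 0

    def __call__(self, environ, start_response):
        headers = {ORIGIN_SECRET_HEADER: environ.get(_ENV_KEY, "")}
        if not header_matches(headers, self.secret):
            self.rejected += 1
            self.log(f"origin-secret reject peer={environ.get('REMOTE_ADDR')} "
                     f"path={environ.get('PATH_INFO')}")
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)

def simulate(presented: str, secret: str = DEMO_SECRET, peer: str = "203.0.113.9") -> str:
    """Drive the middleware with a constructed WSGI environ; returns the status line."""
    def backend(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello from origin\n"]
    app = OriginSecretMiddleware(backend, secret=secret, log=lambda _msg: None)
    status = []
    environ = {"REMOTE_ADDR": peer, "PATH_INFO": "/", _ENV_KEY: presented}
    list(app(environ, lambda s, _h: status.append(s)))
    return status[0]
```

The check only proves a request carried the secret; it does nothing against traffic that reaches the origin's port without it, so the 403 log line is also the place to alert on direct access attempts.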