WAF Detection
developer/v1/domain/wafIdentifies if a Web Application Firewall (WAF) is protecting a domain by analyzing HTTP response signatures, and reports an `enforcement_signal` separate from mere presence. Detects 27+ major providers (Cloudflare, AWS WAF, Akamai, Imperva/Incapsula, Sucuri, F5 BIG-IP, Barracuda, Fortinet FortiWeb, Google Cloud Armor, ModSecurity/OWASP CRS, and more). The `cf-mitigated` header — Cloudflare's explicit "this request was challenged/blocked" signal — is treated as the highest-confidence evidence.
What It Does
Makes an HTTP request to the domain and analyzes multiple detection signals: WAF-specific response headers (cf-mitigated, cf-ray, x-sucuri-id, x-akamai-transformed), server header patterns, Set-Cookie signatures (__cf_bm, cf-chl-bypass, incap_ses_, aws-waf-token), response body patterns (block pages, challenge pages), and HTTP status-code semantics (403/406 → WAF block, 429 → rate limit, 1020 → Cloudflare block, 1009 → country block). Returns provider list with confidence + evidence + signature provenance (last_verified_at, source_url), plus an `enforcement_signal` of low/medium/high/verified distinguishing "provider in front of origin" from "provider actively enforcing."
Why It's Useful
WAF detection is essential for security assessments (knowing what defenses are in place), troubleshooting (identifying if a WAF is blocking legitimate traffic), and competitive intelligence (understanding infrastructure choices). For penetration testers, WAF awareness is critical for adjusting testing methodology. For operations teams, knowing the WAF provider helps diagnose false positive blocks on API traffic.
Use Cases
Security Assessment
Identify WAF presence before testing to adjust methodology accordingly.
Plan penetration tests with WAF evasion considerations.
Competitive Analysis
Understand which WAF solutions competitors use for security.
Inform WAF selection based on industry adoption.
Troubleshooting
Identify if a WAF is blocking legitimate requests to APIs or services.
Diagnose connectivity issues caused by WAF blocks.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | Domain or full URL — accepts `example.com` or `https://example.com/path`.Example: https://example.com |
active_probe | string | Optional | Phase 2: set "true" to run an authenticated active probe (5 OWASP CRS canaries — SQLi, XSS, traversal, Shellshock, Acunetix UA). Requires domain ownership: publish DNS TXT `_edgedns-verify.<domain>` with value `verify=<any-token>` OR pass `Authorization: Bearer <audit-token>`. Probes a non-existent canary path so requests never reach origin. Results are never cached.Example: true |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The queried domain (bare hostname). |
url | string | Full URL that was fetched, echoing the protocol used in the request. |
detected | boolean | [deprecated] Use `provider_present`. Whether a WAF signature matched. |
provider_present | boolean | At least one provider signature matched (the WAF/edge is in front of the origin). |
enforcement_signal | string | low | medium | high | verified. low=signature match only; medium=challenge cookie observed; high=cf-mitigated on a benign request; verified=active probe blocked ≥3/5 canaries. |
block_category | string | Status-code interpretation for this request: none | waf-block | rate-limit | cloudflare-block | country-block | custom-block. |
status_code | number | null | HTTP status returned for the probe request (used to derive block_category). |
primaryProvider | string | null | Primary WAF provider name, or null if no provider detected |
providers | array | All detected providers with confidence, evidence, last_verified_at, and source_url for provenance. |
providerCount | number | Number of providers detected |
topology | string | null | Phase 2: "single" when one provider is detected, "layered" when ≥2 high-confidence providers fire (e.g., Cloudflare in front of AWS WAF). null when none detected. |
topology_chain | array | Phase 2: ordered list of provider names matching `topology`. Ordering uses the `Via` HTTP header hops when present, otherwise detection-confidence order. |
active_probe | object | null | Phase 2: only populated when ?active_probe=true. Includes ownership_verified/method, per-canary block evidence, and a summary with enforcement: "verified" (≥3/5 blocked), "partial" (1–2 blocked), or "none". When ownership cannot be verified, returns probed:false with a refusal_reason. |
recommendations | array | Security improvement suggestions |
Code Examples
curl "https://api.edgedns.dev/v1/domain/waf" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "domain=https://example.com"const response = await fetch(
'https://api.edgedns.dev/v1/domain/waf?domain=https%3A%2F%2Fexample.com',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/domain/waf',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'domain': 'https://example.com'
}
)
data = response.json()
print(data)Read the full WAF Detection guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.
Try This Endpoint
Test the WAF Detection endpoint live in the playground.