Web Application Firewall (WAF) Best Practices

Introduction

When deployed on-premises, it is best practice to place every web application behind a web application firewall (WAF). The WAF must be configured correctly so that the CoreOne Suite runs without problems. This document gives some best-practice advice on how to configure your WAF.

HTTP/2

Most modern web browsers support HTTP/2. Many WAFs, on the other hand, ship with HTTP/2 support disabled by default. If possible, enable HTTP/2 support on the WAF. Note that browsers only use HTTP/2 over TLS, so it has to be enabled on the HTTPS listener, where it is negotiated via ALPN.

Load Balancing

If load balancing is performed by the WAF or by a separate load balancer, use the health checks documented here.

Performance- and Frontend-Optimization-Features

Many WAFs offer features called something like “Performance” or “Frontend Optimization” which, when enabled, cache certain files and requests on the WAF, try to minify or otherwise rewrite JavaScript files, or even inline them into the page. This can lead to unexpected behavior and errors in the CoreOne Suite, so these features should be disabled.

Sticky Sessions

All CoreOne Suite frontend applications rely on sticky sessions to work properly: every request belonging to one user session must be routed to the same web server. Configure the WAF or load balancer accordingly. Cookie-based persistence is the usual choice; source-IP affinity is unreliable because users behind NAT or a corporate proxy share one address.
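As an added example, and not part of the ITSENSE documentation or an ITSENSE-supported configuration, the following HAProxy configuration shows how the HTTP/2, performance-feature and sticky-session points above map onto a concrete reverse-proxy setup, in the load-balancer role the page allows for either the WAF or a separate load balancer: HTTP/2 offered on the TLS listener via ALPN, cookie-based session persistence, and no caching, compression or rewriting of application responses. Host name, addresses, certificate paths, server names and the cookie name SRVID are placeholders; the health-check endpoint is the one from the CoreOne documentation referenced above and is deliberately not reproduced here.

```haproxy
global
    log stdout format raw local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# TLS listener in front of the CoreOne Suite web servers.
# HTTP/2 is offered via ALPN (browsers only use h2 over TLS); HTTP/1.1 stays as fallback.
# Certificate path is a placeholder.
frontend coreone_https
    bind :443 ssl crt /etc/haproxy/certs/coreone.example.pem alpn h2,http/1.1
    default_backend coreone_web

backend coreone_web
    balance roundrobin
    # Sticky sessions: on the first response HAProxy inserts the cookie SRVID
    # naming the chosen server and routes every later request that carries it
    # to the same server. "indirect" strips the cookie before forwarding to
    # the backend, "nocache" marks such responses private for shared caches.
    # Cookie persistence is preferred over source-IP hashing because users
    # behind NAT or a corporate proxy share one address.
    cookie SRVID insert indirect nocache httponly secure
    # Deliberately absent: a "cache" section, "compression", and any
    # http-response rewriting, so application responses pass through unchanged.
    # "check" enables health checks; point "option httpchk" at the health-check
    # endpoint from the CoreOne documentation (placeholder addresses below).
    server web1 10.0.10.11:443 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem cookie web1 check
    server web2 10.0.10.12:443 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem cookie web2 check
```

To verify from a client, run `curl -sSI --http2 https://<host>/`: the status line should read `HTTP/2 200`, and the response should carry a `set-cookie: SRVID=web1` (or `web2`) header. Requests that send that cookie back must always be answered by the same server; if the server name in the cookie changes between requests, persistence is not working and the CoreOne Suite frontends will misbehave.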

© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.