WAF for Magento — SafeLine as the Web Application Firewall
by shop owners for shop owners.
Why a web application firewall sits in front of every Magento shop, how we use SafeLine, and where SSL/TLS is terminated.
A Web Application Firewall (WAF) filters HTTP traffic before it ever reaches Magento. At PARC, SafeLine handles this — the first active line of defence in front of every shop, even before Varnish and Nginx.
What a WAF does — and what it doesn’t
A WAF operates at the application layer (Layer 7). It understands HTTP requests and detects attack patterns a classic network firewall can’t see:
- SQL injection and cross-site scripting (XSS) in forms, URL parameters and headers
- Known Magento exploits — many attacks are automated scans for specific, already-patched CVEs. The WAF blocks the request patterns, so a patch that is rolled out with some delay does not leave the shop exposed in the meantime
- Credential stuffing & brute force on login and admin routes
- Bad bots & scrapers that harvest catalog data or generate load
To be honest: a WAF is not a replacement for patching. It is an additional layer that buys time and absorbs broad attack waves; the underlying vulnerabilities still have to be fixed in Magento itself.
Why SafeLine
SafeLine is a modern open-source WAF. It fits us for the same reasons as the rest of our stack:
- Open source — no vendor lock-in, no forced cloud, runs on our own infrastructure in Europe.
- No traffic through third-party clouds — unlike cloud WAFs (Cloudflare etc.), traffic doesn’t leave our infrastructure. Relevant for data protection and sovereignty.
- Rule-based + behavioural analysis — signatures for known attacks plus detection of anomalous behaviour.
In our architecture
SafeLine is the outermost active layer in the traffic path:
Internet → SafeLine WAF → OPNsense → Varnish → Nginx → Magento
Clean HTTP traffic is passed through; suspicious traffic is blocked or throttled. The network firewall (OPNsense) works one layer deeper and governs which traffic may flow between the layers at all, so even a request that gets past the WAF can only reach the ports and hosts the firewall allows.
SSL / TLS / HTTPS
As the outermost layer in the traffic path, SafeLine is the natural point for TLS termination: HTTPS traffic from the browser ends here, is decrypted, inspected by the WAF and passed on internally as HTTP to the subsequent layers.
- HTTPS enforced: all HTTP traffic is redirected to HTTPS (301), no unencrypted access to the shop.
- Current TLS versions only: TLS 1.2 and 1.3; outdated protocols (SSLv3, TLS 1.0/1.1) are disabled.
- Certificates: Let’s Encrypt with automatic renewal, or your own certificate (e.g. EV/OV) on request.
- HSTS (Strict-Transport-Security header) is set so that, after the first HTTPS visit, browsers only ever request the shop over HTTPS, even if a user types the plain http:// address.
- HTTP internally: behind termination, Varnish, Nginx and Magento speak HTTP among themselves, which simplifies caching, debugging and certificate handling. This does not weaken external security as long as two conditions hold: the internal path is a private, firewalled segment that no client can reach directly, and the backends trust forwarding headers (X-Forwarded-Proto, X-Forwarded-For) only when they come from the WAF, because Magento derives its secure base URLs and the client IP it logs and rate-limits on from exactly those headers.
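The trust decision described above, as an added example (not SafeLine's or PARC's code): a backend behind a TLS-terminating proxy should believe X-Forwarded-Proto and X-Forwarded-For only when the connecting peer is the proxy itself; a client that talks to the backend directly can set any header it likes. The header names, the constructed 10.10.0.0/24 proxy range and the sample addresses are assumptions for the example.

```python
"""Resolve scheme and client IP behind a TLS-terminating WAF.

Added example, not code from SafeLine or the page's operator. The
proxy range and header names are assumptions; the WAF in the page
forwards plain HTTP, so the backend sees "http" on the socket and has
to learn the real scheme and client address from forwarding headers.
"""
import ipaddress

# Constructed: internal address range from which the WAF reaches the backends.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/24")]


def _is_trusted(addr: str) -> bool:
    """True if addr is one of our own proxy hops. Raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_scheme(headers: dict, remote_addr: str) -> str:
    """Return 'https' only if a trusted proxy says the external leg was HTTPS.

    For a direct connection the socket is the truth: the internal leg is
    plain HTTP, and a client-supplied X-Forwarded-Proto must be ignored.
    """
    if not _is_trusted(remote_addr):
        return "http"
    proto = headers.get("X-Forwarded-Proto", "").strip().lower()
    return "https" if proto == "https" else "http"


def client_ip(headers: dict, remote_addr: str) -> str:
    """Pick the client address from X-Forwarded-For.

    Walk the chain from the right (the entry appended by the nearest hop)
    and skip our own proxies; the first untrusted address is the client.
    Anything the client itself put into the header sits further left and
    is never reached. Direct connections use the socket address.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: do not guess, fall back to the socket address
    return remote_addr


if __name__ == "__main__":
    # Spoof attempt straight at the backend: header is ignored.
    print(effective_scheme({"X-Forwarded-Proto": "https"}, "203.0.113.9"))
    # Same header arriving via the WAF: honoured.
    print(effective_scheme({"X-Forwarded-Proto": "https"}, "10.10.0.2"))
    # Client pre-seeded the chain with a fake address; the WAF appended the real one.
    print(client_ip({"X-Forwarded-For": "1.2.3.4, 203.0.113.5"}, "10.10.0.2"))
```

In a Magento deployment the scheme side of this is what the "Offloader header" setting (config path `web/secure/offloader_header`, by default `X-Forwarded-Proto`) relies on, so the Nginx in front of PHP-FPM should accept or set that header only for requests from the WAF and drop any copy a client sent.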
Rate limiting & DDoS
- Rate limiting on sensitive routes (login, checkout, search endpoints) against brute force and resource exhaustion.
- DDoS mitigation at the application layer — Layer 7 floods (e.g. masses of expensive search requests) are detected and throttled before they hit PHP-FPM and the database.
- Volumetric network attacks (Layer 3/4) are absorbed by the firewall layer or the hosting provider.
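What per-route rate limiting at Layer 7 looks like in practice, as an added example (not SafeLine's engine or its policy format): a sliding-window counter keyed by client IP and sensitive route, replayed over a few constructed access-log lines so the allow/throttle decisions can be followed by hand. The route prefixes, limits and log lines are assumptions; `/customer/account/loginPost/` is Magento's standard login POST route, the admin path is the default and is usually renamed. The IP is taken as already resolved from the WAF's forwarding headers.

```python
"""Sliding-window rate limiting on sensitive Magento routes.

Added example, not SafeLine code. Policy values and log lines are
constructed for the demonstration; a real policy lives in the WAF.
"""
import re
from collections import defaultdict, deque

# Constructed policy: (route prefix, max requests, window in seconds).
# Login and admin get tight limits; checkout and search looser ones, because
# a Layer-7 flood of expensive search queries is the typical PHP-FPM killer.
RULES = [
    ("/customer/account/loginPost", 5, 60),
    ("/admin/", 10, 60),
    ("/checkout/", 30, 60),
    ("/catalogsearch/result/", 20, 60),
]

# Constructed log shape: client ip, unix timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


class SlidingWindowLimiter:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.hits = defaultdict(deque)  # (ip, rule prefix) -> accepted timestamps

    def _rule_for(self, path):
        for prefix, limit, window in self.rules:
            if path.startswith(prefix):
                return prefix, limit, window
        return None

    def decide(self, ip, path, ts):
        """Return 'allow' or 'throttle' for one request.

        Only accepted requests are counted, so a throttled burst cannot keep
        extending its own lockout; the attacker gets `limit` tries per window.
        """
        rule = self._rule_for(path)
        if rule is None:
            return "allow"
        prefix, limit, window = rule
        q = self.hits[(ip, prefix)]
        while q and ts - q[0] >= window:
            q.popleft()  # drop hits that have slid out of the window
        if len(q) >= limit:
            return "throttle"
        q.append(ts)
        return "allow"


def replay(lines, limiter=None):
    """Feed log lines through the limiter; returns (ip, path, decision) per line."""
    limiter = limiter or SlidingWindowLimiter()
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Strip the query string so "loginPost/?x=1" cannot evade the prefix match.
        path = m["path"].split("?", 1)[0]
        out.append((m["ip"], path, limiter.decide(m["ip"], path, int(m["ts"]))))
    return out


# Constructed sample: one client hammers the login route, one legitimate login,
# a catalog page, and a retry after the window has slid past the first hits.
SAMPLE_LOG = [
    '198.51.100.7 [1000] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '198.51.100.7 [1001] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '198.51.100.7 [1002] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '203.0.113.4 [1003] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '198.51.100.7 [1003] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '198.51.100.7 [1004] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '198.51.100.7 [1005] "POST /customer/account/loginPost/ HTTP/1.1" 302',
    '198.51.100.7 [1006] "POST /customer/account/loginPost/?x=1 HTTP/1.1" 302',
    '198.51.100.7 [1010] "GET /women/tops.html HTTP/1.1" 200',
    '198.51.100.7 [1061] "POST /customer/account/loginPost/ HTTP/1.1" 302',
]

if __name__ == "__main__":
    for ip, path, decision in replay(SAMPLE_LOG):
        print(f"{decision:8} {ip:14} {path}")
```

Two details matter for the real deployment: the key must be the true client address (behind a TLS-terminating WAF that means the address the WAF forwards, not the WAF's own), otherwise every shopper shares one bucket; and the rule must match on the normalised path, since the query string and trailing-slash variants are the first things a brute-force tool varies.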
