Skip to main content Skip to section navigation
U.S. flag

An official website of the United States government

Protections against malicious activity

Applications and services on the internet experience frequent attacks, probes, and other malicious traffic. Threat actors making malicious requests may aim to exploit vulnerabilities, to compromise infrastructure, or to deny service to legitimate clients of your applications.

As a multi-tenant platform, observes a diverse and frequent number of attacks. We are constantly improving our defenses to keep your applications online and unaffected by high-traffic-volume attacks against the platform and our customers. To achieve this, includes multiple layers of defense against different types of attacks.

Blocking known malicious patterns

All inbound traffic to the platform are protected by a set of web application firewall (WAF) rules, which can block any traffic that matches known malicious patterns. The WAF rules for currently include managed rule sets offered by AWS that offer protection against:

  • Cross-site scripting (XSS)
  • Requests for invalid paths or extensions
  • Requests from known or suspected malicious IP ranges
  • Known Java exploits

The WAF rules for also include a custom rule set that blocks:

Protections against traffic surges

Occasionally, sees significant spikes in traffic that may be attempting to overwhelm platform infrastructure via a DDoS attack or may simply be a very large scale probing attack.

In order to mitigate the effect of traffic surges on the platform, includes the following rate limits for requests:

  • Traffic coming through CloudFront is rate limited with a CHALLENGE action to 2000 requests per forwarded IP address per 5 minutes
  • Traffic not coming through CloudFront is rate limited with a CHALLENGE action to 2000 requests per source IP address per 5 minutes

AWS CloudFront & CDNs

Another protection against traffic surges available on the platform is the ability to use Amazon CloudFront as a CDN for your application. Among its other benefits, CloudFront can cache requests based on configurable patterns. Since cached requests will be handled by CloudFront and not reach your application, they offer some protection against floods of traffic.

Reporting impact on legitimate traffic

If you suspect that your traffic is being improperly affected by these protections, please contact us at

Page information

  • Last modified on: 2023-11-14