The WAF Dilemma

How I lowered false positives with NGINX App Protect without compromising security.

We are always facing the dilemma "Security vs Usability" in the world of security.

This becomes painfully obvious once you start implementing a WAF. I have now implemented a wide range of WAF security policies, on both BIG-IP AWAF and NAP, and two application functions/features always stand out: file upload and wiki editors.

The core problem with these two scenarios is that they are about handling unstructured data. No matter how hard you try to tune the policy, you will have an endless stream of false positives interrupting the end users. If we don't handle this problem correctly we will be forced (aka being demanded by the business) to disable the WAF policy. And that is a lose-lose situation.

What I have constructed is a way to minimize this problem by differentiating between authenticated and unauthenticated end users. In most situations we can have a higher level of trust in traffic that is authenticated and thus tune down the security. My design is very binary: if you are authenticated the WAF is turned off, if not it is on. This might not be good enough for you, but it is only an example of how to go about the core problem. You can fine-tune the solution to be more granular based on the information available, such as switching the security policy or applying other mitigating actions. Just remember that having a simple WAF is always better than not having any at all.

You can find the details, configuration and code here: NGINX App Protect with Authentication | Wiki

As always feedback is much appreciated!

Updated Aug 27, 2025
Version 2.0
