This page allows you to configure granular security settings for this particular domain or sub-domain:

Security Level

  • High – Default for normal operation, normal security checks and virtual patching in place.
  • Paranoid – Maximum security level that may have some performance and functionality impact, useful when a domain is under active attack.


Configures the firewall to force HTTP security settings on all traffic between the Website Firewall Platform and the Internet. This can be useful to apply HTTPS encryption to a domain or sub-domain without updating webserver configuration:

  • Force HTTPS – Most secure
  • Force HTTP – Insecure but maintains interoperability with some legacy browsers
  • No preference – Respect the initial protocol used by traffic

Behind CDN

Content Delivery Networks (CDN) cache bandwidth intensive content at locations that are closer to website visitors, allowing them to have a faster and more effective user experience.

This option allows users to maintain acceleration via an existing CDN provider, opt to use the Sucuri Anycast CDN or prefer no CDN acceleration.

Block PHP Upload

Allowing PHP uploads can assist attackers with adding executable code to your website, which can then be used to attack visitors or host malware. Disabling PHP uploads can help mitigate this.

Cache Mode

Allows user to configure the level of caching performed by the CDN.

  • Enabled / Do Caching – Default and recommended settings.
  • Minimal Caching – Very short term caching.
  • Site Caching – Cache using site headers only.
  • No Caching – No CDN Acceleration.
Note: The following file extensions are cached regardless of the caching level js, css, png, jpg, swf, jpeg, svg, gif, ico, txt, mp4, mp3, pdf, woff, ttf, thumb.

Maximum Upload Size

Allows users to configure maximum permitted file upload sizes in megabytes. Useful for restricting a user upload capability and preserve resources. Options from 5 to 400 Mb.

HTTP Flood Protection

Enables JavaScript challenges to defeat DDoS traffic sent by typical botnets. Very useful when under active DDoS attack, but may cause compatibility issues when active. We recommend that this setting is only enabled when under active DDoS attack.

Force Sec Headers

Adds numerous security headers to your site in order to increase protection against cross-site scripting and clickjacking attacks, but will break iframe integrations.

Aggressive Bot Filter

This will block access for invalid user agents, empty agents and agents starting with PHP/, but may impact on browser interoperability in a small number of cases

Detect adv evasion

This will enable advanced WAF evasion detection settings to maximise the accuracy and effectiveness of your Website Firewall Platform, but will prevent access to non-ascii URLs such as those containing Cyrillic or Japanese characters.


Enables HTTP2 support for your domain, bringing performance and security improvements. May reduce interoperability with some legacy browsers.


Enables and disables Brotli support. Recommended if your webserver supports Brotli.

Comment Access

Allows you to Block XMLRPC, Comments and TrackBacks on your website, available options are;

  • Open - Allows XMLRPC and Comments to be posted.
  • Restricted - Disables XMLRPC, Comments and TrackBacks.

Origin Protocol Port

Allows you to configure the HTTP protocol used to communicate between the Website Firewall Platform and your webserver. If you webserver supports HTTPS, we recommend this as the default setting.