Recipe: WAF rule writer

Generate custom ModSecurity-style rules from Nimbus traffic fingerprints. Ship detection logic without touching your app server.

Overview

Nimbus captures per-request telemetry — header order, TLS fingerprint, HTTP method, URI pattern, and payload entropy. The rule writer converts these signals into WAF-compatible rules (CRS-style or custom) that you can deploy directly to your edge or reverse proxy.

Fingerprint inputs

  • JA4 / TLS client hello — cipher suites, extensions, curves
  • Header order hash — stable across sessions
  • URI entropy — path depth, query complexity
  • Body shape — content-type, length bucket, JSON key set

Rule output format

# Phase 1 (request headers): deny with 403 when the User-Agent starts with "python"
SecRule REQUEST_HEADERS:User-Agent "@rx ^python" \
  "id:1001,phase:1,deny,status:403,msg:'Bot UA'"

Output targets ModSecurity / Coraza / custom proxy Lua. Nimbus handles the translation layer — you paste the rule.

Deployment flow

  1. Select a fingerprint profile from the Nimbus dashboard.
  2. Click “Generate WAF rule” — review the preview.
  3. Copy the rule block into your WAF config.
  4. Enable logging-only mode first, then flip to block.

Pro tip

Combine JA4 fingerprint rules with rate-limit buckets. A single TLS fingerprint hitting 50+ endpoints in 10 seconds is almost certainly automated — block before it reaches your origin.
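
The heuristic in the tip above, as an added example (not Nimbus code or output): a sliding-window counter that flags a TLS fingerprint once it has touched 50 or more distinct paths within 10 seconds. The `(timestamp, ja4, path)` record layout and the fingerprint labels are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # window from the tip
ENDPOINT_THRESHOLD = 50  # "50+" distinct endpoints


def flag_fingerprints(events, window=WINDOW_SECONDS, threshold=ENDPOINT_THRESHOLD):
    """events: (timestamp_seconds, ja4, path) tuples sorted by time.
    Returns {ja4: timestamp at which the threshold was first reached}."""
    recent = defaultdict(deque)                     # ja4 -> (ts, path) inside window
    counts = defaultdict(lambda: defaultdict(int))  # ja4 -> path -> hits inside window
    flagged = {}
    for ts, ja4, path in events:
        q, c = recent[ja4], counts[ja4]
        q.append((ts, path))
        c[path] += 1
        # Evict requests that have aged out of the window.
        while ts - q[0][0] >= window:
            _, old_path = q.popleft()
            c[old_path] -= 1
            if c[old_path] == 0:
                del c[old_path]
        # len(c) is the number of distinct paths seen in the last `window` seconds.
        if len(c) >= threshold and ja4 not in flagged:
            flagged[ja4] = ts
    return flagged


def sample_events():
    """Constructed sample traffic; fingerprint labels are placeholders."""
    ev = []
    # Scanner: 60 distinct paths, one every 0.1 s.
    ev += [(i / 10, "JA4_SCANNER_EXAMPLE", f"/probe/{i}") for i in range(60)]
    # Browser: the same 3 paths, one request per second for a minute.
    ev += [(float(i), "JA4_BROWSER_EXAMPLE", f"/page/{i % 3}") for i in range(60)]
    # Slow crawler: 60 distinct paths, but only 10 fall in any 10 s window.
    ev += [(float(i), "JA4_CRAWLER_EXAMPLE", f"/doc/{i}") for i in range(60)]
    return sorted(ev)


if __name__ == "__main__":
    print(flag_fingerprints(sample_events()))
```

Counting distinct paths rather than raw requests keeps a busy browser that reloads a few pages from tripping the same threshold as a scanner.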