Updated on 2025-10-21 GMT+08:00

Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?

Yes. WAF can protect HTTP and HTTPS applications.

  • If a website uses an HTTP Strict Transport Security (HSTS) policy, the client (such as a browser) is forced to use HTTPS to communicate with the website, which reduces the risk of session hijacking. Because websites configured with an HSTS policy are served over HTTPS, WAF can protect them.
  • Windows New Technology LAN Manager (NTLM) is an authentication method over HTTP. NTLM uses a three-way handshake to authenticate a connection, and it authenticates a client (such as a browser) the same way Windows remote login authentication does.

    WAF can protect applications that use NTLM to authenticate connections between a server and a client, such as a browser.
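
The three-way handshake described above, as an added example (not Huawei Cloud code): it decodes the NTLM tokens carried in `WWW-Authenticate` and `Authorization` header values and checks that messages 1 to 3 arrive in order on one connection. The connection IDs, the `make_token` helper and the sample values are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an NTLM token in a WWW-Authenticate or
    Authorization header value, or None if the value carries no token."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "NTLM":
        return None  # e.g. the bare "NTLM" offer in the first 401 response
    blob = base64.b64decode(parts[1].strip(), validate=True)
    if len(blob) < 12 or blob[:8] != NTLM_SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", blob, 8)  # little-endian uint32
    if msg_type not in NAMES:
        raise ValueError(f"unknown NTLM message type {msg_type}")
    return msg_type

def check_handshake(records):
    """records: (connection_id, header_value) tuples in capture order.
    Returns the three message names; raises ValueError otherwise."""
    seen, conn = [], None
    for conn_id, value in records:
        msg_type = ntlm_message_type(value)
        if msg_type is None:
            continue
        if msg_type != len(seen) + 1:
            raise ValueError(f"unexpected {NAMES[msg_type]} message")
        if conn is not None and conn_id != conn:
            raise ValueError("handshake split across connections")
        conn = conn_id
        seen.append(NAMES[msg_type])
    if len(seen) != 3:
        raise ValueError("incomplete handshake")
    return seen

def make_token(msg_type, body=b""):
    """Build a minimal constructed token (signature + type + body)."""
    raw = NTLM_SIGNATURE + struct.pack("<I", msg_type) + body
    return "NTLM " + base64.b64encode(raw).decode()

# Constructed sample: header values seen on one connection, in order.
SAMPLE = [("c1", "NTLM"), ("c1", make_token(1)),
          ("c1", make_token(2, b"\x00" * 20)), ("c1", make_token(3))]

if __name__ == "__main__":
    print(check_handshake(SAMPLE))
```
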

WAF can protect domain names (including wildcard domain names, top-level domain names, and second-level domain names) and IP addresses (including public and private IP addresses). The protected objects vary depending on the access mode.
  • Cloud Mode - CNAME: protects your web applications that are accessible over domain names and are deployed on any cloud or in on-premises data centers.
  • Cloud Mode - Load balancer: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses (public or private IP addresses).
  • Dedicated Mode: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses (public or private IP addresses).