End-to-End Web Security for On-Premises Apps Using AWS WAF and Secret Headers

In an increasingly hybrid world where businesses host web applications both in the cloud and on-premises, the importance of protecting infrastructure from malicious traffic cannot be overlooked. While AWS provides strong protection mechanisms for resources that run inside its cloud, extending those protections to custom, non-AWS origins is equally important.

In this blog we will explore how you can secure any endpoint, including those outside of AWS, using AWS Web Application Firewall (AWS WAF), Amazon CloudFront, and a clever use of custom secret headers.

Problem: Securing On-Premises Web Apps

Organisations often host sensitive web applications in on-premises environments. Traditional setups, however, expose these apps directly to the internet, which leaves them vulnerable to a wide range of exploits such as SQL injection, cross-site scripting (XSS) and bot attacks.

Let’s walk through the architecture that solves this, step by step.

How It Works

This architecture uses Amazon CloudFront as a secure front door to your application, with AWS WAF enforcing web security rules. A custom secret header is injected by CloudFront and validated by your web application. This ensures that only requests that have passed through AWS WAF are accepted, and that direct access to your web application is blocked.

Architecture Breakdown: Step By Step

  1. User Requests Enter via CloudFront

Users access your app through a domain (e.g. www.example.com). DNS routes the requests to the nearest CloudFront edge location for low-latency access.

  2. AWS WAF Inspection

At the edge location, AWS WAF inspects the request using Managed Rule Sets (SQL injection/XSS protection) and custom rules tailored to your application. Malicious traffic is blocked immediately at this stage, and logs are stored for analysis.

  3. Injecting the Secret Header

Once a request is deemed safe, CloudFront adds a secret custom header and forwards the request to your backend, whether in the cloud or on-premises.

  4. Backend Validation

Your backend should be configured to reject any request that doesn’t carry the correct secret header. This ensures all legitimate traffic must flow through CloudFront and AWS WAF.

Understanding Secret Header Management

Note: Secrets should never be static; rotation is essential for security. Here is how this entire layer can be automated.

  1. AWS Step Functions Workflow

A scheduled workflow triggers a header rotation process that generates a new secret using AWS Lambda and stores it in AWS Systems Manager Parameter Store.

  2. Header Deployment

Using AWS Systems Manager (SSM) and the SSM Agent, the new header is deployed to all web servers with Automation Runbooks and applied using rolling deployments with error controls. Once everything is confirmed, CloudFront is updated with the new header.

  3. Remove Old Secret

After full propagation, the previous secret is automatically removed from all systems, which ensures zero overlap and leaves no backdoor to exploit.
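The following is an added example, not code from the original post, that models both the backend validation in step 4 above and the three rotation steps just described. It assumes a header name of X-Origin-Verify (any name works as long as CloudFront and every origin agree on it) and stands in for Parameter Store, the SSM runbook and the CloudFront update with plain Python objects, so it runs offline. The point it makes that the prose does not spell out: because the runbook installs the new secret on the web servers before CloudFront is switched, each server must briefly accept both the outgoing and the incoming value, and only after CloudFront has switched is the old one retired; the comparison itself is constant-time.

```python
import hmac
import secrets
from typing import Dict, List


# Assumed header name; any name works as long as CloudFront and every
# origin agree on it.
SECRET_HEADER = "X-Origin-Verify"


def generate_secret(nbytes: int = 32) -> str:
    """What the rotation Lambda would produce before writing it to Parameter Store."""
    return secrets.token_urlsafe(nbytes)


class OriginServer:
    """One on-premises web server that validates the secret header.

    `accepted` is the set of secrets currently installed on this server. Outside
    a rollout it holds exactly one value; during a rollout it briefly holds the
    outgoing and incoming secrets so the server never rejects CloudFront while
    the distribution is being switched over.
    """

    def __init__(self, secret: str) -> None:
        self.accepted = {secret}

    def is_request_allowed(self, headers: Dict[str, str]) -> bool:
        presented = headers.get(SECRET_HEADER)
        if presented is None:
            return False  # direct hit on the origin: no header, reject
        # Constant-time comparison against every installed secret. The loop
        # deliberately does not short-circuit, so a match and a miss take the
        # same time regardless of how much of the value was correct.
        ok = False
        for s in self.accepted:
            ok |= hmac.compare_digest(presented.encode(), s.encode())
        return ok


class CloudFrontEdge:
    """Models the origin custom header CloudFront injects toward the origin."""

    def __init__(self, secret: str) -> None:
        self.secret = secret

    def forward(self, origin: OriginServer, viewer_headers: Dict[str, str]) -> bool:
        forwarded = dict(viewer_headers)
        # CloudFront sets the configured origin custom header, replacing any
        # value the viewer supplied under the same name.
        forwarded[SECRET_HEADER] = self.secret
        return origin.is_request_allowed(forwarded)


def rotate_secret(edge: CloudFrontEdge, origins: List[OriginServer]) -> str:
    """Run one rotation in the order the post describes.

    1. generate a new secret (Lambda + Parameter Store),
    2. roll it out to every origin, checking after each server that traffic
       carrying the still-current edge secret keeps working,
    3. switch CloudFront to the new secret,
    4. retire the old secret everywhere so exactly one value is valid again.
    """
    old, new = edge.secret, generate_secret()
    for origin in origins:  # step 2: rolling deployment with a health check
        origin.accepted.add(new)
        if not edge.forward(origin, {}):
            raise RuntimeError("rollout broke live traffic; stop and roll back")
    edge.secret = new  # step 3
    for origin in origins:  # step 4
        origin.accepted.discard(old)
    return new


if __name__ == "__main__":
    initial = generate_secret()
    edge = CloudFrontEdge(initial)
    farm = [OriginServer(initial), OriginServer(initial)]
    print("via CloudFront:", edge.forward(farm[0], {"Host": "www.example.com"}))
    print("direct, no header:", farm[0].is_request_allowed({"Host": "www.example.com"}))
    current = rotate_secret(edge, farm)
    print("old secret still valid after rotation:",
          farm[0].is_request_allowed({SECRET_HEADER: initial}))
    print("new secret valid:", edge.forward(farm[1], {}))
```

In a real deployment the `accepted` set is whatever the runbook writes into the web server's configuration (for example an nginx `map` or an application setting read from Parameter Store), and the health check in step 2 is where "error controls" stop a rolling deployment that has broken a server.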

Defence on Home Ground: Firewall Layer

Make sure that your on-premises firewall only allows inbound traffic from CloudFront IP ranges, so that CloudFront cannot be bypassed. These ranges are fetched programmatically from https://ip-ranges.amazonaws.com/ip-ranges.json and kept up to date.

Conclusion

Securing custom origins is not hard. With this AWS architecture you get enterprise-grade protection, secret rotation, and global edge caching in one seamless flow. Whether you're running applications in the cloud or on-premises, security should be a major priority.

Written by

Shivam (Anirudh) Nandy