Skip to main content
← Back to Blog

WAF and DDoS Protection for UK eCommerce: What Managed Actually Means

Half of UK businesses faced a cyber attack last year. Find out what managed WAF and DDoS protection actually covers, and the questions to ask before you trust a provider with it.

By Nublue Team

Featured image for WAF and DDoS Protection for UK eCommerce: What Managed Actually Means

More than half of businesses in the UK reported being attacked. The cost of the most disruptive attack for medium-sized and large enterprises was estimated at £40,400 on average. The sum does not include damage to their reputation, lost conversions due to the attack, and hours spent on solving the issue afterward.

These were companies that already had their security systems in place. The issue affected them anyway.

The issue is not the technology. It is the people behind the technology.

What a WAF Actually Does at the Infrastructure Layer

Web Application Firewall monitors all HTTP and HTTPS requests before they even reach your application. Each request is compared to a set of rules related to OWASP Top 10 threats, such as SQL injection, cross-site scripting, request forgery, and so on. Those are responsible for the majority of attacks on web applications.

Placement is much more important for a WAF than most people think. A simple plug-and-play WAF will check traffic after it is delivered to your hosting. An infrastructure WAF placed at the network edge will filter attack traffic before it hits your server.

Why DDoS Mitigation Fails When It's Left to Defaults

The volumetric DDoS attacks, which aim at exhausting the victim's bandwidth or server capacities through huge traffic volumes, are no longer a threat due to the way the Cloudflare network deals with them from their 330+ data centers.

What we have seen in the UK eCommerce DDoS attacks of 2025 is that they are not volumetric attacks.

There was an increase of 420% of DDoS attacks against retail and eCommerce last year. Most of the attacks were at Layer 7, which means that the attackers exploited the application logic on your website rather than exhausting your bandwidth.

Bots load up on highly sought-after goods, keeping the stock reserved for 15-minute slots. Real buyers get the message that the stock is sold out. The bots abandon the shopping cart. You lose conversions, your stock management system goes haywire, and you don’t notice anything since all requests were legitimate.

There is another, less obvious variant. Your systems face a volumetric attack that distracts your security team by creating an availability issue. As your team is dealing with that, your API is under a different, more discreet attack aimed at stealing customer information.

What "Managed" Means in Practice (vs DIY Cloudflare)

When a hosting provider says they offer managed WAF, it is worth understanding what that means operationally. The gap between "managed" and "you have access to a Cloudflare Business account" is significant.

Rule writing and maintenance

Cloudflare ships rule sets as a starting point. Those rules protect against known, documented attack patterns. Your eCommerce platform has specific endpoints, specific traffic patterns, specific user behaviour during sales events. Custom rules need to be written against your application. Someone with security expertise does that work, and revisits it when your platform changes or when new attack patterns emerge targeting your sector.

False positive management

A WAF rule that is too aggressive blocks legitimate traffic. In practice, many teams leave their WAF running in monitor mode, logging what it would block but not actually blocking anything. Tuning it safely requires expertise and time most teams do not have internally.

A WAF in monitor mode isn't protecting your site. It's generating data. That work falls to whoever manages the configuration. Tuning a WAF properly against a live eCommerce site takes time even for people who do it regularly. Most teams don't have that time, or the background to do it without breaking something else.

Incident response

While under attack, the platform by Cloudflare allows you to make changes. You can change rules, create IP blocks, switch on challenge mode. This is the tool. Managed means that a person with knowledge of your platform, baseline traffic, and Cloudflare setup makes those changes in real time. A twelve-minute response is a mere note in the incident report. A two-hour response is a board discussion.

Nublue's Cloudflare partnership is at the enterprise level. Enterprise Cloudflare means you have access to managed rulesets, prioritised support channels, and features not present on Business and Pro levels. Most mid-market eCommerce businesses using Cloudflare DIY are on Business level plans. The security works. The layer behind it is different.

What Should UK eCommerce Websites Expect From a Provider?

Ask any provider four questions before making a commitment. The responses will immediately make clear the difference between a managed service and a hosting solution with Cloudflare activated.

Show me your incident response procedure

Not just an explanation but a walk-through from detection to initial action, change in mitigation, verification, and analysis of the incident. Who was on the call? What is the SLA from the detection of an alert to human interaction and response, not acknowledgment of the alert?

How do you deal with false positives in eCommerce?

Here's where a managed security provider that specialises in eCommerce will distinguish itself from a generic host. There are traffic patterns associated with checkouts, payment gateways, inventory API requests, and marketing automation that may get flagged by generic rules. How does the provider resolve such a false positive issue?

What is the difference between your Cloudflare configuration and a Business plan that I can get myself?

And what if your answer is "we take care of it"? Who is going to take care of it? How would a managed configuration differ from default configurations? An enterprise relationship with rules management is not the same as a Business plan with default settings.

Are you familiar with a Layer 7 attack targeting an eCommerce platform during its peak trading time?

Request a case study. What was the attack signature? How was the attack discovered? What was the time lapse between identification and mitigation of the threat?

The Bottom Line

As per the UK Cyber Security Breaches Survey, 74 percent of large firms experienced a cyber breach or an attack last year. The relevant question in the context of security might no longer be whether or not you are protected. Rather, it is who will you call when you get attacked at 11 PM on a Saturday night.

A Nublue security audit is a complete analysis of your current setup in the context of your risk profile (the platform you use, your traffic pattern, etc.)

Feel free to get in touch for a quote.