Xoxoday deploys AWS Web Application Firewall (AWS WAF) at the edge via Amazon CloudFront, providing real-time protection against OWASP Top 10 vulnerabilities, malicious traffic, and DDoS attacks across all customer-facing services.
Xoxoday deploys AWS Web Application Firewall (AWS WAF) as a core layer of its application security architecture. The WAF operates at the edge through Amazon CloudFront, meaning all HTTP and HTTPS traffic destined for Xoxoday’s services is inspected before it reaches backend infrastructure. This edge-based deployment reduces latency impact while ensuring that malicious requests are blocked upstream, well before they interact with application logic or data.

AWS WAF protects Xoxoday’s applications against the OWASP Top 10 — the industry-standard classification of the most critical web application security risks. This includes SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other attack vectors commonly exploited to compromise web applications or extract sensitive data. Protections are applied consistently across all Xoxoday environments, not selectively by product line.

Xoxoday uses a combination of AWS Managed Rules and custom rule sets to tailor traffic inspection to its specific application behaviour. AWS Managed Rules provide continuously updated protections maintained by AWS security specialists, while custom rules allow Xoxoday’s security team to enforce policies based on traffic patterns, IP reputation, and request attributes. Together, these layers reduce the application’s exposure surface without interfering with legitimate user activity.

For organisations running Xoxoday alongside enterprise HR platforms such as Workday, SAP SuccessFactors, or Darwinbox, the WAF layer provides additional assurance that API calls and integration traffic between systems are validated at the network edge. Notification channels like Slack and Microsoft Teams are similarly protected against request injection or spoofing attempts targeting Xoxoday’s webhook endpoints.

Xoxoday’s WAF operates in conjunction with AWS Shield to provide DDoS mitigation at both the network and application layers. AWS Shield Standard is active by default across all CloudFront distributions, and its combination with WAF rules ensures that volumetric floods and application-layer attacks are absorbed before affecting service availability or end-user experience.

All web requests passing through the WAF are logged in real time, giving Xoxoday’s security and operations teams full visibility into traffic patterns, blocked requests, and emerging threat signatures. This logging pipeline supports Xoxoday’s compliance posture under ISO 27001 and SOC 2 Type II, where evidence of access controls and active threat detection is a mandatory audit requirement.

The result is a defence-in-depth posture that combines automated rule enforcement, managed threat intelligence, and continuous observability across Xoxoday’s global SaaS infrastructure.

Learn more: Xoxoday Help Centre — Security Requirement
