# bunny.net — Security
OWNER: karel
ALSO_USED_BY: stef (DNS/certs)
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: bunnynet Terraform provider (BunnyWay/bunnynet) latest
## Overview
bunny.net security covers Bunny Shield (WAF), DDoS protection, bot detection,
token authentication, and IP filtering. All public-facing GE services run behind
Bunny Shield. This is a compliance requirement (ISO 27001, SOC 2 Type II).
## Bunny Shield (WAF)
Bunny Shield is bunny.net's integrated web application firewall.
It filters, monitors, and blocks malicious HTTP traffic.
### Enabling Shield

```hcl
resource "bunnynet_pullzone" "example" {
  # ...
  shield_ddos_protection_enabled = true
  shield_ddos_protection_type    = 1     # Advanced
  waf_enabled                    = true
  waf_disable_rule_groups        = []    # Enable all rule groups
  waf_log_only_mode              = false # Enforce, not just log
}
```
CHECK: Shield is enabled on ALL production pull zones
CHECK: waf_log_only_mode = false in production — enforce, do not just log
CHECK: waf_log_only_mode = true during initial onboarding (learning mode)
IF: enabling Shield on a new pull zone
THEN: start in learning mode for 48-72 hours
THEN: review logs for false positives
THEN: switch to enforcement mode
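One way to automate the CHECK lines above (and the TLS 1.3 check further down this page) is to audit `terraform show -json` output before a plan is applied. The script below is an added example, not part of this wiki or of the bunnynet provider: it uses the attribute names from this page's own snippets, assumes production pull zones carry `prod` in their resource name, and runs against a constructed sample state.

```python
"""Audit `terraform show -json` output for the Bunny Shield settings this page
requires on production pull zones. Added example; the attribute names are the
ones used in this wiki's own Terraform snippets, the "prod in resource name"
convention is an assumption, and SAMPLE_STATE is constructed."""
import json

# Settings every production pull zone must have (from the CHECK lines above).
REQUIRED_PROD = {
    "shield_ddos_protection_enabled": True,
    "waf_enabled": True,
    "waf_log_only_mode": False,  # enforce, do not just log
    "enable_tls_1_3": True,
}


def is_prod(resource_name: str) -> bool:
    # Assumption: production pull zones carry "prod" in their resource name.
    return "prod" in resource_name


def iter_resources(module: dict):
    """Walk the module tree of `terraform show -json` output (root and child modules)."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def audit_pullzones(state_json: str) -> dict:
    """Return {resource address: [findings]} for production pull zones that
    violate the checks. Non-production zones may legitimately sit in learning
    mode during onboarding, so they produce no findings here."""
    state = json.loads(state_json)
    findings = {}
    for res in iter_resources(state["values"]["root_module"]):
        if res.get("type") != "bunnynet_pullzone" or not is_prod(res["name"]):
            continue
        vals = res.get("values", {})
        problems = []
        for key, want in REQUIRED_PROD.items():
            if vals.get(key) != want:
                problems.append(f"{key} should be {want!r}, is {vals.get(key)!r}")
        disabled = vals.get("waf_disable_rule_groups") or []
        if disabled:
            # The page allows disabling a single rule, never a whole group.
            problems.append("rule groups disabled: " + ", ".join(disabled))
        if problems:
            findings[res["address"]] = problems
    return findings


# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "bunnynet_pullzone.prod_web", "type": "bunnynet_pullzone",
         "name": "prod_web", "values": {
             "shield_ddos_protection_enabled": True, "waf_enabled": True,
             "waf_log_only_mode": True, "waf_disable_rule_groups": ["CSRF"],
             "enable_tls_1_3": True}},
        {"address": "bunnynet_pullzone.prod_assets", "type": "bunnynet_pullzone",
         "name": "prod_assets", "values": {
             "shield_ddos_protection_enabled": True, "waf_enabled": True,
             "waf_log_only_mode": False, "waf_disable_rule_groups": [],
             "enable_tls_1_3": True}},
        {"address": "bunnynet_pullzone.staging_web", "type": "bunnynet_pullzone",
         "name": "staging_web", "values": {
             "shield_ddos_protection_enabled": True, "waf_enabled": True,
             "waf_log_only_mode": True, "waf_disable_rule_groups": [],
             "enable_tls_1_3": True}},
    ]}},
})

if __name__ == "__main__":
    for address, problems in audit_pullzones(SAMPLE_STATE).items():
        print(address)
        for p in problems:
            print("  -", p)
```

Run it as `terraform show -json | python audit_pullzones.py` style input once the sample is swapped for stdin; a non-empty result should fail the pipeline step.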
### WAF Rule Groups
Bunny Shield includes predefined rule groups covering OWASP Top 10:
| Rule Group | Protects Against |
|---|---|
| SQL Injection | Query parameter and form injection attacks |
| XSS | Cross-site scripting in user content |
| RFI/LFI | Remote and local file inclusion |
| CSRF | Cross-site request forgery |
| Path Traversal | Directory traversal via ../ patterns |
| Protocol Attacks | HTTP request smuggling, header injection |
CHECK: all rule groups enabled in production
IF: specific rule causes false positives
THEN: disable that specific rule, not the entire group
THEN: document the exception in the pull zone's Terraform config
### AI-Powered WAF
Bunny Shield Advanced ($9.50/month) includes AI-powered threat detection:
- Zero-day exploit detection via machine learning
- Automatic rule suggestions based on traffic patterns
- Anomaly detection with reduced false positives
- Real-time rule push for emerging threats
CHECK: Advanced plan enabled for all production pull zones
CHECK: Basic (free) plan acceptable for dev/staging
## DDoS Protection
bunny.net provides DDoS protection at both network and application layers,
backed by 150+ Tbps of network capacity and 119 global scrubbing centres.
### Network Layer (L3/L4)
- Always on — no configuration needed
- Volumetric attack absorption
- SYN flood mitigation
- UDP amplification filtering
### Application Layer (L7)
- Rate limiting per IP/fingerprint
- Challenge pages for suspicious traffic
- Geographic filtering
```hcl
resource "bunnynet_pullzone" "example" {
  # ...
  shield_ddos_protection_enabled = true
  # Rate limiting
  request_limit         = 0 # 0 = unlimited (bunny.net auto-manages)
  limit_rate_after      = 0
  limit_rate_per_second = 0
}
```
IF: under active DDoS attack
THEN: bunny.net auto-mitigates — no manual action needed
THEN: monitor via bunny.net dashboard for attack metrics
THEN: notify karel (CDN owner) for post-incident review
## Bot Detection
Bunny Shield detects and blocks malicious bots using behavioural fingerprinting.
Legitimate crawlers (Googlebot, Bingbot) are whitelisted automatically.
IF: bot traffic is high but not blocked
THEN: check Shield is in enforcement mode (not learning mode)
THEN: review bot detection sensitivity settings
CHECK: no CAPTCHAs needed — bunny.net uses transparent fingerprinting
CHECK: legitimate crawlers are not blocked (verify via search console)
## Token Authentication
For protected content (downloads, premium assets), bunny.net supports
URL token authentication.
```hcl
resource "bunnynet_pullzone" "example" {
  # ...
  enable_token_authentication = true
  token_authentication_key    = var.cdn_token_key # From Vault
}
```
Token URLs are generated server-side:
CHECK: token key comes from Vault, never hardcoded
CHECK: token expiry is short-lived (1 hour max for downloads)
CHECK: token includes path restriction to prevent reuse on other URLs
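The server-side signing the page refers to, as an added example that is neither GE code nor bunny.net's reference implementation. It follows bunny.net's published token-authentication scheme as understood here (SHA-256 over key, signed path, expiry, optional client IP and sorted parameters, URL-safe base64 without padding, with `token_path` pinning the token to a path prefix) and enforces the three CHECKs: the key is passed in rather than hardcoded, the TTL is capped at one hour, and `path_allowed` adds the path restriction. The key and URLs are constructed test values, and the hash layout is an assumption to confirm against the vendor's sample code. The same construction can be ported to the Next.js origin.

```python
"""Sign bunny.net token-authentication URLs server-side and verify them the way
the edge would. Added example, not GE code or bunny.net's reference
implementation. Assumed hash layout (check it against the vendor's sample code):
  token = base64url(sha256(key + signed_path + expires + user_ip + sorted_params))
with base64 padding stripped; `token_path` pins the token to a path prefix."""
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit

MAX_TTL = 3600  # page policy: one hour max for download tokens


def _token(key: str, signed_path: str, expires: int, user_ip: str, params: dict):
    """Compute the token; returns (token, sorted parameter list) so the caller
    can emit the parameters in the same order they were hashed."""
    ordered = sorted(params.items())
    param_data = "&".join(f"{k}={v}" for k, v in ordered)
    base = f"{key}{signed_path}{expires}{user_ip}{param_data}"
    digest = hashlib.sha256(base.encode()).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("="), ordered


def sign_url(url: str, key: str, ttl: int = 600, *, path_allowed: str = "",
             user_ip: str = "", now: Optional[float] = None) -> str:
    """Append token and expires to `url`. `key` must come from the secret store
    (Vault here), never from source. `path_allowed` restricts the token to a
    path prefix so it cannot be replayed against other URLs."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError(f"ttl must be between 1 and {MAX_TTL} seconds")
    expires = int(time.time() if now is None else now) + ttl
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    signed_path = parts.path
    if path_allowed:
        signed_path = path_allowed
        params["token_path"] = path_allowed
    token, ordered = _token(key, signed_path, expires, user_ip, params)
    query = (f"token={token}" + "".join(f"&{k}={quote(v)}" for k, v in ordered)
             + f"&expires={expires}")
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{query}"


def verify_url(signed_url: str, key: str, user_ip: str = "",
               now: Optional[float] = None) -> bool:
    """True only if the signature matches, the token is unexpired and the
    requested path lies under token_path (when one was signed in)."""
    parts = urlsplit(signed_url)
    params = dict(parse_qsl(parts.query))
    token = params.pop("token", None)
    expires = params.pop("expires", "")
    if token is None or not expires.isdigit():
        return False
    if int(expires) <= int(time.time() if now is None else now):
        return False
    signed_path = params.get("token_path", parts.path)
    if "token_path" in params and not parts.path.startswith(params["token_path"]):
        return False
    expected, _ = _token(key, signed_path, int(expires), user_ip, params)
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed demo values; the real key is read from Vault at runtime.
    demo_key = "constructed-demo-key"
    signed = sign_url("https://cdn.example.com/downloads/report.pdf", demo_key,
                      ttl=600, path_allowed="/downloads/")
    print(signed)
    print("valid:", verify_url(signed, demo_key))
```

`verify_url` is only needed for tests and for debugging a "403 from the edge" report; in production the edge does the verification. Pinning `token_path` to the download directory rather than the exact file is what keeps one signed link from being reused for other assets.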
## IP Filtering
Block or allow specific IPs and ranges:
IF: blocking TOR/VPN/datacenter IPs
THEN: use Bunny Shield's built-in IP reputation filtering
THEN: do not maintain manual blocklists — they go stale
CHECK: IP blocklists are managed via Terraform, not dashboard
CHECK: blocking rules are reviewed quarterly for false positives
## TLS Configuration

```hcl
resource "bunnynet_pullzone" "example" {
  # ...
  enable_tls_1_3 = true
  # TLS 1.0 and 1.1 are disabled by default
}
```
CHECK: TLS 1.3 enabled on all pull zones
CHECK: TLS 1.0 and 1.1 are NOT enabled
CHECK: free automatic SSL certificates via bunny.net Let's Encrypt integration
IF: client requires custom SSL certificate
THEN: upload via bunny.net API or Terraform
THEN: set auto-renewal reminders (90-day Let's Encrypt, annual for purchased certs)
## Security Headers
bunny.net can inject security headers at the edge:
```hcl
resource "bunnynet_pullzone_edgerule" "security_headers" {
  pullzone_id        = bunnynet_pullzone.example.id
  description        = "Security headers"
  enabled            = true
  action_type        = 15 # Set response header
  action_parameter_1 = "X-Frame-Options"
  action_parameter_2 = "DENY"
  trigger_type       = 0 # Always
}
```
CHECK: security headers are set at both origin (Next.js) AND edge (bunny.net)
CHECK: edge headers supplement, not replace, origin headers
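To make the two CHECKs concrete, here is an added example (not project code) that applies this page's edge rule on top of the headers the origin sends and audits the result. The required-header policy and the sample origin headers are assumptions made for the example; the point it shows is that the edge rule fills a gap in what the origin sends, but the edge rule alone does not make a response pass.

```python
"""Check a response's security headers and simulate this page's edge rule
(action_type 15, set response header) on top of origin headers.
Added example, not project code; the policy and sample headers are constructed."""
import re

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age this example requires


def apply_edge_rules(origin_headers: dict, edge_rules: list) -> dict:
    """Merge edge 'set response header' rules over origin headers
    (header names compared case-insensitively). The edge supplements the
    origin's set; it never removes what the origin sent."""
    merged = {k.lower(): v for k, v in origin_headers.items()}
    for rule in edge_rules:
        if rule.get("enabled", True) and rule.get("action_type") == 15:
            merged[rule["action_parameter_1"].lower()] = rule["action_parameter_2"]
    return merged


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the response passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


# Constructed: what the Next.js origin sends, and the edge rule from this page.
ORIGIN_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
EDGE_RULES = [
    {"description": "Security headers", "enabled": True, "action_type": 15,
     "action_parameter_1": "X-Frame-Options", "action_parameter_2": "DENY"},
]

if __name__ == "__main__":
    print("origin only:  ", audit_security_headers(ORIGIN_HEADERS))
    print("origin + edge:", audit_security_headers(apply_edge_rules(ORIGIN_HEADERS, EDGE_RULES)))
```

In practice feed `audit_security_headers` the headers from a real fetch of a production URL (through the CDN) and of the origin directly, and compare the two finding lists: a header present only through the CDN means the origin is relying on the edge.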
## WAF Logging
WAF logs show blocked requests, triggered rules, and traffic patterns; they are
essential for tuning rules and investigating incidents.
IF: investigating a security incident
THEN: check WAF logs for the affected pull zone
THEN: filter by time range, rule group, and source IP
THEN: correlate with origin access logs
CHECK: WAF logging is enabled on all production pull zones
CHECK: logs retained for minimum 30 days (compliance requirement)
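The investigation steps above, worked through in code as an added example (not project tooling): filter WAF records by time range, rule group and source IP, then correlate each hit with the origin access log. A request the WAF reports as blocked that nevertheless shows up at the origin within a few seconds is the thing to look for; it usually means the zone is still in log-only mode or the origin is reachable without going through the CDN. The WAF record schema and both log samples are constructed for the example, and bunny.net's real log fields will differ.

```python
"""Filter bunny.net WAF records and correlate them with origin access logs.
Added example, not project tooling. The WAF record fields and both log samples
are constructed for this example; the real bunny.net log schema will differ."""
import json
import re
from datetime import datetime, timedelta

# Constructed WAF records (JSON lines, assumed schema).
WAF_LOG = """\
{"ts":"2026-03-20T10:15:02Z","pullzone":"ge-web-prod","rule_group":"SQL Injection","action":"block","src_ip":"203.0.113.7","path":"/api/search?q=1%27+OR+1%3D1"}
{"ts":"2026-03-20T10:15:03Z","pullzone":"ge-web-prod","rule_group":"XSS","action":"block","src_ip":"203.0.113.7","path":"/comment"}
{"ts":"2026-03-20T10:16:40Z","pullzone":"ge-web-prod","rule_group":"Path Traversal","action":"log","src_ip":"198.51.100.9","path":"/static/..%2F..%2Fetc%2Fpasswd"}
{"ts":"2026-03-20T11:05:00Z","pullzone":"ge-web-prod","rule_group":"SQL Injection","action":"block","src_ip":"192.0.2.44","path":"/login"}
"""

# Constructed origin access log (common log format).
ORIGIN_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:15:03 +0000] "POST /comment HTTP/1.1" 200 512
198.51.100.9 - - [20/Mar/2026:10:16:40 +0000] "GET /static/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 153
192.0.2.44 - - [20/Mar/2026:11:05:00 +0000] "POST /login HTTP/1.1" 200 98
"""

ORIGIN_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _ts(value):
    """Accept an aware datetime or an ISO-8601 string (with Z) and return an aware datetime."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_waf(text: str) -> list:
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = _ts(r["ts"])
    return records


def parse_origin(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = ORIGIN_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
                            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return entries


def filter_waf(records, start, end, rule_group=None, src_ip=None) -> list:
    """Runbook step 2: narrow WAF hits by time window, rule group and source IP."""
    start, end = _ts(start), _ts(end)
    return [r for r in records
            if start <= r["ts"] <= end
            and (rule_group is None or r["rule_group"] == rule_group)
            and (src_ip is None or r["src_ip"] == src_ip)]


def correlate(waf_records, origin_entries, window=timedelta(seconds=5)) -> list:
    """Runbook step 3: for each WAF hit, look for the same client and path at the
    origin within `window`. A hit marked "block" that still reached the origin
    is an anomaly (log-only mode, or the origin is reachable around the CDN)."""
    findings = []
    for r in waf_records:
        path = r["path"].split("?", 1)[0]
        reached = any(o["ip"] == r["src_ip"] and o["path"].split("?", 1)[0] == path
                      and abs(o["ts"] - r["ts"]) <= window for o in origin_entries)
        findings.append({"ts": r["ts"].isoformat(), "src_ip": r["src_ip"],
                         "rule_group": r["rule_group"], "action": r["action"],
                         "reached_origin": reached,
                         "anomaly": r["action"] == "block" and reached})
    return findings


if __name__ == "__main__":
    waf, origin = parse_waf(WAF_LOG), parse_origin(ORIGIN_LOG)
    for f in correlate(waf, origin):
        if f["anomaly"]:
            print("blocked request reached origin:", f)
```

The correlation key is deliberately loose (client IP, path without query string, a few seconds of clock skew) because the edge and origin timestamp requests independently; tighten `window` once you know the real skew between the two log sources.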
## Cross-References
READ_ALSO: wiki/docs/stack/bunnynet/index.md
READ_ALSO: wiki/docs/stack/bunnynet/cdn.md
READ_ALSO: wiki/docs/stack/bunnynet/edge.md
READ_ALSO: wiki/docs/stack/bunnynet/pitfalls.md
READ_ALSO: wiki/docs/stack/bunnynet/checklist.md
READ_ALSO: wiki/docs/stack/kubernetes/security.md