
BunnyShield Review: 3 Things Need Improvement

I tested BunnyShield by Bunny.net and found three things that need attention: false positives, bot management and observability.

Bunny.net launched the BunnyShield Preview earlier this year. It bundles a Web Application Firewall (WAF), DDoS mitigation and rate-limiting controls into their Content Delivery Network (CDN) platform. I’ve been testing it on a few real-world projects over the last few weeks to see how ready it is and how easy it is to use.

Spoiler: BunnyShield is really easy to use, and the first-run experience is excellent. It’s a solid start for an accessible WAF, but there are a few key improvements needed to make it a production-ready web security product.

Here’s a quick rundown of the things I noticed and the problems I came across. It’s meant to show what’s working well now and where BunnyShield could be improved before it leaves the “Preview” stage.

What BunnyShield Gets Right

Initial User Experience & Setup Simplicity

BunnyShield carries on Bunny.net’s tradition of clean, usable interfaces. As always, you only need to do the bare minimum to get things done. It was easy enough to enable the service and set up firewall or rate limit rules. For smaller sites and teams without dedicated security personnel, this kind of usability is invaluable.

Default Security Coverage

The out-of-the-box rules catalogue seems pretty reasonable to me, catching common threats without overwhelming users with complex tuning. For most users, this makes BunnyShield a no-brainer for basic web protection.

What Needs Improvement

Certificate Renewal Blocked by WAF

One of the most critical issues I encountered was BunnyShield blocking HTTP-01 challenges from Let’s Encrypt. This sometimes seems to stop the automatic TLS certificate renewals through Bunny’s own certificate mechanism, which could cause service disruptions if not caught in time.

The good news is that Bunny’s support team have already said they know about the problem and are working on a fix. For now, users relying on HTTP-01 validation (e.g. by using the built-in BunnyCDN certificate management) should proceed with caution or disable the WAF.

No Bot Allowlisting for Good Bots like Ahrefs or Semrush

At the moment, BunnyShield doesn’t offer any particular bot management solution. This means there’s no way to tell the difference between harmful bots and legit crawlers (like Ahrefs, Semrush, and other SEO tools). I saw this causing these “good bots” to be blocked, which harmed my SEO audits and (potentially) visibility.

It’d be great to add a bot management layer, or at least some simple allowlisting functionality for expected crawlers. The reverse case matters too: I’m sure some people would love to trap rogue or misbehaving AI scraper bots in a maze.

Overall, I’d love to see Bunny hop on board with the HTTP Message Signatures bandwagon that Cloudflare recently kicked off.

Limited Logging and Visibility into WAF Events

There’s a clear gap between the 403 traffic logs and the WAF event logs. I can see that requests were blocked, but there’s no clear traceability to which specific WAF rule was triggered and why. This makes it tricky to debug false positives or fine-tune firewall behaviour, especially when you’re dealing with a lot of data.

Missing WAF Error Code Lookup Tool

When BunnyShield blocks a request, it returns a 403 with a unique deny code (e.g. WAF403-XXXX). Unfortunately, there doesn’t seem to be a lookup tool for these codes at the moment. If we could get a dashboard-integrated lookup, that’d make a big difference to WAF rule debugging.

Final Thoughts: Promising Foundations, But Still in Beta

All in all, the BunnyShield Preview is doing really well, especially when it comes to how easy it is to use. It’s accessible, integrated tightly into the Bunny.net platform, and it’s already solving basic security needs for many developers.

That said, there are a few key things that need to be sorted for BunnyShield to become a great product. For example, observability, bot management and configurability need to be improved.

I’m excited to see how this product develops, and I’ll definitely be keeping an eye on the next updates.

Got Feedback or Similar Experiences?

Have you had a chance to try out BunnyShield yet? Have you had the same problems? Have you found any workarounds yet? I’d love to hear about your experience; just send me a message on Bluesky or Mastodon.

Let’s help make BunnyShield a secure, modern WAF that everyone can use.
