Inspect and configure WAF protection for a Power Pages production site.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "manage-firewall" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/power-platform-skills/main/plugins/power-pages/skills/manage-firewall/SKILL.md 2. Save it as ~/.claude/skills/manage-firewall/SKILL.md 3. Reload skills and tell me it's ready
Inspect the current WAF configuration for my Power Pages production site, tell me whether protection is enabled, and explain any gaps against common web attacks or bots.
A summary of the current WAF status, key configuration details, and recommendations to enable or strengthen protection.
Please add rate limiting to my Power Pages login page to reduce brute-force risk, and explain the recommended threshold, time window, and scope.
A rate-limit rule plan for the login page, including recommended parameters and the purpose of the protection.
Help me update the WAF rules: block traffic from specific countries and restrict certain admin paths to authorized sources only; also list the new or modified rules.
An updated list of country-blocking and path access control rules, with an explanation of what each rule does.
Plugin check: Run
node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js"— if it outputs a message, show it to the user before proceeding.
Configure the firewall for a Power Pages production site. The firewall is only available on production sites and in supported regions — the scripts detect and report eligibility issues. After rule changes, edge propagation takes up to one hour.
Initial request: $ARGUMENTS
.powerpages-site/website.yml stores the website record id, not the portal id. Every script takes --portalId. Resolve once via website.js --websiteId during prerequisites.enable.js and disable.js poll until the status reaches the target value (or timeout). delete-rules.js returns immediately (202) — verify via get-rules.js.B003 means another enable/disable is in flight. Poll status until it settles, then retry.EnabledState: "Disabled" inside RuleGroupOverrides — managed rule fields use PascalCase).set-rules.js is additive / update-only. Send only rules being created or modified. The service merges them; existing rules not in the payload are untouched.delete-rules.js to remove rules. set-rules.js cannot remove. Always use delete-rules.js --names.Created is the only "enabled" state. get-status.js returns value: "Created" when the firewall is enabled and actively filtering (counter-intuitive — the API does NOT use "Enabled"). Any other value (Disabled, None, Enabling, Disabling, Failed) means no active policy exists. MUST call get-status.js first and only invoke get-rules.js when value is Created — otherwise the rules endpoint returns a 500 and the whole firewall section gets skipped in the report.Create tasks in three groups. Mark each in_progress when starting, completed when done.
| Group | When to create | Tasks |
|---|---|---|
| 1 | At start | Check prerequisites |
| 2 | After prerequisites pass | Check firewall state · Choose an action (skip in review mode) |
| 3 | After user confirms an action | Apply the change (skip in review mode OR no change action was chosen) · Summarize and next steps (always) |
Use Glob to find **/powerpages.config.json. If $ARGUMENTS contains --review <out-dir>, remember the output directory — Steps 3–4 are skipped and Step 5 writes JSON only.
Read .powerpages-site/website.yml → extract id field → that is <WEBSITE_ID>.
If missing, the site has not been deployed. Tell the user and recommend /deploy-site. Stop. Do not resolve by name or URL.
Resolve to portalId:
node "${CLAUDE_PLUGIN_ROOT}/scripts/website.js" --websiteId "<WEBSITE_ID>"
Capture Id (portalId), Type, Name, WebsiteUrl. If exit code 2 → sign-in required (pac auth create or az login). If null → site not found in this environment. Stop in either case.
…
Review and fix Power Pages security headers, CSP, CORS, cookies, and embedding settings.
Run an end-to-end Power Pages security review with a consolidated HTML report.
Test deployed Power Pages sites with browsing, crawling, and API verification.
Add a data source or connector to a Power Apps code app.
Add Azure DevOps to Power Apps for work items, bugs, pipelines, and API calls.
Set up Power Platform Pipelines for automated Power Pages deployments.
Query and analyze Imperva Cloud WAF sites, domains, policies, and rules.
Manage Check Point CloudGuard WAF assets, settings, and policies using natural language.
Set up authentication, authorization, and identity providers for Power Pages sites.
Integrate Power Automate cloud flows into Power Pages with generated metadata and code.
Activate and provision a Power Pages site in a Power Platform environment.
Add essential SEO settings to Power Pages sites for better visibility and sharing.