Back to Product Features

WAF Waiting Room | NOC.org Support

The WAF Waiting Room is a NOC feature that queues visitors when your site experiences traffic spikes that could overwhelm your origin server. Instead of visitors receiving error pages or your server crashing under load, the waiting room holds excess visitors in a queue and releases them to your site in controlled batches as capacity becomes available.

Why Use a Waiting Room

Traffic spikes can happen for many reasons — product launches, flash sales, viral social media posts, breaking news, or scheduled events like ticket releases. When the number of concurrent visitors exceeds what your origin server can handle, the result is typically slow response times, 502/503 errors, or a complete server crash.

A waiting room prevents this by acting as a buffer between the CDN edge and your origin. It ensures that only a manageable number of visitors reach your server at any given time, while others wait in a branded queue page until their turn arrives.

How It Works

The waiting room operates at the WAF layer, which sits between the CDN edge and your origin server:

  1. Threshold monitoring: The WAF tracks the number of active sessions reaching your origin server. When the count exceeds your configured threshold, the waiting room activates.
  2. Queue placement: New visitors who arrive after the threshold is reached are placed in a first-in-first-out (FIFO) queue. They see a waiting room page that displays their position in the queue and an estimated wait time.
  3. Controlled release: As existing visitors complete their sessions or leave your site, the waiting room releases queued visitors in order. The release rate is controlled to prevent re-triggering the threshold.
  4. Session tracking: Visitors who pass through the waiting room receive a session cookie. This ensures they are not sent back to the queue if they navigate between pages on your site during their session.

Configuring the Waiting Room

The waiting room is configured through the NOC dashboard under your site's WAF settings:

  • Active session limit: Set the maximum number of concurrent active sessions allowed on your origin. This should match your server's capacity. For example, if your server handles 500 concurrent users comfortably, set the limit to 500.
  • Session duration: Define how long a visitor's session lasts before it expires and frees a slot. Default is 30 minutes of inactivity.
  • Queue page: Customize the waiting room page that queued visitors see. You can set a custom message, estimated wait time display, and auto-refresh interval.
  • Paths to protect: Apply the waiting room to specific URL paths (e.g., /checkout, /tickets) or to your entire site. Protecting only critical paths lets general visitors browse freely while controlling access to high-demand pages.
  • Bypass rules: Allow specific IP addresses, user agents, or authenticated users to bypass the waiting room. This is useful for administrators, monitoring bots, or API clients that should not be queued.

Waiting Room Page

The waiting room page is served directly from the NOC edge, so it does not add any load to your origin server. The default waiting room page includes:

  • A message explaining that the site is experiencing high traffic.
  • The visitor's position in the queue.
  • An estimated wait time based on current session turnover rate.
  • Automatic page refresh to check queue status without requiring the visitor to manually reload.

You can customize the waiting room page content and styling through the NOC dashboard to match your site's branding.

Best Practices

  • Set realistic thresholds: Test your origin server's capacity before setting the active session limit. Setting it too high defeats the purpose. Setting it too low creates unnecessary queuing.
  • Pre-activate for scheduled events: If you know a traffic spike is coming (product launch, sale), enable the waiting room before the event starts rather than waiting for the spike to trigger issues.
  • Protect critical paths only: For e-commerce sites, apply the waiting room to checkout and cart pages rather than the entire site. Let visitors browse products freely and only queue them when they attempt to complete a purchase.
  • Monitor queue metrics: Use the NOC dashboard to track queue length, wait times, and session turnover during events. This data helps you optimize thresholds for future events.
  • Combine with CDN caching: Ensure your static assets are cached by the CDN so that queued visitors do not create additional origin load. Only dynamic, uncacheable requests should count toward your session limit.

Improve Your Websites Speed and Security

14 days free trial. No credit card required.

Get Started