This is a general topic on web login protection. In addition to the 2FA available,
a WAF allows admins with their own publicly hosted Xibo CMS to enhance security for the Xibo CMS in many aspects.
Assuming that the CMS uses an SSL certificate over 443, there still needs to be a distinct understanding of how the players (any type/platform of player) connect to the server,
as it uses the same ports 443 and 9505. However, if it has access to different paths than the user login and cross-site browse endpoints,
this allows the CMS admin to set a WAF and limit access to the login page to selected public IPs, client certificates, etc.,
while maintaining “free” access for the players to connect without the need to have a static public IP, for instance.
Is there any good practice for WAF rules (such as Cloudflare) for a publicly hosted Xibo CMS?