Discourse + Web Application Firewall (WAF) mod_security

I think the desire for some magic device that auto-mitigates issues is somewhat misguided in the Discourse setup. We have a bounty program, and we patch issues in Discourse within hours of when they are reported. Sites run tests-passed by default, which in today’s case contains commits from today.

Sure, if you are running software that was exploited years ago and you have no freedom to upgrade cause … reasons … a WAF makes sense cause it could save you. But in the case of Discourse, I think it is at best misguided.

2 Likes