WAF (Web Application Firewall)
Definition
A WAF (Web Application Firewall) is a security control that inspects, filters, logs and blocks HTTP/HTTPS traffic to and from a web application. Unlike a traditional firewall, which filters on IP addresses, ports and protocols, a WAF parses application-layer content (request line, headers, query string, body) and matches it against rules that describe malicious patterns. To inspect HTTPS it must terminate or otherwise decrypt TLS, which is why WAFs are usually deployed as a reverse proxy or as a module inside the web server.
WAFs help mitigate OWASP Top 10 classes of attack such as SQL injection and cross-site scripting (XSS) by blocking known attack patterns before they reach the application. They are a compensating control, not a substitute for fixing the vulnerable code: signature-based rules can be bypassed by encoding or obfuscation, and they also produce false positives, so rules have to be tuned per application.
WAF Types
| Type | Deployment | How it works |
|---|---|---|
| Network-based | On-prem | Hardware or virtual appliance placed inline in front of the web servers |
| Cloud-based | SaaS | Reverse proxy run by the provider in front of the origin (Cloudflare, AWS WAF) |
| Host-based | On-server | Module loaded into the web server itself (ModSecurity for Apache/Nginx) |
Protection Capabilities
- SQL injection prevention: matches request fields against SQL injection patterns (tautologies, UNION SELECT, stacked queries) after decoding and normalising them
- XSS prevention: blocks cross-site scripting payloads such as script tags, javascript: URIs and inline event handlers
- CSRF protection: can check Origin/Referer headers against the expected site; this is partial, and token-based CSRF defence still belongs in the application
- Rate limiting: throttles per-client request rates to slow brute-force and credential-stuffing attacks and to absorb application-layer (L7) DDoS
- Bot management: identifies and blocks malicious automated clients using signatures, behaviour and challenges
- Geo-blocking: restricts traffic from specific regions based on client IP
- Custom rules: user-defined rules for application-specific needs (for example, allow only known paths and parameter formats)
- OWASP Core Rule Set (CRS): open-source generic rule set maintained by OWASP, the default for ModSecurity and offered as managed rules by several cloud WAFs
WAF Modes
| Mode | Behaviour | Use case |
|---|---|---|
| Detection/Logging | Inspects every request and logs those that would have been blocked, but lets them through | Tuning rules and measuring false positives before enforcement |
| Blocking | Actively denies requests that match rules (typically with HTTP 403) | Production protection |
| Allowlist (positive security model) | Only explicitly permitted requests pass; everything else is denied | High-security environments with a well-defined request surface |
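The following toy rule engine, an added example that is not code from any WAF product or rule set named on this page, shows the three pieces the definition, the capability list and the mode table describe: request fields are normalised (double URL-decoded, lower-cased) and then matched against a handful of hypothetical SQLi/XSS/traversal signatures with CRS-style IDs, a per-client rate limit is applied, and the verdict depends on whether the engine runs in detection, blocking or allowlist mode. The rule IDs, the sample requests and the client IPs are constructed for illustration.

```python
"""Toy layer-7 WAF rule engine: normalise request fields, match signature
rules, enforce a per-client rate limit, and act according to the engine mode.
Added illustration only; not the code of any WAF product named on this page."""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
from urllib.parse import unquote_plus


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    rule_id: str       # hypothetical IDs, loosely following CRS numbering
    name: str
    pattern: re.Pattern


# Deliberately small signature set for illustration; real rule sets such as
# OWASP CRS contain hundreds of rules plus anomaly scoring.
RULES = [
    Rule("942100", "SQLi: tautology, UNION SELECT or stacked DROP",
         re.compile(r"(\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+(all\s+)?select\b|;\s*drop\b)")),
    Rule("941100", "XSS: script tag, javascript: URI or event handler",
         re.compile(r"(<script\b|javascript:|\bon\w+\s*=)")),
    Rule("930100", "Path traversal", re.compile(r"(\.\./|\.\.\\)")),
]


def normalise(value: str) -> str:
    """Transform a raw field the way a WAF does before matching: decode
    percent-encoding twice (so %2527 -> %27 -> '), lower-case, collapse
    whitespace. Skipping this step is the classic source of trivial bypasses."""
    out = value
    for _ in range(2):
        out = unquote_plus(out)
    return re.sub(r"\s+", " ", out).lower()


class WafEngine:
    def __init__(self, mode: str = "detection", rate_limit: int = 5,
                 window_s: float = 60.0, allowed_paths: Optional[Set[str]] = None):
        assert mode in ("detection", "blocking", "allowlist")
        self.mode = mode
        self.rate_limit = rate_limit          # requests per client per window
        self.window_s = window_s
        self.allowed_paths = allowed_paths or set()
        self._hits: Dict[str, List[float]] = {}
        self.log: List[str] = []              # what a SIEM would receive

    def _matched_rules(self, req: Request) -> List[Rule]:
        fields = [req.path, req.query, req.body, *req.headers.values()]
        normalised = [normalise(f) for f in fields]
        return [r for r in RULES if any(r.pattern.search(f) for f in normalised)]

    def _rate_limited(self, ip: str, now: float) -> bool:
        recent = [t for t in self._hits.get(ip, []) if now - t < self.window_s]
        recent.append(now)
        self._hits[ip] = recent
        return len(recent) > self.rate_limit

    def handle(self, req: Request, now: Optional[float] = None) -> str:
        """Return 'pass', 'log-only' or 'block' for one request."""
        now = time.time() if now is None else now
        reasons = [f"{r.rule_id} {r.name}" for r in self._matched_rules(req)]
        if self._rate_limited(req.client_ip, now):
            reasons.append("rate limit exceeded")
        if self.mode == "allowlist" and req.path not in self.allowed_paths:
            reasons.append("path not in allowlist")
        if not reasons:
            return "pass"
        self.log.append(f"{req.client_ip} {req.method} {req.path} -> {'; '.join(reasons)}")
        # Detection mode records what *would* be blocked and lets the request through;
        # the other modes deny it (the web server would answer 403).
        return "log-only" if self.mode == "detection" else "block"


if __name__ == "__main__":
    waf = WafEngine(mode="blocking")
    for q in ("q=shoes", "q=%2527%2520or%25201%253d1", "online=true"):
        print(q, "->", waf.handle(Request("203.0.113.7", "GET", "/search", q)))
    print(*waf.log, sep="\n")
```

Note the last query in the demo: `online=true` is perfectly benign but trips the toy event-handler regex (`\bon\w+\s*=`), which is exactly the kind of false positive the detection/logging mode exists to surface before a rule is switched to blocking.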
Popular WAF Solutions
| Solution | Type | Notes |
|---|---|---|
| Cloudflare WAF | Cloud | Free tier available, easy setup; runs at the CDN edge |
| AWS WAF | Cloud | Attaches to CloudFront, ALB and API Gateway |
| ModSecurity | Host-based | Open-source engine with Apache/Nginx connectors; typically run with OWASP CRS |
| Imperva WAF | Cloud/On-prem | Enterprise-focused |
| F5 BIG-IP ASM (now Advanced WAF) | On-prem | Enterprise hardware or virtual appliance |
| NGINX App Protect WAF | Host-based | Commercial F5 module for NGINX Plus |
WAF vs Traditional Firewall
| Feature | WAF | Traditional firewall |
|---|---|---|
| OSI layer | 7 (Application) | 3-4 (Network/Transport) |
| Inspects | HTTP/HTTPS content: URL, headers, parameters, body | IP addresses, ports, protocols |
| Protects | Web applications | Network boundaries |
| Rules | URL patterns, payload signatures, rate limits | IP/port/protocol rules |
| Use case | SQLi, XSS, CSRF, application-layer (L7) DDoS | Unauthorized network access, volumetric (L3/L4) DDoS |
Related
- Cdn — cloud WAFs are commonly delivered at the edge of a CDN's reverse-proxy network
- Firewall — traditional network-level (L3/L4) protection
- Tls — a WAF must terminate or otherwise decrypt TLS to inspect HTTPS request content
- OWASP — WAF rule sets such as the Core Rule Set target the OWASP Top 10