WAF (Web Application Firewall)
Last updated: 2026-03-05
What Is WAF
A WAF (Web Application Firewall) is a security product that inspects HTTP/HTTPS traffic to web applications and detects and blocks malicious requests. While traditional firewalls control IP addresses and port numbers at the network layer (L3/L4), a WAF analyzes the contents of HTTP requests at the application layer (L7).
It can defend against web application-specific attacks such as XSS, SQL injection, CSRF, and directory traversal. Many of the vulnerabilities listed in the OWASP Top 10 can be mitigated by a WAF. However, a WAF is only a "mitigation measure" and cannot replace fixing the vulnerabilities in the application itself.
WAF Detection Methods
- Signature-based (blacklist approach): Detects by matching against known attack patterns (signatures), for example string patterns like "SELECT * FROM" or "<script>" in requests. Has high detection rates for known attacks but is weak against unknown attacks or obfuscation techniques that evade signatures.
- Whitelist approach: Defines patterns for normal requests and blocks everything else. Can handle unknown attacks, but generates many false positives if normal request definitions are incomplete. Effective when input formats are strictly defined, such as with APIs.
- Scoring approach: Adds violation scores across multiple rules and blocks requests that exceed a threshold. Flexibly handles gray-area attacks that are difficult to judge with a single rule. ModSecurity's Anomaly Scoring Mode uses this approach.
- Machine learning-based: Learns normal traffic patterns and detects requests that deviate as anomalies. Can potentially handle unknown attacks, but depends on training data quality and is difficult to tune for false positives.
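The following is an added example, not code from the article or from ModSecurity, showing how the signature and scoring approaches above fit together: each request parameter is matched against a small signature set, every match adds anomaly points, and the request is blocked only when the summed score reaches a threshold. The rule IDs, patterns, point values and threshold are all constructed for illustration. A single weak hint (SQL-looking words in ordinary text) stays below the threshold, while two weak hints or one strong indicator cross it; the normalize step also shows why percent-decoding before matching matters.

```python
# Added example (not ModSecurity code): a minimal anomaly-scoring request
# filter in the style the article attributes to ModSecurity's Anomaly Scoring
# Mode. Rule IDs, patterns, point values and the threshold are constructed.
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Rule:
    rule_id: str      # constructed identifier, not a real CRS rule number
    description: str
    pattern: re.Pattern
    points: int       # anomaly points added when the pattern matches


# Constructed signature set. Weak hints score low so that one alone does not
# block; strong indicators score at or above the threshold on their own.
RULES = (
    Rule("SQLI-KEYWORDS", "SQL verb followed by FROM",
         re.compile(r"\b(select|union|insert|delete|drop)\b.{0,40}\bfrom\b", re.I), 3),
    Rule("SQLI-TAUTOLOGY", "OR <x>=<y> comparison",
         re.compile(r"""\bor\b\s+['"]?\w+['"]?\s*=\s*['"]?\w+['"]?""", re.I), 3),
    Rule("SQLI-COMMENT", "trailing SQL comment",
         re.compile(r"--\s*$|/\*"), 2),
    Rule("XSS-SCRIPT-TAG", "opening <script> tag",
         re.compile(r"<\s*script\b", re.I), 5),
    Rule("XSS-EVENT-HANDLER", "inline event handler attribute",
         re.compile(r"\bon\w+\s*=", re.I), 3),
    Rule("LFI-TRAVERSAL", "directory traversal sequence",
         re.compile(r"\.\./"), 5),
)

BLOCK_THRESHOLD = 5  # summed points at or above this value are blocked


def normalize(value: str) -> str:
    """Decode percent-encoding twice so that a doubly encoded payload such as
    %253Cscript%253E is inspected as the <script> it becomes once the
    application decodes it."""
    return unquote_plus(unquote_plus(value))


@dataclass
class Verdict:
    score: int
    matches: list   # (rule_id, parameter name) pairs
    action: str     # ALLOW, DETECT (logged only) or BLOCK


def evaluate(params: dict, blocking: bool = True) -> Verdict:
    """Score every request parameter against all rules and decide an action.
    With blocking=False the filter runs in detection mode: score and matches
    are recorded exactly as in blocking mode, but nothing is blocked."""
    score = 0
    matches = []
    for name, raw in params.items():
        text = normalize(raw)
        for rule in RULES:
            if rule.pattern.search(text):
                score += rule.points
                matches.append((rule.rule_id, name))
    if score < BLOCK_THRESHOLD:
        action = "ALLOW"
    else:
        action = "BLOCK" if blocking else "DETECT"
    return Verdict(score, matches, action)


if __name__ == "__main__":
    # Constructed sample inputs covering a true positive, a gray-area benign
    # input, an encoded payload and a traversal attempt.
    samples = {
        "classic injection": {"id": "1 or 1=1 --"},
        "benign text with SQL words": {"comment": "please select a product from the list"},
        "double-encoded script tag": {"q": "%253Cscript%253Ealert(1)%253C%252Fscript%253E"},
        "traversal": {"file": "../../etc/passwd"},
    }
    for label, params in samples.items():
        v = evaluate(params, blocking=False)
        print(f"{label:28} score={v.score:<2} action={v.action:6} rules={[r for r, _ in v.matches]}")
```

Run it directly to see each sample's score, action and matching rules in detection mode. Note how "1 or 1=1 --" reaches the threshold only through two low-scoring rules combined, which is exactly the gray-area case a single signature would either miss or over-block.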
WAF Deployment Models
WAFs are classified into three deployment models.
- Cloud WAF: Routes traffic through the cloud WAF by changing DNS. AWS WAF, Cloudflare WAF, and Akamai are representative examples. Easy to deploy, and DDoS attack protection is often integrated. Low initial cost with monthly billing.
- Appliance-based: Dedicated hardware installed on the network. Offers high throughput and fine-grained customization, but has high initial costs and requires specialized expertise to operate. Suited for large enterprises.
- Software-based (host-based): Installed as a module on the web server. ModSecurity is a representative example. Free and open source, but requires high expertise for rule creation and tuning.
Cloud WAFs are suitable for small sites, while appliance-based WAFs are suited for large environments requiring fine-grained control. In AWS environments, AWS WAF can be integrated with CloudFront or ALB without infrastructure changes.
Practical WAF Operation Tips
A WAF is not "deploy and forget" - continuous tuning is essential.
- False positive management: The biggest operational challenge with WAFs is false positives. Blocking legitimate requests directly harms user experience. During initial deployment, operate in detection mode (logging only) to understand false positive patterns before switching to blocking mode.
- Regular rule updates: Attack techniques evolve daily, so even when using managed rule sets, regularly check that new rules have been added and that existing rules remain effective.
- Log analysis: WAF logs are essential for security incident investigation. Analyze patterns of blocked requests to understand attack trends.
- Combined with CSP: While WAF filters requests on the server side, CSP restricts script execution on the browser side. Combining both achieves defense in depth against XSS.
A WAF does not fundamentally fix application vulnerabilities. Rather than relying solely on a WAF, it is important to combine it with application-level countermeasures such as secure coding, input validation, and parameterized queries.
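As an added example, not from the article or any WAF vendor, the script below performs the kind of log review the operation tips call for: it parses newline-delimited JSON WAF logs, counts blocks per rule and per client, and separately reports rules still running in detection (count) mode so their hits can be reviewed before they are promoted to blocking. The log lines are constructed, and the JSON layout and field names (action, terminatingRuleId, httpRequest.clientIp, httpRequest.uri) are assumptions for illustration that need adapting to the export format of the WAF actually in use.

```python
# Added example: summarising WAF logs for operational review. The records
# below are constructed and the field names are assumptions, not a specific
# vendor's log schema.
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON object per line, as a log shipper would deliver it.
SAMPLE_LOG = """
{"timestamp": 1772668800, "action": "BLOCK", "terminatingRuleId": "SQLi-Managed", "httpRequest": {"clientIp": "203.0.113.10", "uri": "/login", "httpMethod": "POST"}}
{"timestamp": 1772668805, "action": "BLOCK", "terminatingRuleId": "SQLi-Managed", "httpRequest": {"clientIp": "203.0.113.10", "uri": "/search", "httpMethod": "GET"}}
{"timestamp": 1772668811, "action": "BLOCK", "terminatingRuleId": "XSS-Managed", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/comment", "httpMethod": "POST"}}
{"timestamp": 1772668820, "action": "COUNT", "terminatingRuleId": "RateLimit-Custom", "httpRequest": {"clientIp": "192.0.2.55", "uri": "/api/export", "httpMethod": "GET"}}
{"timestamp": 1772668821, "action": "COUNT", "terminatingRuleId": "RateLimit-Custom", "httpRequest": {"clientIp": "192.0.2.56", "uri": "/api/export", "httpMethod": "GET"}}
{"timestamp": 1772668830, "action": "ALLOW", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "192.0.2.1", "uri": "/", "httpMethod": "GET"}}
{"timestamp": 1772668840, "action": "BLOCK", "terminatingRuleId": "SQLi-Managed", "httpRequest": {"clientIp": "203.0.113.11", "uri": "/login", "httpMethod": "POST"}}
"""


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank or malformed lines so one
    bad record does not abort the whole review."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize(records: list) -> dict:
    """Aggregate the figures an operator reviews before and after tuning."""
    blocks_by_rule = Counter()
    blocked_ips = Counter()
    blocked_uris_by_rule = defaultdict(set)
    count_mode = defaultdict(lambda: {"hits": 0, "uris": set(), "ips": set()})
    for rec in records:
        req = rec.get("httpRequest", {})
        rule = rec.get("terminatingRuleId", "unknown")
        action = rec.get("action")
        if action == "BLOCK":
            blocks_by_rule[rule] += 1
            blocked_ips[req.get("clientIp", "unknown")] += 1
            blocked_uris_by_rule[rule].add(req.get("uri", ""))
        elif action == "COUNT":
            entry = count_mode[rule]
            entry["hits"] += 1
            entry["uris"].add(req.get("uri", ""))
            entry["ips"].add(req.get("clientIp", "unknown"))
    return {
        "blocks_by_rule": dict(blocks_by_rule),
        "top_blocked_ips": blocked_ips.most_common(3),
        "blocked_uris_by_rule": {r: sorted(u) for r, u in blocked_uris_by_rule.items()},
        # Rules still in detection (count) mode: review hits, affected URIs and
        # client spread before promoting the rule to blocking.
        "count_mode_review": {
            r: {"hits": e["hits"], "uris": sorted(e["uris"]), "distinct_ips": len(e["ips"])}
            for r, e in count_mode.items()
        },
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_log(SAMPLE_LOG)), indent=2))
```

The count_mode_review section is the piece that supports the "detection mode first" advice: a rule whose hits all land on one legitimate endpoint from many distinct clients is more likely a false-positive pattern than an attack, and should be tuned before it is switched to blocking.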
To learn more about this topic, see Firewall Basics: Your First Line of Network Defense.
Common Misconceptions
- Deploying a WAF completes web application vulnerability countermeasures
  - A WAF mitigates known attack patterns, but the application's vulnerabilities remain. Techniques to bypass WAF rules exist, so fundamental vulnerability fixes and secure coding are essential.
- A WAF can prevent all web attacks
  - Business logic abuse (unauthorized discounts, privilege escalation, etc.) and credential theft (phishing) - attacks indistinguishable from normal requests - cannot be detected by a WAF. WAFs excel at detecting syntactically abnormal requests like SQL injection and XSS.
Cloud WAF vs. Appliance WAF Comparison
Cloud WAF
Deployable via DNS changes. Low initial cost with integrated DDoS protection. Low operational burden with managed rules. However, customization flexibility depends on the vendor, and costs may increase with traffic-based billing.
Appliance WAF
Installed within the company's network. Offers high throughput and fine-grained rule customization. However, initial costs are high, and rule creation and tuning require specialized expertise. Hardware maintenance and updates must also be handled in-house.