What is a Web Application Firewall (WAF)?

by Hannah Grace Holladay / August 29th, 2022

A web application firewall (WAF) sits between web applications and the internet. It monitors inbound traffic and filters malicious requests before they reach the potentially vulnerable application. This article explores WAFs, how they work, the most popular and effective examples, and why you should consider using a WAF to protect your site or app from cybercriminals.

Does Your Web App Need a WAF?

Sooner or later, every website, app, and API is targeted by malicious bots or their cybercriminal operators. If it’s online, it’ll be attacked. Vulnerabilities will be exploited, data will be stolen, web pages will be defaced, and malware will be injected. A web application firewall (WAF) works alongside other security measures to defeat bad actors and keep sites and apps safe. 

If you don’t use a WAF, you rely on the web app to repel attacks. That may work in the short term, but a WAF provides an additional layer of defense that can be dynamically updated to protect against emerging threats. WAFs are an effective and valuable defense against the most common attacks against web apps and APIs.

How Does a Web Application Firewall Work?

A WAF is a reverse proxy. It intercepts inbound HTTP requests and inspects them for patterns that indicate an attack. If an attack is detected, the request is dropped before it reaches the web app. Legitimate requests are passed through the WAF to the app, which responds as usual. 

You can think of a WAF as a filter. It absorbs all incoming web traffic and removes any that could be harmful, providing the app with a stream of pre-vetted, legitimate requests. 

One of the main advantages of a WAF is that it can be updated quickly in response to new threats. Consider what happens when a challenging zero-day vulnerability is discovered in a web app. It might not be possible to release a patch immediately, and even if it were, there is a delay between patch release and updating, especially for apps with many instances. 

WAF users can, however, quickly add new rules to filter inbound requests that could exploit the unpatched vulnerability. This ability allows businesses to keep web app users and their data safe with greater efficiency and flexibility. 

Does a WAF Replace a Network Layer Firewall?

WAFs complement network firewalls and provide additional protection but do not replace traditional network layer firewalls. A web application firewall works at the application layer, Layer 7 in the OSI model. It intercepts HTTP data but cannot monitor and filter data protocols used at lower levels. 

In contrast, firewalls such as iptables typically operate at the network and session layers (Layers 3 and 4). They work with low-level protocols such as TCP and UDP, but not higher-level protocols such as HTTP. 

Some modern firewalls cover a broader range. For example, AWS Network Firewall can monitor and control Layer 3–7 network traffic, combining the functionality of a network layer firewall and a WAF. However, users should verify the specific capabilities of each firewall before relying on it to protect their web applications. 

Threats Web Application Firewalls Prevent

Web application firewalls protect against many different types of attacks commonly used against web apps. These include attacks that traditional network firewalls cannot intercept, including:

  • Cross-site scripting (XSS): malicious code injection into web pages.
  • Cross-site forgery: an attack that forces an authenticated user to carry out unwanted actions.
  • SQL injection: the injection of SQL code, which is then executed by the site’s database.
  • Cookie poisoning: session hijacking using forged or intercepted cookies.

Many WAFs also provide some protection against distributed denial of service (DDoS) attacks. Because all traffic goes through the WAF first, it can be rate-limited and malicious floods of traffic can be filtered. However, a WAF is unlikely to protect a web app against a large-scale volumetric attack as effectively as a dedicated DDoS mitigation service

Additionally, some WAFs can be used to implement protections usually carried out at the network layer. Many WAFs allow users to upload lists of IP addresses to block. They can also be used to block traffic sources that are considered likely to cause issues. For example, AWS WAF curates a managed set of rules for blocking traffic from TOR and VPNs, and other WAFs offer similar functionality. 

What Are the Types of Web Application Firewall?

All web application firewalls serve the same fundamental role, but there are alternative hosting and operational models. These can be divided into three broad categories:

  • Network-based WAFs are usually hosted on dedicated hardware in data centers close to the application they protect. Network-based WAFs are often used to protect large, high-traffic applications where low-latency connectivity is a priority. They are the most expensive WAF type and the most complex to manage and maintain.
  • Host-based WAFs are integrated into the software they protect and may be hosted on the same hardware. For example, many WordPress plugins integrate a host-based web application firewall with the CMS. This approach has the benefit of flexibility and ease of use, but it can result in reduced performance if the host lacks the resources to run the WAF and the app at peak load times.
  • Cloud WAFs are managed services hosted on cloud platforms. They are the easiest to use and manage. The cloud provider manages the software and underlying hardware. They are also responsible for deploying rules and policies for filtering threats, including updates for emerging threats. Cloud WAFs provide a reasonable level of customization, performance, and uptime, but they may not be the best option for businesses that need more control over their firewall.

WAFs may also be categorized by whether they operate on a blocklist or allowlist model. A blocklist selectively disallows connections that match an undesirable pattern, whereas an allowlist permits connections that conform to a desirable pattern. 

There are advantages to both approaches. Blocklists allow security professionals to target known malicious connections. In contrast, allowlists can block all connections that do not match a desirable profile. Allowlists are effective and require less maintenance, but they may not be suitable for applications intended to be accessible to as many users as possible.

Popular Web Application Firewalls

There are dozens of WAFs to choose from. Although they offer similar core functionality, they differ in focus and features. To conclude this article, we’ll look at four widely used WAFs.


ModSecurity, or ModSec, is an open-source WAF initially developed as a module for the Apache web server. It subsequently evolved into a cross-platform WAF for Apache, Nginx, and Microsoft Internet Information Services (IIS). 

ModSecurity secures web apps using a set of rules to determine which connections to accept and which to block. These can be custom-made by the user, but there are many pre-made rule sets. One of the most widely used is the OWASP ModSecurity Core Rule Set, which detects the ten most widespread attacks, including SQL injection, cross-site scripting, and local file inclusion. 


AWS WAF is a managed cloud WAF provided by Amazon Web Services. It is easy to configure and deploy, and users pay only for the cloud compute resources they consume. Users can create their own firewall rules, but AWS also provides Managed Rules, pre-configured rule sets that cover a specific range of threats. Basic managed rules sets are free, and more specialized sets are made available on the AWS Marketplace, including an OWASP Top Ten set. 

In addition to standard WAF features, AWS WAF also provides bot control functionality, which allows users to monitor bot traffic and block or rate limit traffic from bots that use excessive traffic. 

Watch Introduction to AWS WAF and Shield and Protecting API Gateways with WAF Rules to learn more about AWS WAF. 

Azure Web Application Firewall

Azure Web Application Firewall is a cloud WAF offered by Microsoft’s Azure cloud platform. It provides much the same functionality as AWS WAF, including managed rulesets that protect against the OWASP Top Ten and other common threats. 

Cloudflare WAF

Cloudflare WAF is part of Cloudflare’s range of CDN and security services. It is a cloud WAF integrated with Cloudflare’s global network, providing managed and custom rules, protections based on machine learning, and rapid deployment of rules to protect from emerging zero-day vulnerability threats. 

Web Application Security and Compliance with KirkpatrickPrice

A web application firewall is one component of an effective security and compliance program. KirkpatrickPrice provides a range of services to help businesses secure their infrastructure and comply with regulatory frameworks and standards, including compliance audits, penetration testing, and remote access security testing.