Web Application Firewall (WAF)
A regular firewall checks where traffic is going (IP addresses and ports). A WAF goes deeper: it reads the actual content of web requests and blocks anything that looks like an attack. If someone tries to sneak malicious code into a login form or URL, the WAF catches it before it reaches your web application.
A Web Application Firewall (WAF) operates at Layer 7 (Application Layer) of the OSI model, inspecting HTTP/HTTPS request and response bodies, headers, query parameters, cookies, and URI paths. Unlike traditional firewalls that filter by IP and port, WAFs understand HTTP semantics and can detect application-level attacks.
WAFs protect against OWASP Top 10 vulnerabilities including:
- SQL injection (SQLi): malicious SQL in form inputs or query strings
- Cross-site scripting (XSS): injected JavaScript in user-supplied data
- Cross-site request forgery (CSRF): forged requests from authenticated sessions
- Local/Remote File Inclusion (LFI/RFI): path traversal in file parameters
- HTTP request smuggling: ambiguous Content-Length/Transfer-Encoding headers
Detection modes:
- Signature-based: pattern matching against known attack signatures (ModSecurity Core Rule Set)
- Anomaly-based: statistical baseline of normal traffic, flagging deviations
- Behavioral/ML-based: machine learning models trained on attack patterns
Deployment models:
- Reverse proxy (inline): WAF sits between clients and the origin server, terminating TLS and inspecting all traffic
- Cloud-based (CDN-integrated): Cloudflare, AWS WAF, Akamai process traffic at the edge before it reaches your infrastructure
- Agent-based: software module embedded in the web server (ModSecurity with Apache/Nginx)
AWS WAF rule (CloudFormation snippet)
SQLiRule:
  Type: AWS::WAFv2::RuleGroup
  Properties:
    Name: block-sqli
    Scope: REGIONAL
    # Capacity (web ACL capacity units) is required for a rule group; 100 is an illustrative budget.
    Capacity: 100
    Rules:
      - Name: detect-sqli
        Priority: 1
        Action:
          Block: {}          # use Count: {} instead for detect-only (log) mode while tuning
        Statement:
          SqliMatchStatement:
            FieldToMatch:
              Body: {}
            TextTransformations:
              - Priority: 0
                Type: URL_DECODE
              - Priority: 1
                Type: HTML_ENTITY_DECODE
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: sqli-blocked
    # A rule group also needs its own VisibilityConfig; the metric name here is illustrative.
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: block-sqli-group

WAFs are standard in any production web stack. Cloud WAFs like Cloudflare, AWS WAF, and Azure Front Door are the fastest to deploy since they operate at the CDN edge. On-premise deployments typically use ModSecurity with the OWASP Core Rule Set (CRS) in front of Nginx or Apache. The key challenge with WAFs is tuning: overly aggressive rules produce false positives that block legitimate users, while overly permissive rules miss attacks. Most teams start in "detect" (log-only) mode, analyze the false positive rate for a few weeks, then switch to "prevent" (block) mode. PCI-DSS requirement 6.6 specifically requires either a WAF or regular code review for public-facing web applications.
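To make the mechanics of the rule above concrete, here is an added example (not part of the original page and not AWS code) of a minimal signature-based inspector: it runs the URL_DECODE and HTML_ENTITY_DECODE transformations in priority order over a request body, matches a tiny constructed SQLi signature set, and honours a detect (log-only) versus prevent (block) mode switch. The sample bodies and signatures are constructed for illustration only.

```python
import html
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Text transformations in priority order, mirroring the URL_DECODE ->
# HTML_ENTITY_DECODE pipeline declared in the rule above.
TRANSFORMATIONS = [
    (0, "URL_DECODE", unquote_plus),
    (1, "HTML_ENTITY_DECODE", html.unescape),
]

# Tiny constructed signature set. A real rule set (e.g. the OWASP CRS) has
# thousands of patterns plus anomaly scoring; this shows only the mechanism.
SQLI_SIGNATURES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.IGNORECASE),  # tautology: ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.IGNORECASE),
]

@dataclass
class Verdict:
    matched: bool
    rule: Optional[str]
    normalized: str
    action: str  # ALLOW, LOG (detect mode) or BLOCK (prevent mode)

def normalize(body: str) -> str:
    """Apply every transformation, lowest priority first."""
    for _prio, _name, fn in sorted(TRANSFORMATIONS, key=lambda t: t[0]):
        body = fn(body)
    return body

def inspect_body(body: str, mode: str = "detect", transform: bool = True) -> Verdict:
    """Inspect a request body. mode='detect' only logs a hit; mode='prevent' blocks it."""
    text = normalize(body) if transform else body
    for sig in SQLI_SIGNATURES:
        if sig.search(text):
            return Verdict(True, sig.pattern, text, "BLOCK" if mode == "prevent" else "LOG")
    return Verdict(False, None, text, "ALLOW")

# Constructed form-encoded login bodies: a legitimate one (an apostrophe in a
# password is not an attack), a plain one, a URL-encoded one, and one whose
# quotes are URL-encoded HTML entities that only surface after both decodes.
SAMPLES = {
    "benign": "user=alice&pass=Summer%2724",
    "plain": "user=admin'+OR+'1'='1&pass=x",
    "url_encoded": "user=admin%27%20OR%20%271%27%3D%271&pass=x",
    "entity_in_url": "user=admin%26%2339%3B%20OR%20%26%2339%3B1%26%2339%3B%3D%26%2339%3B1&pass=x",
}
```

Running `inspect_body` on the encoded samples with `transform=False` shows why the transformations matter: without them the signatures never see the decoded quote characters and the request is allowed through.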