WAF: Web Application Firewall
The first line of defence against automated attacks, injections and malicious traffic
A Web Application Firewall (WAF) is a protection layer that sits between users on the internet and your web application. It analyses HTTP/HTTPS traffic in real time and blocks requests that match known attack patterns: SQL injection, cross-site scripting (XSS), malicious bots and distributed denial-of-service (DDoS) attacks.
Unlike a traditional network firewall that operates at layers 3-4 of the OSI model, a WAF operates at layer 7 (application), allowing it to inspect the content of HTTP requests and make decisions based on application logic, not just ports and IPs.
How does a WAF work?
A WAF analyses each incoming HTTP request by comparing it against a set of rules. These rules can be predefined (based on known attack signatures), custom (written by your team for your specific application) or vendor-managed with automatic updates.
Modern WAFs combine signature-based detection with behavioural analysis and machine learning. This allows them to identify not only known attacks but also anomalous patterns that could indicate a zero-day attack or automated abuse.
- Positive model (allowlist): only permits traffic that matches patterns known to be legitimate
- Negative model (denylist): blocks traffic that matches known attack signatures
- Hybrid model: combines both approaches to balance security and availability
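The three models make different decisions on the same request. The following is an added example, not code from the original page or from any WAF vendor: a toy request evaluator in Python with a handful of constructed attack signatures (the denylist) and per-endpoint input schemas (the allowlist). The hybrid policy it implements is an assumption for illustration: endpoints with a schema are checked against both the schema and the signatures, while unknown endpoints fall back to signatures only, so new paths are not rejected outright. Inputs are URL-decoded before matching, because a signature that only sees the encoded form is trivially bypassed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed attack signatures (negative model). A real WAF ships thousands
# of far more careful rules (e.g. the OWASP Core Rule Set); these are toys.
DENYLIST_SIGNATURES = {
    "sqli-union": re.compile(r"(?i)\bunion\b.*\bselect\b"),
    "sqli-tautology": re.compile(r"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+"),
    "xss-script-tag": re.compile(r"(?i)<\s*script\b"),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed allowlist (positive model): the expected shape of each
# parameter on each known endpoint.
ALLOWLIST_SCHEMAS = {
    "/products": {"id": re.compile(r"^\d{1,8}$")},
    "/search": {"q": re.compile(r"^[\w\s\-]{1,64}$")},
}


@dataclass
class Request:
    method: str
    path: str
    query: dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Decision:
    action: str  # "allow" or "block"
    reasons: list[str] = field(default_factory=list)


def _surfaces(req: Request) -> list[str]:
    """Every attacker-controlled string, URL-decoded so encoding does not hide it."""
    return [unquote_plus(req.path), unquote_plus(req.body)] + [
        unquote_plus(v) for v in req.query.values()
    ]


def negative_model(req: Request) -> list[str]:
    """Denylist: names of the attack signatures the request matches."""
    surfaces = _surfaces(req)
    return [
        f"denylist:{name}"
        for name, pattern in DENYLIST_SIGNATURES.items()
        if any(pattern.search(s) for s in surfaces)
    ]


def positive_model(req: Request) -> list[str]:
    """Allowlist: violations of the endpoint's expected input shape."""
    schema = ALLOWLIST_SCHEMAS.get(req.path)
    if schema is None:
        # A pure positive model rejects anything it has no description for.
        return [f"allowlist:unknown-path:{req.path}"]
    reasons = []
    for key, value in req.query.items():
        if key not in schema:
            reasons.append(f"allowlist:unexpected-param:{key}")
        elif not schema[key].fullmatch(unquote_plus(value)):
            reasons.append(f"allowlist:bad-format:{key}")
    return reasons


def evaluate(req: Request, model: str = "hybrid") -> Decision:
    """Return allow/block for the request under the chosen rule model."""
    if model == "negative":
        reasons = negative_model(req)
    elif model == "positive":
        reasons = positive_model(req)
    elif model == "hybrid":
        # Assumed hybrid policy: strict schema plus signatures on known
        # endpoints, signatures only on unknown ones (availability first).
        reasons = negative_model(req)
        if req.path in ALLOWLIST_SCHEMAS:
            reasons = positive_model(req) + reasons
    else:
        raise ValueError(f"unknown model: {model}")
    return Decision("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    for r in (
        Request("GET", "/products", {"id": "42"}),
        Request("GET", "/products", {"id": "42 OR 1=1"}),
        Request("GET", "/blog/2024"),
        Request("GET", "/blog/2024", {"page": "..%2F..%2Fetc%2Fpasswd"}),
    ):
        for m in ("negative", "positive", "hybrid"):
            print(f"{m:8} {r.path:10} {r.query} -> {evaluate(r, m)}")
```

The request for an unknown path (/blog/2024) shows the trade-off the three bullets describe: the positive model blocks it because nothing describes it, the negative model allows it because it matches no signature, and the hybrid model allows it while still catching the traversal attempt in its query string.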
WAF types: cloud, appliance and host-based
There are three main categories of WAF, each with different deployment models, costs and operational complexity.
- Cloud WAF (SaaS): deployed as a reverse proxy with no changes to your infrastructure. Cloudflare, AWS WAF, Akamai and Sucuri are the main players. The easiest to implement and scale.
- Appliance WAF (hardware/virtual): installed in your data centre as a physical or virtual device. Greater control but higher cost and complexity. F5, Fortinet and Barracuda are leading vendors.
- Host-based WAF: a module integrated into the web server (ModSecurity for Apache/Nginx). No licensing cost but requires expertise to configure and maintain rules.
Key providers
The choice of provider depends on your current infrastructure, budget and the level of customisation required. For most websites, a cloud WAF offers the best balance of protection, ease of use and cost.
- Cloudflare: free plan with basic protection, pro plans with managed WAF rules. Suitable for sites of any size. Integrated CDN.
- AWS WAF: integrated with the AWS ecosystem (ALB, CloudFront, API Gateway). Customisable rules and a managed rules marketplace. Per-request billing.
- Akamai: leader for large enterprises with massive traffic. Kona Site Defender offers enterprise-grade WAF and DDoS protection.
- Sucuri: specialised in WordPress and CMS. Includes WAF, CDN, malware cleanup and monitoring.
DDoS protection
DDoS (Distributed Denial of Service) attacks attempt to overwhelm your server with massive traffic until it becomes unreachable. A cloud WAF absorbs this traffic across its distributed network of servers before it reaches your origin, keeping your site available for legitimate users.
Cloudflare mitigates DDoS attacks of up to several Tbps thanks to its global network of over 300 data centres. AWS Shield (included with AWS WAF) protects against volumetric attacks at the infrastructure layer. For advanced protection, AWS Shield Advanced offers managed 24/7 response.
Configuration and rule management
A poorly configured WAF can be as harmful as having no WAF: too permissive and it fails to protect; too restrictive and it blocks legitimate users. The key is to start in observation mode (log only) before switching to blocking mode.
Deploy the WAF initially in detection mode to analyse your application’s normal traffic. Identify false positives and adjust rules before enabling blocking. Review logs regularly and update rules when your application’s functionality changes.
- Start in detection mode (log only) for at least two weeks
- Adjust rules to eliminate false positives before enabling blocking
- Use vendor-managed rulesets as a baseline and add custom rules as needed
- Create exceptions (bypasses) for internal endpoints, APIs or webhooks that generate false positives
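The four steps above amount to a small review loop over the detection-mode logs: tally which rules fired, on which paths and from how many clients, flag rules whose hits concentrate on internal endpoints or webhooks as false-positive suspects, and promote the rest to blocking with path exceptions where needed. The following is an added example, not code from the original page or from any vendor; the log format, the rule names, the client addresses (from the documentation ranges) and the internal path prefixes are all constructed for illustration, and the 80% "mostly internal" threshold is an assumed tuning value.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed excerpt of a detection-mode (log-only) WAF log. The format is
# invented for this example; real vendors use JSON or their own layout.
DETECTION_LOG = """
2024-05-01T10:00:01Z rule=sqli-union client=203.0.113.5 path=/search status=200
2024-05-01T10:00:07Z rule=sqli-union client=203.0.113.5 path=/products status=200
2024-05-01T10:03:12Z rule=sqli-union client=198.51.100.22 path=/search status=200
2024-05-01T10:04:40Z rule=xss-script-tag client=198.51.100.7 path=/api/webhooks/cms status=200
2024-05-01T10:09:40Z rule=xss-script-tag client=198.51.100.7 path=/api/webhooks/cms status=200
2024-05-01T10:14:40Z rule=xss-script-tag client=198.51.100.7 path=/api/webhooks/cms status=200
2024-05-01T10:19:40Z rule=xss-script-tag client=198.51.100.7 path=/api/webhooks/cms status=200
2024-05-01T10:21:03Z rule=xss-script-tag client=203.0.113.9 path=/comments status=200
2024-05-01T10:30:55Z rule=path-traversal client=203.0.113.5 path=/static/../../etc/passwd status=404
2024-05-01T10:31:02Z rule=path-traversal client=192.0.2.44 path=/static/../../etc/passwd status=404
not a log line
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule=(?P<rule>\S+) client=(?P<client>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# Assumed: paths under these prefixes are internal integrations or webhooks
# whose legitimate payloads (e.g. HTML from a CMS) tend to trip generic rules.
INTERNAL_PREFIXES = ("/api/webhooks/", "/internal/")


def parse(lines: list[str]) -> list[dict[str, str]]:
    """Parse log lines into events, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarise(events: list[dict[str, str]]) -> dict[str, dict]:
    """Per rule: hit count, distinct clients and a Counter of paths hit."""
    stats: dict[str, dict] = {}
    for e in events:
        s = stats.setdefault(e["rule"], {"hits": 0, "clients": set(), "paths": Counter()})
        s["hits"] += 1
        s["clients"].add(e["client"])
        s["paths"][e["path"]] += 1
    return stats


def exception_candidates(stats: dict[str, dict], share: float = 0.8) -> dict[str, list[str]]:
    """Rules whose hits land mostly on internal paths are false-positive suspects.

    Returns rule -> sorted internal paths to consider as bypasses.
    """
    out: dict[str, list[str]] = {}
    for rule, s in stats.items():
        internal = sum(n for p, n in s["paths"].items() if p.startswith(INTERNAL_PREFIXES))
        if s["hits"] and internal / s["hits"] >= share:
            out[rule] = sorted(p for p in s["paths"] if p.startswith(INTERNAL_PREFIXES))
    return out


def blocking_plan(stats: dict[str, dict], exceptions: dict[str, list[str]]) -> dict[str, dict]:
    """Promote every rule seen in detection mode to block, carrying its path exceptions."""
    return {
        rule: {"action": "block", "skip_paths": exceptions.get(rule, [])}
        for rule in sorted(stats)
    }


if __name__ == "__main__":
    stats = summarise(parse(DETECTION_LOG))
    for rule, s in stats.items():
        print(f"{rule:16} hits={s['hits']} clients={len(s['clients'])} paths={dict(s['paths'])}")
    exc = exception_candidates(stats)
    print("exception candidates:", exc)
    print("blocking plan:", blocking_plan(stats, exc))
```

Here the XSS rule fires four times on the CMS webhook from a single integration client and once on a public comments form; the review keeps the rule in blocking mode but adds the webhook path as a bypass, while the SQL injection and traversal rules, hit from several unrelated clients on public paths, are promoted to blocking unchanged.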
WAF within the security strategy
A WAF is a defence layer, not the complete solution. It protects against application-layer attacks but does not replace secure development practices, code-level input validation, security headers or software updates.
Defence in depth combines a WAF with network firewalls, IDS/IPS, server hardening, active monitoring and regular penetration testing. Each layer covers vulnerabilities that others might miss.
Key Takeaways
- A WAF operates at layer 7 (application) and inspects HTTP content, not just IPs and ports
- Cloud WAFs (Cloudflare, AWS WAF) are the most practical option for most sites
- Always start in detection mode to identify false positives before blocking
- Integrated DDoS protection in cloud WAFs absorbs volumetric attacks without affecting the origin
- A WAF complements but does not replace secure development and other defence layers
Need to protect your site with a WAF?
We evaluate your infrastructure, implement the most suitable WAF and configure custom rules for your application.