WAF (Web Application Firewall) - Definition & Explanation

A Web Application Firewall (WAF) sits in front of a web application and filters incoming HTTP/HTTPS requests. Unlike a network firewall, which only checks IP addresses and ports, a WAF analyzes the entire content of web requests—URLs, query parameters, HTTP headers, and request bodies—for attack patterns.

WAF vs. Network Firewall

Feature	Network Firewall	WAF
OSI Layer	Layers 3–4	Layer 7
Analyzes	IP, port, protocol	HTTP content, payload
Detects	Port scans, IP blacklists	SQL injection, XSS, CSRF
Performance Impact	Minimal	Noticeable (inspection overhead)
Placement	Network perimeter	Directly in front of app/API

Important: A WAF does not replace a network firewall—it complements it.

What a WAF detects (and blocks)

OWASP Top 10 Protection

SQL Injection - ' OR '1'='1 in input fields
Cross-Site Scripting (XSS) - <script>alert('xss')</script> in URLs
CSRF - Token validation
Path Traversal - ../../etc/passwd in path parameters
Server-Side Request Forgery (SSRF) - Internal network access
Security Misconfiguration - Known admin endpoints

Layer 7 DDoS Protection

Rate Limiting: Max. X requests/second per IP
Bot Detection: User-Agent analysis, JavaScript challenge, CAPTCHA
Protection against Application Layer DDoS (e.g., HTTP floods)

API Security

Modern WAFs (WAAP - Web Application and API Protection) also protect REST/GraphQL APIs:

Schema validation: Accept only expected JSON structures
Rate limiting per API endpoint and API key
Detection of scraping and data exfiltration

WAF operating modes

Detection Mode (Learning/Monitoring Mode)

WAF logs rule violations but does not block them. Useful for:

Initial deployment (checking false positive rate)
Learning the baseline (ML-based WAFs)

Prevention Mode (Blocking Mode)

Attacks are blocked in real time. Standard in production.

Hybrid

Certain rule sets in Block Mode; new rules first in Detection Mode.

WAF Types

Cloud WAF (CDN-integrated)

AWS WAF (CloudFront/ALB)
Azure Front Door WAF
Cloudflare WAF
Fastly Next-Gen WAF (formerly Signal Sciences)

Advantages: Easy setup, global scrubbing, no need for dedicated hardware. Disadvantages: Data flows through third-party providers, less configurability.

Software WAF (self-hosted)

ModSecurity (Open Source, nginx/Apache)
NAXSI (nginx, blocklist-based)
Shadow Daemon (PHP-focused)

With OWASP ModSecurity Core Rule Set (CRS)—a free rule set covering the OWASP Top 10.

# ModSecurity in nginx (minimal configuration)
load_module modules/ngx_http_modsecurity_module.so;
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

Hardware WAF (Appliance)

Barracuda Web Application Firewall
F5 BIG-IP ASM
Imperva (Incapsula)

For high-security environments with data residency compliance requirements.

Limitations of WAF

A WAF is not a panacea:

No protection against:

Logic vulnerabilities (Insecure Direct Object Reference, Business Logic Bugs)
Authentication errors (weak passwords, lack of MFA)
Supply chain attacks (compromised libraries)
Insider threats (legitimate users stealing data)
Vulnerabilities triggered by "normal" traffic

False positives: A poorly configured WAF can block legitimate users—e.g., CMS administrators entering HTML code.

WAF and Penetration Testing

A penetration test on a WAF-protected application includes:

WAF Detection: Identification of the WAF type via fingerprinting
Bypass Techniques: URL encoding, case sensitivity, character set tricks, chunked encoding
Out-of-Band Attacks: DNS-based exfiltration that bypasses WAF rules
Backend Access: Direct access to the origin server (WAF bypassed)

A WAF significantly raises the barrier to attack—but is no substitute for secure coding.

Compliance

PCI DSS 6.4: WAF as an explicit requirement for all systems processing cardholder data—or code review + vulnerability remediation as an alternative.

ISO 27001 A.8.22: Network segregation, protection of web services.

BSI IT-Grundschutz APP.3.2: Web server security, WAF as a recommended measure.