What is a web application firewall (WAF)? (2024)

What is a WAF?

Web application firewalls (WAFs) are a critical security defense for websites, mobile applications, and APIs. They monitor, filter, and block data packets to and from web applications, protecting them from threats. WAFs are designed (trained) to detect and protect against dangerous security flaws that are most common within web traffic. This makes them essential for online businesses like retailers, banks, healthcare, and social media, which need to protect sensitive data from unauthorised access. WAFs can be deployed as network-based, host-based, or cloud-based solutions, providing visibility into application data at the HTTP application layer.

Since web and mobile applications and APIs are prone to security risks that can disrupt operations or exhaust resources, web application firewalls are designed to counter common web exploits like malicious bots. WAFs safeguard against threats that compromise availability, security, or resources including zero-day exploits, bots, and malware.

How does a WAF work?

A WAF works by inspecting HTTP requests and applying predefined rules to identify malicious traffic. It can be software, an appliance, or a service. The WAF analyses the following key parts of HTTP conversations:

  • GET requests: These requests retrieve data from the server.
  • POST requests: These requests send data to the server to change its state.
  • PUT requests: These requests send data to the server to update or create.
  • DELETE requests: These are requests to delete data.

The WAF also analyses the headers, query strings, and body of HTTP requests for malicious patterns. If the WAF finds a match, it will block the request and send an alert to the security team.

Why is WAF security important?

WAFs are crucial for the security of online businesses. They protect sensitive data, prevent leaks, prevent malicious code from being injected into the server, and meet compliance requirements like Payment Card Industry Data Security Standard (PCI DSS). As organisations increasingly use more web apps and IoT devices, attackers try to target their vulnerabilities. Integrating a WAF with other security tools like Cisco Duo 2FA and Cisco malware protection creates a robust defense strategy.

How does WAF contribute to web app security?

Many applications today are created using a combination of home-grown, third-party, and open-source code. WAFs add an extra layer of security to inadequately built or legacy applications and help to enhance secure design practices by blocking common attack vectors and preventing malicious traffic from reaching the application. Below is a list of significant advantages specific to WAFs.

  • WAFs can block malicious traffic before it reaches a web application, preventing data breaches and other attacks.
  • WAFs can help to protect sensitive data, such as credit card numbers and customer Personally Identifiable Information (PII), from unauthorised access.
  • WAFs can help to meet compliance requirements, such as PCI DSS, by blocking traffic that violates those requirements.
  • WAFs can work in conjunction with other security tools, such as an intrusion detection system (IDS), intrusion prevention system (IPS), and firewalls, to create a layered defense that is more effective at preventing attacks.

What is the difference between WAF and other tools?

While network firewalls handle lower layers, WAF focuses on higher layers where web apps are more vulnerable. WAF is vital for robust application security.

What is the difference between WAF and a network firewall?

While network firewalls handle lower layers, WAF focuses on higher layers where web apps are more vulnerable. WAF is vital for robust application security.

Do web applications need a firewall?

By positioning WAF in front of web apps, it safeguards them collectively. Its effectiveness against attacks such as cross-site scripting and injection attacks is a significant feature.

How does the HTTP protocol relate to WAF?

WAF intervenes to scrutinise legitimate requests, thwarting attacks like injection, cross-site scripting, HTTP Flood, and Slowloris, ensuring safer web interactions.

What are the differences between WAF, IPS, and NGFW?

Here are the basic differences between a WAF, an IPS, and a next-generation firewall (NGFW). While an IPS is signature-based and broad in focus, operating at Layers 3 and 4, a WAF operates at the application layer (Layer 7). A WAF protects web applications by analysing each HTTP request, and traditional WAFs ensure allowed actions based on security policies. NGFWs are advanced firewalls with integrated IPS and application-layer capabilities.

How does a WAF protect against vulnerabilities?

A WAF protects against a list of top vulnerabilities, including various forms of bots. Adversaries employ malicious bots to target applications and data, including account takeover, data scraping, and denial-of-service attacks. With increasing API usage, bot attacks on APIs are also growing and conventional mitigation often fails against advanced bot tactics. Combating these threats necessitates a combined cybersecurity approach that integrates WAF along with device fingerprinting, behavioral analysis, bot intelligence, and dedicated API protection. An effective WAF should include bot detection systems that include deep-learning abilities to recognise evolving bots that adapt to evade basic security systems. It's crucial to counteract bad bots with your WAF protection solution.

Below are some of the top WAF vulnerabilities and corresponding defense tactics provided by Cisco advanced WAF and bot protection technology.

Attack categoryExplanation of attack / riskWAF protection technology
Broken user authentication

Weak authentication mechanisms allow unauthorised access. Attackers can exploit this vulnerability to bypass login screens and compromise user accounts.

Examples include unauthorised access to APIs, IP, token, role, and customer-based attacks.

  • Token protection
Excessive data exposure

When sensitive information is improperly stored, transmitted, or disclosed, it becomes vulnerable. Attackers can access confidential data, leading to privacy breaches.

Examples include environment fingerprinting, 5XX internal server errors, and HTTP response headers.

  • Data masking
  • Replace 500 messages
Security misconfigurations

Improperly configured settings, permissions, or defaults create security gaps. Attackers can exploit these gaps to gain unauthorised access or control.

Examples include incomplete or ad-hoc configurations, misconfigured HTTP headers, unnecessary HTTP methods.

  • Data masking
  • Replace 500 messages
  • Autolearning
Broken access control

Broken access control permits unauthorised users to access restricted resources. Attackers exploit this vulnerability to gain unauthorised privileges.

Examples include unauthorised access to APIs, IP, token, role, customer-based attacks, and access to restricted APIs.

  • API catalog validation IP and GEO policies
Injection / cross-site scripting (XSS)

Injection attacks exploit vulnerable inputs. Attackers insert malicious code into systems, gaining unauthorised access or manipulating data by executing unintended commands. XSS vulnerabilities allow attackers to inject malicious scripts into web applications. These scripts execute in users' browsers, compromising their data or sessions.

Examples include SQL injections, XSS, command injection, and directory traversal.

  • Positive security model
  • Negative security model
  • API catalog validation

Do WAFs safeguard against known and emerging threats?

WAFs are constantly updated with new rules and signatures to safeguard against both known and emerging security threats through a variety of techniques to detect and block malicious traffic, including:

  • Signature-based detection: This technique uses predefined rules to identify malicious traffic that matches known attack patterns.
  • Anomaly based detection: This technique identifies malicious traffic that does not conform to normal behavior patterns.
  • Machine learning: This technique uses artificial intelligence to identify malicious traffic that is not yet known.

How do WAFs help prevent OWASP top vulnerabilities?

WAFs can help prevent Open Worldwide Application Security Project (OWASP) top vulnerabilities such as SQL injection and cross-site scripting (XSS) by blocking malicious traffic that attempts to exploit these vulnerabilities. For example, a WAF can block SQL injection attacks by filtering out requests that contain malicious SQL code. And a WAF can block XSS attacks by filtering out requests that contain malicious JavaScript code.

What are the different types of WAF deployment with examples?

Here are several WAF deployment options that integrate WAFs into organisational cybersecurity infrastructure in the cloud.


This is a newer deployment option, where the WAF service is hosted in the cloud and delivered as a subscription.

Cloud-based AWS

Optimal for organisations with limited in-house security resources. Enjoy hassle-free deployment, with a third-party managing WAF security on AWS, allowing you to focus on core activities.

Read the Secure Cloud for AWS Design Guide (PDF)

Cloud-based Azure

A bundled cloud security solution. Quickly deploy security policies in a cost-effective manner, enjoying the benefits of WAF protection without complexities.

Get the Secure Cloud for Azure Design Guide (PDF)

Cloud-based Kubernetes WAF

Scalable application security for continuous integration and continuous delivery/continuous deployment (CI/CD) environments is orchestrated by Kubernetes.


This is the traditional deployment option, where the WAF virtual or hardware appliance is installed on site at the organisation's data centre. Suitable for organisations requiring flexibility, high performance, and advanced security.


This is a combination of the on-premises and cloud-based deployment options, where the WAF appliance is installed on site and the cloud-based service is used to supplement it.

What is a web application firewall (WAF)? (2024)


What is a WAF Web Application Firewall explained? ›

A web application firewall (WAF) protects web applications from a variety of application layer attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others. Attacks to apps are the leading cause of breaches—they are the gateway to your valuable data.

What is Web application firewall standard vs WAF? ›

A WAF protects web applications by targeting Hypertext Transfer Protocol (HTTP) traffic. This differs from a standard firewall, which provides a barrier between external and internal network traffic. A WAF sits between external users and web applications to analyze all HTTP communication.

What are the key features of WAF? ›

WAFs can protect web apps from malicious or compromised endpoints and function as reverse proxies (as opposed to a proxy server, which protects users from malicious websites). WAFs ensure security by intercepting and examining every HTTP request.

What does Web Application Firewall WAF provide protection from Azure? ›

Azure Web Application Firewall is a cloud-native service that protects web apps from common web-hacking techniques such as SQL injection and security vulnerabilities such as cross-site scripting.

What does a WAF not protect against? ›

WAFs may not safeguard against network-layer attacks, such as port scanning, IP spoofing, or SYN flood attacks, which require network firewalls or intrusion prevention systems.

What is the difference between a secure web gateway and a WAF? ›

Secure web gateways (SWGs) primarily work at the application level. They protect against advanced internet-based attacks and detecting malicious intent by inspecting actual traffic. WAFs also inspect traffic, but at the packet level, using deep packet inspection rules to identify safe applications.

When should a WAF be used? ›

It sits between a web application, network, and the internet, monitoring, filtering, and blocking potentially malicious traffic based on predefined security rules. WAF use cases include protecting websites from zero-day exploits, malware, OWASP Top 10 vulnerabilities, and impersonation.

What are the different types of WAF? ›

The web application firewall (WAF) marketplace is diverse, with various deployment options based on an organization's application and security requirements. There are three primary types of WAFs: a cloud-based WAF, software-based WAF, and hardware-based WAF. Each type of WAF has its own advantages and disadvantages.

How do I know if a website has WAF? ›

To verify a website:
  1. Identify one frontend IP that points to the WAF. ...
  2. Open your /etc/hosts file in a text editor. ...
  3. Add a line to the bottom of the /etc/hosts file with the WAF's frontend IP (from step 1 above) and the domain name of the website you wish to test.

What are the benefits of a WAF? ›

Five benefits of using a WAF for WordPress sites
  • Protection against SQL injection, XSS, and other attacks. ...
  • Mitigation of zero-day exploits. ...
  • Custom IP address rules. ...
  • Downtime prevention. ...
  • Compliance with data protection regulations.
May 10, 2024

What are the objectives of WAF? ›

The World Economic Forum engages political, business, academic, civil society and other leaders of society to shape global, regional and industry agendas. It is independent, impartial, not tied to any special interests and upholds the highest standards of governance and moral and intellectual integrity.

Which three are typical responses from WAF? ›

Typical responses from WAF will either be allowing the request to pass through, audit logging the request, or blocking the request by responding with an error page.

What is the use case of WAF? ›

True to its name, one of the main use cases for WAF is to protect applications that communicate over HTTP, such as websites, serverless functions, and API endpoints.

What are the two modes that a WAF policy can use? ›

The Application Gateway WAF can be configured to run in the following two modes:
  • Detection mode: Monitors and logs all threat alerts. You turn on logging diagnostics for Application Gateway in the Diagnostics section. ...
  • Prevention mode: Blocks intrusions and attacks that the rules detect.
Jan 26, 2024

What is the difference between a web application gateway and a WAF? ›

A web gateway secures internet access by filtering unwanted software, while a web application firewall (WAF) protects web applications from attacks by filtering and monitoring HTTP traffic.

What are the different types of web application firewalls? ›

The web application firewall (WAF) marketplace is diverse, with various deployment options based on an organization's application and security requirements. There are three primary types of WAFs: a cloud-based WAF, software-based WAF, and hardware-based WAF. Each type of WAF has its own advantages and disadvantages.

How does WAF protect against DDoS? ›

Since the WAF looks for attacks leveraged against the underlying application functionality, it can detect not only common attacks such as SQL injection (SQLi) and cross-site scripting (XSS or CSS), but can also detect other modified or custom constructed queries and inputs targeted at an application attempting to trick ...

What is the difference between API and WAF? ›

WAFs can deliver the following additional features that API gateways generally don't include: Known attack detection: This WAF module is designed to recognize common attract strategies and shut down access to components of the web-facing service should unauthorized attempts be detected.

Top Articles
Latest Posts
Article information

Author: Manual Maggio

Last Updated:

Views: 6134

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Manual Maggio

Birthday: 1998-01-20

Address: 359 Kelvin Stream, Lake Eldonview, MT 33517-1242

Phone: +577037762465

Job: Product Hospitality Supervisor

Hobby: Gardening, Web surfing, Video gaming, Amateur radio, Flag Football, Reading, Table tennis

Introduction: My name is Manual Maggio, I am a thankful, tender, adventurous, delightful, fantastic, proud, graceful person who loves writing and wants to share my knowledge and understanding with you.