WAF (Web Application Firewall): A Practical Guide

A Web Application Firewall (WAF) is a reverse proxy that inspects HTTP traffic at layer 7 and blocks attacks via signatures and rules: SQL injection, XSS, path traversal, RCE, credential stuffing, DDoS. Unlike L3/L4 firewalls, a WAF sees the full URL, headers, and body. Here is a pragmatic tour: self-hosted ModSecurity, Cloudflare, AWS WAF, the OWASP Core Rule Set, and when a WAF actually pays for itself.

What a WAF does

  • Blocks SQL injection, XSS, RCE via signatures
  • Defends against bots and scrapers (JS challenge, CAPTCHA)
  • Geo-blocking
  • L7 rate limiting
  • Virtual patching — close a known CVE before the fix ships
  • SIEM-friendly logging of suspicious traffic

WAF flavours

Self-hosted (ModSecurity, Coraza)

ModSecurity is the open-source WAF for Apache, nginx, and IIS. Coraza is the modern Go port for Envoy/Caddy. Pros: free, full control. Cons: operational cost, rule tuning, updates.

Cloud WAFs

  • Cloudflare WAF — managed + custom rules, $200/mo Business, deployed as reverse proxy
  • AWS WAF — integrates with CloudFront, API Gateway, ALB; pay per request
  • Google Cloud Armor — integrates with load balancer and Cloud Run
  • Imperva, F5, Akamai — enterprise

OWASP Core Rule Set (CRS)

The OWASP CRS is a rule set for ModSecurity/Coraza that covers the OWASP Top 10. Quick install:

# Debian/Ubuntu with nginx (the nginx connector module is needed as well)
apt install libmodsecurity3 modsecurity-crs
# Wire into nginx.conf: modsecurity_rules_file takes a single file, not a glob,
# so point it at one entry file (named main.conf here; any name works)
modsecurity on;
modsecurity_rules_file /etc/modsecurity/main.conf;
# Inside /etc/modsecurity/main.conf, let ModSecurity's Include (which does expand wildcards) pull in the CRS
Include /etc/modsecurity/crs-setup.conf
Include /etc/modsecurity/rules/*.conf

Paranoia Levels 1–4: start at 1 in production and raise incrementally.

A ModSecurity rule

SecRule ARGS "@rx (?i)(union|select|insert|drop|update|delete)\s" \
    "id:1001,phase:2,deny,status:403,msg:'SQL injection attempt',tag:'attack-sqli'"

SecRule REQUEST_URI "@rx (\.\./|%2e%2e%2f)" \
    "id:1002,phase:1,deny,status:403,msg:'Path traversal attempt'"

Cloudflare WAF example

Dashboard → Security → WAF → Managed Rules → enable OWASP Core Ruleset and Cloudflare Managed Ruleset. Custom rule for geo-block:

(ip.geoip.country eq "CN" or ip.geoip.country eq "RU") and http.request.uri.path contains "/admin"
=> Block

When a WAF pays off

  • Legacy apps with slow patching cadence
  • E-commerce, fintech, HR (PII — PCI DSS often mandates a WAF)
  • Public APIs exposed to scraping/abuse
  • Sites under sustained botnet or brute-force pressure

For a small WordPress site, Cloudflare Free + Fail2ban handles 80% of the noise.

False positives and tuning

The big risk with a WAF is blocking legitimate traffic. Typical false positives:

  • POST bodies containing suspicious characters (quotes, <)
  • Contact forms mentioning SQL keywords ("select", "drop")
  • Ajax with long query strings

Rollout: 1) enable in DetectionOnly, 2) analyse logs for 2–4 weeks, 3) add exceptions, 4) switch to Blocking.
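To make the two rules above and this rollout advice concrete, here is an added example (not code from the article or from ModSecurity) that evaluates those same SecRules against constructed requests. It shows the contact-form false positive the list describes, the parameter exclusion that fixes it (the stand-in for ctl:ruleRemoveTargetById), DetectionOnly versus Blocking, and why rule 1002 needs urlDecode/lowercase normalisation before it is trustworthy; the evaluate() function, the exclusions/transforms arguments and the sample requests are all this example's own assumptions.

```python
import re
from urllib.parse import unquote

# The article's two rules as written: target collection, regex, no transformations.
RULES = {
    1001: {"target": "ARGS", "msg": "SQL injection attempt",
           "rx": re.compile(r"(?i)(union|select|insert|drop|update|delete)\s")},
    1002: {"target": "REQUEST_URI", "msg": "Path traversal attempt",
           "rx": re.compile(r"(\.\./|%2e%2e%2f)")},
}
# Stand-ins for ModSecurity's t:urlDecode and t:lowercase transformations.
TRANSFORMS = {"urlDecode": unquote, "lowercase": str.lower}


def evaluate(uri, args, exclusions=None, transforms=None, detection_only=False):
    """Run every rule over one request; return (status, matches).
    args:           query/body parameters, i.e. the ARGS collection
    exclusions:     {rule_id: {param, ...}} skipped for that rule, like
                    ctl:ruleRemoveTargetById=1001;ARGS:message
    transforms:     {rule_id: [name, ...]} applied before matching, like t:urlDecode
    detection_only: record matches but never block (SecRuleEngine DetectionOnly)"""
    exclusions, transforms = exclusions or {}, transforms or {}
    matches = []
    for rule_id, rule in RULES.items():
        if rule["target"] == "ARGS":
            skip = exclusions.get(rule_id, set())
            targets = {k: v for k, v in args.items() if k not in skip}
        else:
            targets = {"REQUEST_URI": uri}
        for name, value in targets.items():
            for t in transforms.get(rule_id, []):
                value = TRANSFORMS[t](value)
            if rule["rx"].search(value):
                matches.append((rule_id, name, rule["msg"]))
    status = "200" if detection_only or not matches else "403"
    return status, matches


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    form = {"message": "Please select a drop-off time"}
    print(evaluate("/search", {"q": "1 UNION SELECT password FROM users"}))
    # Legitimate contact form tripping rule 1001, then the same request after
    # excluding ARGS:message from that rule (the "add exceptions" step above).
    print(evaluate("/contact", form))
    print(evaluate("/contact", form, exclusions={1001: {"message"}}))
    # Rule 1002 as written only sees lowercase %2e%2e%2f; it catches the
    # upper-case encoding only once urlDecode + lowercase normalisation is applied.
    print(evaluate("/files/%2E%2E%2Fetc/passwd", {}))
    print(evaluate("/files/%2E%2E%2Fetc/passwd", {}, transforms={1002: ["urlDecode", "lowercase"]}))
```

Run it in DetectionOnly first (detection_only=True) to see which parameters would have been blocked, then add exclusions only for the parameters the logs justify.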

WAF vs other defences

A WAF is a layer, not a replacement; it does not substitute for fixing the application itself.

WAFs are compensating controls. If the app is fundamentally broken, a WAF just makes attacks louder.

Monitoring

Track: block rate, top-10 triggered rules, false-positive rate, latency overhead (5–50 ms). Set alerts on a rising 403/503 rate.

FAQ

Does a WAF slow the site? Cloud WAF — 5–30 ms; self-hosted ModSecurity — 10–50 ms on complex rules. Invisible to users.

Protects against zero-days? Managed rule feeds often ship before your code patch — so partially, yes.

Do I need a WAF if I already have SSL/TLS? Yes. HTTPS defeats MITM; a WAF defeats attacks inside a valid TLS session.

WAF or IDS/IPS? IDS inspects L3/L4, WAF inspects L7. Web apps need WAFs.

Conclusion

A WAF is table stakes for e-commerce, fintech, and public APIs. Minimum starter kit: Cloudflare Free or ModSecurity + OWASP CRS. Watch false positives and latency. Related: rate limiting, XSS, the Security Scanner.
