WAF (Web Application Firewall): A Practical Guide
A Web Application Firewall (WAF) is a reverse proxy that inspects HTTP traffic at layer 7 and blocks attacks via signatures and rules: SQL injection, XSS, path traversal, RCE, credential stuffing, DDoS. Unlike L3/L4 firewalls, a WAF sees the full URL, headers, and body. Here is a pragmatic tour: self-hosted ModSecurity, Cloudflare, AWS WAF, the OWASP Core Rule Set, and when a WAF actually pays for itself.
What a WAF does
- Blocks SQL injection, XSS, RCE via signatures
- Defends against bots and scrapers (JS challenge, CAPTCHA)
- Geo-blocking
- L7 rate limiting
- Virtual patching — close a known CVE before the fix ships
- SIEM-friendly logging of suspicious traffic
WAF flavours
Self-hosted (ModSecurity, Coraza)
ModSecurity is the open-source WAF for Apache, nginx, and IIS. Coraza is the modern Go port for Envoy/Caddy. Pros: free, full control. Cons: operational cost, rule tuning, updates.
Cloud WAFs
- Cloudflare WAF — managed + custom rules, $200/mo Business, deployed as reverse proxy
- AWS WAF — integrates with CloudFront, API Gateway, ALB; pay per request
- Google Cloud Armor — integrates with Load Balancer and Cloud Run
- Imperva, F5, Akamai — enterprise
OWASP Core Rule Set (CRS)
The OWASP CRS is a rule set for ModSecurity/Coraza that covers the OWASP Top 10. Quick install:
# Debian/Ubuntu with nginx (the library and rules; the ModSecurity-nginx connector module must also match your nginx build)
apt install libmodsecurity3 modsecurity-crs
# nginx.conf (http or server context): point at a single entry file
modsecurity on;
modsecurity_rules_file /etc/modsecurity/main.conf;
# /etc/modsecurity/main.conf (any file name works): nginx does not expand
# globs in the directive above, so chain the files with ModSecurity's own Include.
# modsecurity.conf is the base config shipped as modsecurity.conf-recommended;
# it sets SecRuleEngine DetectionOnly, switch it to On after tuning.
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs-setup.conf
Include /etc/modsecurity/rules/*.conf
Paranoia Levels 1–4: each level enables stricter rules and produces more false positives. Start at 1 in production and raise incrementally, retuning after each step.
A ModSecurity rule
# ARGS covers query-string and body parameters, so the body must already be
# parsed: phase:2. Case-insensitive, keyword followed by whitespace.
SecRule ARGS "@rx (?i)(union|select|insert|drop|update|delete)\s" \
"id:1001,phase:2,deny,status:403,msg:'SQL injection attempt',tag:'attack-sqli'"
# REQUEST_URI is the raw, undecoded URI, hence the literal %2e%2e%2f form;
# (?i) also catches the upper-case %2E%2E%2F encoding. phase:1 runs before the body is read.
SecRule REQUEST_URI "@rx (?i)(\.\./|%2e%2e%2f)" \
"id:1002,phase:1,deny,status:403,msg:'Path traversal attempt'"
Cloudflare WAF example
Dashboard → Security → WAF → Managed Rules → enable OWASP Core Ruleset and Cloudflare Managed Ruleset. Custom rule for geo-block:
(ip.geoip.country eq "CN" or ip.geoip.country eq "RU") and http.request.uri.path contains "/admin"
=> Block
When a WAF pays off
- Legacy apps with slow patching cadence
- E-commerce, fintech, HR (PII — PCI DSS often mandates a WAF)
- Public APIs exposed to scraping/abuse
- Sites under sustained botnet or brute-force pressure
For a small WordPress site, Cloudflare Free + Fail2ban handles 80% of the noise.
False positives and tuning
The big risk with a WAF is blocking legitimate traffic. Typical false positives:
- POST bodies containing suspicious characters (quotes, <)
- Contact forms mentioning SQL keywords ("select", "drop")
- Ajax with long query strings
Rollout: 1) enable in DetectionOnly, 2) analyse logs for 2–4 weeks, 3) add exceptions, 4) switch to Blocking.
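The two rules above and the DetectionOnly-to-Blocking rollout, as an added Python example (not ModSecurity code and not from the original page): a toy rule engine evaluates the page's two expressions in their phases (case-insensitive on both) against constructed requests, records matches without blocking while in DetectionOnly mode, applies a per-path argument exclusion once the log review shows a contact form tripping rule 1001 (the SecLang counterpart would be ctl:ruleRemoveTargetById), and then blocks. The sample requests, the Engine class and the (path_prefix, rule_id, arg_name) exclusion format are assumptions made for the demo.

```python
"""Toy WAF rule engine (added example, not ModSecurity code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Rule:
    rule_id: int
    phase: int          # 1 = request line, 2 = parsed query/body args
    target: str         # "REQUEST_URI" (raw, undecoded) or "ARGS"
    pattern: re.Pattern
    msg: str


# The two expressions from the SecRule lines above, both case-insensitive.
RULES = [
    Rule(1001, 2, "ARGS",
         re.compile(r"(?i)(union|select|insert|drop|update|delete)\s"),
         "SQL injection attempt"),
    Rule(1002, 1, "REQUEST_URI",
         re.compile(r"(?i)(\.\./|%2e%2e%2f)"),
         "Path traversal attempt"),
]


@dataclass
class Engine:
    mode: str = "DetectionOnly"   # "DetectionOnly" logs only; "On" blocks
    # Runtime exclusions as (path_prefix, rule_id, arg_name) tuples (assumed
    # format): the rule stays active but ignores that argument under that path.
    exclusions: list = field(default_factory=list)

    def _excluded_args(self, path, rule_id):
        return {arg for prefix, rid, arg in self.exclusions
                if rid == rule_id and path.startswith(prefix)}

    def inspect(self, method, uri, body=""):
        """Return the rule ids that matched and whether the request is blocked."""
        parts = urlsplit(uri)
        # ARGS = decoded query-string args plus form-encoded body args.
        args = parse_qs(parts.query, keep_blank_values=True)
        if method == "POST":
            for name, values in parse_qs(body, keep_blank_values=True).items():
                args.setdefault(name, []).extend(values)
        matched = []
        for rule in sorted(RULES, key=lambda r: r.phase):
            if rule.target == "REQUEST_URI":
                hit = rule.pattern.search(uri) is not None   # raw URI, no decoding
            else:
                skipped = self._excluded_args(parts.path, rule.rule_id)
                hit = any(rule.pattern.search(v)
                          for name, values in args.items() if name not in skipped
                          for v in values)
            if hit:
                matched.append(rule.rule_id)
        blocked = bool(matched) and self.mode == "On"
        return {"matched": matched, "blocked": blocked,
                "status": 403 if blocked else 200}


# Constructed traffic: an injection probe, a legitimate contact form that
# happens to contain the word "select", and an upper-case encoded traversal probe.
TRAFFIC = [
    ("GET", "/items?id=1 UNION SELECT 1,2", ""),
    ("POST", "/contact", "name=Ann&message=Please+select+a+date+for+our+call"),
    ("GET", "/static/%2E%2E%2Fconfig.php", ""),
]


def rollout():
    """Walk the four rollout steps; returns the verdicts of step 1 and step 4."""
    waf = Engine(mode="DetectionOnly")                 # 1) observe only
    step1 = [waf.inspect(*req) for req in TRAFFIC]     # 2) collect the logs
    # 3) the review shows rule 1001 firing on the contact form's message
    #    field, so exclude that argument for that path rather than the rule.
    waf.exclusions.append(("/contact", 1001, "message"))
    waf.mode = "On"                                    # 4) switch to blocking
    step4 = [waf.inspect(*req) for req in TRAFFIC]
    return step1, step4


if __name__ == "__main__":
    for label, verdicts in zip(("DetectionOnly", "Blocking"), rollout()):
        for (method, uri, _), v in zip(TRAFFIC, verdicts):
            print(f"{label:14} {method} {uri[:40]:40} rules={v['matched']} "
                  f"blocked={v['blocked']}")
```

The point of the exclusion is that it narrows scope to one argument on one path instead of removing rule 1001 globally, which is what a hasty "add exceptions" step often does.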
WAF vs other defences
A WAF is a layer, not a replacement. It is not a substitute for:
- Secure coding (prepared statements, escaping)
- HTTP Security Headers
- Application-level rate limiting
- Proper authentication and session handling
WAFs are compensating controls. If the app is fundamentally broken, a WAF just makes attacks louder.
Monitoring
Track: block rate, top-10 triggered rules, false-positive rate, latency overhead (5–50 ms). Set alerts on rising 403/503 rates with external monitoring.
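The metrics listed above, as an added Python example (not the page's or any vendor's code): it parses a log format constructed for the demo, computes block rate, the most triggered rules, the false-positive rate from blocks an analyst has reviewed, and a nearest-rank p95 of WAF latency, and raises an alert when the 403/503 share of the most recent window jumps relative to the traffic before it. The log format, the review set, the window size and the thresholds are all assumptions.

```python
"""WAF log metrics and a 403/503 spike alert (added example; constructed log format)."""
from collections import Counter

# Constructed sample log, one line per request, in a format chosen for this
# demo: <seq> <status> <rule_id or -> <waf_latency_ms>. Not a real product's format.
LOG = """\
1 200 - 4
2 200 - 5
3 403 1001 12
4 200 - 6
5 200 - 5
6 200 - 4
7 403 1001 11
8 403 1002 9
9 403 1001 14
10 503 - 40
11 403 1001 10
12 200 - 5
""".splitlines()

# Outcome of the analyst's log review: sequence numbers of blocks that were
# in fact legitimate traffic (here, request 3).
REVIEWED_FALSE_POSITIVES = {3}


def parse(line):
    seq, status, rule, latency = line.split()
    return {"seq": int(seq), "status": int(status),
            "rule": None if rule == "-" else int(rule),
            "latency_ms": int(latency)}


def metrics(lines, false_positives):
    """Block rate, top triggered rules, false-positive rate and p95 latency."""
    events = [parse(line) for line in lines]
    blocks = [e for e in events if e["status"] == 403]
    fp = sum(1 for e in blocks if e["seq"] in false_positives)
    latencies = sorted(e["latency_ms"] for e in events)
    # nearest-rank p95: the value 95% of the way through the sorted list
    p95 = latencies[int(0.95 * (len(latencies) - 1))]
    return {
        "requests": len(events),
        "block_rate": len(blocks) / len(events),
        "top_rules": Counter(e["rule"] for e in blocks).most_common(10),
        "false_positive_rate": fp / len(blocks) if blocks else 0.0,
        "p95_latency_ms": p95,
    }


def error_share(events):
    """Fraction of requests answered with 403 or 503."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["status"] in (403, 503)) / len(events)


def error_spike(lines, window=6, factor=2.0, floor=0.2):
    """Alert when the 403/503 share of the last `window` requests exceeds
    `factor` times the share before it and is above `floor` (thresholds assumed)."""
    events = [parse(line) for line in lines]
    recent_share = error_share(events[-window:])
    prior_share = error_share(events[:-window])
    alert = recent_share > floor and recent_share > factor * prior_share
    return alert, recent_share, prior_share


if __name__ == "__main__":
    print(metrics(LOG, REVIEWED_FALSE_POSITIVES))
    print(error_spike(LOG))
```

The `floor` guard keeps a jump from one error to two in a quiet window from paging anyone; the ratio against the prior window is what catches a genuine surge, whether from an attack or from a bad rule deployment.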
FAQ
Does a WAF slow the site? Cloud WAF — 5–30 ms; self-hosted ModSecurity — 10–50 ms on complex rules. Invisible to users.
Protects against zero-days? Managed rule feeds often ship before your code patch — so partially, yes.
Do I need a WAF when the site already uses SSL/TLS? Yes. HTTPS defeats MITM; a WAF defeats attacks inside a valid TLS session.
WAF or IDS/IPS? IDS inspects L3/L4, WAF inspects L7. Web apps need WAFs.
Conclusion
A WAF is table stakes for e-commerce, fintech, and public APIs. Minimum starter kit: Cloudflare Free or ModSecurity + OWASP CRS. Watch false positives and latency. Related: rate limiting, XSS, the Security Scanner.