WAF: What It Is and How It Protects Your Site
What Is a WAF
A Web Application Firewall (WAF) is a protective shield that filters HTTP traffic between the internet and your web application. Unlike a traditional firewall that operates at the network level (IP addresses and ports), a WAF analyzes the content of HTTP requests and responses, blocking malicious patterns.
WAFs operate at Layer 7 of the OSI model (application layer) and understand web protocol specifics: HTTP methods, headers, cookies, URL parameters, and request bodies.
What Attacks Does a WAF Prevent
SQL Injection
A WAF detects attempts to inject SQL code into request parameters. For example, a request containing ' OR 1=1 -- in a login field will be blocked before it reaches the database.
Cross-Site Scripting (XSS)
A WAF filters requests containing JavaScript code in parameters, headers, or request bodies. An attempt to submit <script>alert('xss')</script> through a form will be stopped.
File Upload Attacks
A WAF inspects uploaded files: blocking executables, web shells, and files with double extensions like image.php.jpg.
Application-Layer DDoS (Layer 7)
A WAF can implement rate limiting and detect anomalous traffic patterns, protecting against HTTP flood and slowloris attacks.
Other OWASP Top 10 Threats
- Local/Remote File Inclusion (LFI/RFI)
- Server-Side Request Forgery (SSRF)
- XML External Entity (XXE)
- Command Injection
- Path Traversal
- HTTP Request Smuggling
Types of WAF
Cloud-Based WAF
Deployed as a reverse proxy — you point your site's DNS records to the WAF provider, which filters traffic before forwarding it to your origin server. Examples: Cloudflare WAF, AWS WAF, Akamai.
Pros: fast deployment, no server resources needed, automatic rule updates, built-in CDN and DDoS protection.
Cons: traffic passes through a third party, limited rule customization, vendor dependency.
Hardware WAF (Appliance)
A physical device installed in the network in front of web servers. Examples: F5 BIG-IP, Fortinet FortiWeb.
Pros: high performance, full control, no external dependencies.
Cons: high cost, requires expertise to configure, manual updates.
Software WAF (Host-Based)
Installed as a web server module or application component. Examples: ModSecurity (for Apache/nginx), NAXSI (for nginx).
Pros: free options available, full customization, runs on the same server.
Cons: consumes server resources, requires manual configuration and rule updates.
How a WAF Works: Modes and Rules
Positive Security Model (Whitelist)
Only explicitly defined traffic is allowed. Everything else is blocked. More secure but harder to configure — requires detailed descriptions of legitimate traffic.
Negative Security Model (Blacklist)
Known attack patterns are blocked. Everything else is allowed. Easier to set up but may miss new (zero-day) attacks.
Hybrid Approach
A combination of both: baseline blacklist rules for known attacks plus whitelist rules for critical endpoints (login forms, payment APIs).
Operating Modes
- Detection mode (monitoring) — WAF logs suspicious requests but doesn't block them. Use during initial setup.
- Prevention mode (blocking) — WAF actively blocks malicious requests. Enable after testing rules.
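As an added example (not the article's code and not any real WAF product's ruleset), the following Python request inspector combines the hybrid model with both operating modes: a whitelist schema for a hypothetical /login endpoint, baseline blacklist signatures applied to every request, and a detection mode that logs hits without blocking. The signatures and the schema are constructed for illustration and are far smaller than a production ruleset such as OWASP CRS.

```python
import logging
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Negative model (blacklist): constructed signatures for known attack patterns.
SIGNATURES = {
    "sqli": re.compile(r"'\s*or\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script\b|javascript\s*:", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
}

# Positive model (whitelist) for one critical endpoint: the login form may only
# carry these fields, each in this exact format; anything else is rejected.
LOGIN_SCHEMA = {
    "username": re.compile(r"[A-Za-z0-9_.@-]{1,64}"),
    "password": re.compile(r"[^\x00-\x1f<>]{1,128}"),
}
WHITELISTED = {"/login": LOGIN_SCHEMA}  # hypothetical endpoint


@dataclass
class Request:
    path: str
    query: str = ""
    body: str = ""


def inspect(req: Request, mode: str = "prevention"):
    """Return (rule_hit, blocked); in detection mode hits are logged, never blocked."""
    hit = None
    schema = WHITELISTED.get(req.path)
    if schema is not None:
        # Positive model first: unknown fields or malformed values are rejected
        # before any signature matching is attempted.
        for name, values in parse_qs(req.body, keep_blank_values=True).items():
            pattern = schema.get(name)
            if pattern is None or not all(pattern.fullmatch(v) for v in values):
                hit = f"whitelist:{name}"
                break
    if hit is None:
        # Negative model over every surface the WAF inspects.
        for surface in (req.path, req.query, req.body):
            hit = next((f"blacklist:{n}" for n, p in SIGNATURES.items()
                        if p.search(surface)), None)
            if hit:
                break
    blocked = hit is not None and mode == "prevention"
    if hit:
        logging.warning("mode=%s path=%s rule=%s action=%s", mode, req.path,
                        hit, "block" if blocked else "log-only")
    return hit, blocked
```

Note that a request passing the whitelist still goes through the blacklist, so a password such as pass' or 1=1 is flagged by the sqli signature: exactly the kind of hit you review in detection mode before deciding whether the rule needs tuning.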
WAF Configuration Best Practices
- Start in detection mode. Run the WAF in detection mode for 1-2 weeks, analyze logs, and ensure legitimate traffic isn't being blocked.
- Customize rules for your application. Default rules may block legitimate requests (false positives). For example, a CMS with a visual editor may send HTML in POST requests.
- Update rules regularly. New vulnerabilities appear constantly. Automatic rule updates are a key advantage of cloud WAFs.
- Don't rely solely on WAF. A WAF is an additional layer of defense, not a substitute for secure code. Fix vulnerabilities in your application.
- Log and analyze. Regularly review blocked requests to detect attacks and false positives.
- Protect the WAF itself. Ensure direct access to the server is closed and traffic flows only through the WAF.
WAF and Performance
A WAF adds latency to every request — typically 1-5ms for cloud solutions. Cloud WAFs often compensate for this through CDN and content delivery optimization.
To minimize performance impact:
- Use selective inspection — not all URLs require deep analysis
- Cache static resources before the WAF
- Optimize your ruleset — disable inapplicable rules
How to Check Your Site's Protection
Use the Enterno.io Security Scanner to check your website's security headers. While the scanner doesn't test WAF directly, it shows the presence of security headers that work alongside WAF for comprehensive protection.
Summary
A WAF is an essential component of modern web application security. It filters malicious traffic at the HTTP level, protecting against SQL injection, XSS, DDoS, and other OWASP Top 10 attacks. Choose the WAF type that fits your needs, start in monitoring mode, and gradually fine-tune rules for your application's specifics.