Education center Cybersecurity Technologies

What is a Web Application Firewall (WAF)?

A web application firewall (WAF) protects web applications. It sits between the internet and a web application to filter and monitor HTTP traffic and serve as a security policy enforcement point. They are deployed in front of web applications and analyze bi-directional web-based (HTTP) traffic, detecting and blocking anything malicious. WAFs protect web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection, and many others.

What are the limitations of a WAF?

As an open systems interconnection (OSI) layer 7 defense mechanism against application-layer attacks, a WAF can only protect certain aspects of a website. For example, they protect services that user-facing web applications apply to collect, store, and utilize data. However, since WAFs are unable to detect sophisticated malware; manipulated, vulnerable, or sideloaded JavaScript code; or data exfiltration, they cannot protect the browser-level user interface itself. WAFs are not able to detect and protect businesses from:

Sophisticated skimming malware
Drive-by skimming and supply chain attacks
Sideloading and chainloading attacks

Can WAFs protect from all client-side threats?

No. A WAF will protect the connection between your servers and your customers, but the protection ends there. Web application firewalls can’t monitor or protect your business from browser-level threats outside of your security perimeter.

How do they work?

Web application firewalls use policies that filter out malicious traffic that could threaten the web application. WAFs act like a reverse proxy. They protect the server from attack by filtering the clients before they reach the server.

Where can I learn more?

You can learn more about WAFs in our blog post Everything You Need to Know About Web Application Firewalls. Also, check our our new e-book The Ultimate Guide to Client-Side Security to better understand WAFs, how they work, their limitations, and whether they’re right for your business.

Blog November 7, 2024

How to comply with PCI DSS 4’s Req 6.4.3 and 11.6.1 in 4 minutes or less?

Being PCI DSS 4 compliant is crucial for e-commerce merchants—businesses that accept credit card payments on their websites and web applications. The…

Blog November 3, 2024

What Is the Cheapest Way to Comply with PCI DSS Requirements 6.4.3 and 11.6.1?

If you're running a business that takes online credit card payments, you know that you’ve got to become compliant with PCI DSS…

Blog October 22, 2024

How to Achieve HHS Requirements and Avoid HIPAA-related Lawsuits on Your Website

Healthcare organizations today face an imminent threat to securing private health information (PHI) on their websites. For this reason, HHS has released…

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.