Introduction to Web Application Firewalls (WAF)

July 12, 2022
Christian Bohren
3 min read

What is a Web Application Firewall?

A Web Application Firewall (WAF) filters network packets to protect web applications from vulnerabilities like Cross-Site Scripting (XSS), SQL Injection, Cross Site Request Forgery (CSRF), and similar attacks. Additionally, WAFs are often used to protect from Distributed Denial of Service (DDOS) and rate-limiting attacks.

What is the difference between a WAF and a Firewall?

WAFs have a specific role in preventing security vulnerabilities, whereas firewalls serve as a general gatekeeper of network traffic.

1. The most important difference is a WAF sits before the application server and acts as a reverse proxy or shield against various threats before those requests reach the destination server. Alternatively, firewalls are commonly deployed at the edge or border between the private Local Area Network (LAN) and a public network.

2. Standard firewalls are specifically designed to allow or deny access to a network, whereas WAFs focus on threats targeted at HTTP/HTTPS

3. WAFs typically defend the Application Layer i.e Layer 7 of the OSI model whereas traditional firewalls focus on Layer 3 & Layer 4.

4. WAFs utilize Heuristics, Anomaly Detection and Signature-based algorithms. Traditional firewalls focus on Packet filtering, Proxy algorithms and Stateful/Stateless inspection algorithms.

How do WAFs work?

A WAF operates through a set of rules often called policies. These policies instruct the WAF what traffic to look for and how to respond in the event of a detection. A WAF will scan GET and POST requests and filter out any malicious traffic before passing them along to the destination. WAFs check both the headers and body of a request, while some intelligent WAFs can provide intelligence user detection.

A Web Application Firewall can be configured according to three security models:

1. Whitelisting Model : The WAF is configured to only allow pre-defined traffic that meets the criteria. This model is best used for internal network use, complementing a zero-trust approach.

2. Blacklisting Model: The WAF is configured to block known vulnerabilities using pre-defined attack signatures. Example: If a pool of IP addresses is sending an anomalous number of requests, the WAF will “black list” the sending hosts, blocking further malicious traffic. This model is the most widely used for traditional web applications.

3. Hybrid Model: This model is a combination of Whitelisting and Blacklisting, i.e. the WAF incorporates both methods based on the needs of the application.

Top 3 WAFs available in the Market  


Akamai is a top provider for WAF solutions in the market, offering two dedicated options: Web Application Protector (WAP) and Kona Site Defender (KSD). WAP offers DDOS Protection, bot security, and is pre-configured to detect the latest threats. KSD goes further in offering anomaly detection and threat intelligence. Kona Site defender also has advanced API features and is marked as a WAF market leader in the most recent Q1 Forrester wave.


One of the most widely utilized WAFs in the industry, Cloudflare began as a Content Delivery Network (CDN) and now protects millions of websites from font-line application attacks. It’s ease of usage and integration is the leading factor in its widespread adoption. Cloudflare recently thwarted a 2 Tbps (really big) DDOS attack, flexing just how capable their service is. Read more on that here.


Offering everything from space travel to conveniently priced phone chargers, of course Amazon also sells a WAF.  A part of its Amazon Web Service (AWS) Cloud services, AWS WAF can be very easily deployed as part of Amazon CloudFront, Load Balancer , and or API Gateways. AWS firewall manager integration will let you centrally define, manage the rules and also reuse the set of rules against all your Web applications. You can get started quickly with AWS WAF by making use of pre-configured rules set by AWS.

Let's Get Started

Book a time to chat about your security needs.
* Indicates a required field.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.