CyberGlossary

Network Security

Web Application Firewall (WAF)

Also known as: WAF

Definition

A reverse-proxy filter that inspects HTTP/HTTPS traffic to block web attacks such as SQL injection, XSS, and bot abuse before they reach the application.

A Web Application Firewall (WAF) sits in front of a web application — usually as a reverse proxy, sidecar, or CDN edge service — and analyses each HTTP request and response against rule sets such as the OWASP Core Rule Set. It can block injection attempts, malicious file uploads, scanner traffic, layer-7 DDoS, credential stuffing, and bot abuse, often using a mix of signatures, anomaly scoring, rate limiting, and machine-learning models. WAFs are essential for protecting legacy or third-party apps that cannot be patched quickly. They must be tuned to reduce false positives, run in detection mode before blocking, and be combined with secure coding rather than treated as a substitute for it.

Examples

  • AWS WAF blocking a request containing a UNION SELECT payload before it reaches the application.
  • Cloudflare WAF rate-limiting login endpoints to mitigate credential stuffing.
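As an added illustration (not code from this glossary or from any WAF product), the following toy filter shows the mechanisms named above: Core-Rule-Set-style anomaly scoring over a small constructed rule set, a detect-only mode that logs what it would have blocked, and per-client rate limiting on a login endpoint. The rule patterns, severities, threshold, class name and request-dictionary layout are all assumptions made for the example.

```python
# Added example, not from the glossary: a toy WAF-style filter showing
# CRS-like anomaly scoring, a detect-only mode, and login rate limiting.
# Rule patterns, scores, thresholds and the request layout are assumptions.
import re
from collections import defaultdict, deque

# Each rule: (id, pattern, severity). Severities are summed per request,
# mirroring the OWASP Core Rule Set anomaly-scoring model.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), 5),
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I), 5),
    ("xss-script", re.compile(r"<\s*script\b", re.I), 5),
    ("scanner-ua", re.compile(r"sqlmap|nikto", re.I), 3),  # alone: below threshold
]
BLOCK_THRESHOLD = 5  # a request is suspicious once its summed score reaches this

class Waf:
    def __init__(self, mode="detect", rate_limit=5, window=60):
        self.mode = mode              # "detect" only logs; "block" enforces
        self.rate_limit = rate_limit  # max /login attempts per client per window
        self.window = window          # sliding window length in seconds
        self.logins = defaultdict(deque)  # client -> recent login timestamps
        self.log = []                 # (client, verdict, score, rule ids, rate-limited)

    def score(self, req):
        """Return (total anomaly score, ids of matched rules) for one request."""
        fields = [req["path"], req.get("query", ""), req.get("body", ""), req.get("ua", "")]
        matched = [rid for rid, pat, _ in RULES if any(pat.search(f) for f in fields)]
        return sum(sev for rid, _, sev in RULES if rid in matched), matched

    def over_rate_limit(self, req):
        """Sliding-window count of /login requests per client (credential stuffing)."""
        if req["path"] != "/login":
            return False
        recent = self.logins[req["client"]]
        while recent and req["ts"] - recent[0] > self.window:
            recent.popleft()  # drop attempts that fell outside the window
        recent.append(req["ts"])
        return len(recent) > self.rate_limit

    def inspect(self, req):
        """Return 'allow', 'detect' (would block, logging only) or 'block'."""
        total, matched = self.score(req)
        limited = self.over_rate_limit(req)
        suspicious = total >= BLOCK_THRESHOLD or limited
        verdict = "allow" if not suspicious else ("block" if self.mode == "block" else "detect")
        self.log.append((req["client"], verdict, total, matched, limited))
        return verdict
```

Running the same request through a `Waf(mode="detect")` and a `Waf(mode="block")` instance shows why detection mode is run first: the log records identical scores and rule hits, but only the second instance actually rejects traffic.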

Related terms