WAF (Web Application Firewall)

A Web Application Firewall protects web applications by filtering and monitoring HTTP traffic between a web application and the internet. It operates at Layer 7 (application layer) and can block common attack vectors like SQL injection and XSS.

How WAF Works

Client Request → WAF → Application
                 ↓
         Rule Evaluation
         • Block malicious requests
         • Allow legitimate traffic
         • Log for analysis

Common Rule Types

Rule Type	Protects Against
SQL Injection	Database attacks via input
XSS	Script injection attacks
Path Traversal	File system access attempts
Rate Limiting	DDoS, brute force
IP Blocking	Known malicious sources
Geo Blocking	Traffic from specific regions
Bot Detection	Automated attacks, scrapers

WAF Options

Cloud Provider WAFs

AWS WAF: Integrates with CloudFront, API Gateway, ALB
Cloudflare WAF: Part of CDN offering
Azure WAF: With Application Gateway
GCP Cloud Armor: With Load Balancing

Dedicated Solutions

Imperva (Incapsula)
F5 Advanced WAF
Akamai Kona

AWS WAF Example Rules

// Block SQL injection in query strings
{
  "Name": "SQLInjectionRule",
  "Statement": {
    "SqliMatchStatement": {
      "FieldToMatch": { "QueryString": {} },
      "TextTransformations": [{ "Type": "URL_DECODE", "Priority": 0 }]
    }
  },
  "Action": { "Block": {} }
}

What We Like

First line of defense: Blocks attacks before reaching application
Managed rules: Pre-built protection for common vulnerabilities
Visibility: Logging shows attack patterns and sources
Easy implementation: Enable on load balancers or CDN

What We Don't Like

False positives: Legitimate requests sometimes blocked
Performance impact: Inspection adds latency
Not a silver bullet: Must be part of defense in depth
Rule maintenance: Custom rules need ongoing tuning

Best Practices

Start with managed rules: AWS Managed Rules, OWASP rule sets
Enable logging: Send to CloudWatch, S3, or SIEM
Test before blocking: Use count mode first
Layer defenses: WAF + SSL + application security
Monitor and tune: Review blocked requests regularly
Rate limit APIs: Protect against abuse

When to Use WAF

Public-facing web applications
APIs exposed to the internet
Applications handling sensitive data
Compliance requirements (PCI DSS, HIPAA)
Protection against automated attacks

How WAF Works​

Common Rule Types​

WAF Options​

Cloud Provider WAFs​

Dedicated Solutions​

AWS WAF Example Rules​

What We Like​

What We Don't Like​

Best Practices​

When to Use WAF​