A web application firewall (WAF) is a security control that sits between clients and a web application and inspects HTTP(S) traffic, filtering out malicious requests before they reach the application.

[Diagram: how a web application firewall works]


Traditional security solutions such as network firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are good at stopping illegitimate traffic and providing network-level security. But they operate on packets and flows rather than on the application's own semantics, so they cannot reliably detect and stop SQL injection, session hijacking, cross-site scripting (XSS) and other attacks that exploit vulnerabilities inherent in web applications.

Web application firewalls, on the other hand, detect these threats by examining incoming HTTP requests before they reach the server. The WAF detects and blocks malicious payloads woven into safe-looking website traffic that has slipped past the traditional network-level controls. WAFs are also used to help organizations meet HIPAA and PCI DSS requirements.

How a Web Application Firewall Works

The WAF is deployed as a hardware or virtual appliance, as an inline reverse proxy in front of the web server, or as a module or plugin that runs directly on the web server (ModSecurity is a well-known example of the last form). It intercepts every HTTP request and analyzes it before the web server processes it. It inspects not only GET and POST parameters but also request headers, cookies and bodies, applying its defined rules to identify and filter out illegitimate traffic.

Depending on the selected WAF options, the WAF can block the request, challenge the visitor by asking them to solve a CAPTCHA, or run in a simulate (detect-only) mode that logs the request as it would have been handled without actually stopping it. The blocking and challenging options prevent illegitimate traffic from reaching the web server; simulate mode is used to tune rules and measure false positives before enforcing them.

The WAF’s operation is usually based on one of three security models:

  1. Blacklist or negative security model – This uses generic signatures to protect the website against known classes of attack (SQL injection, XSS, path traversal) and specific signatures to prevent attacks against known vulnerabilities in the particular web application. Anything that matches no signature is allowed, so novel attacks can pass.
  2. Whitelist or positive security model – This uses signatures and sometimes additional logic to permit only traffic that meets certain criteria, rejecting everything else. An example is allowing only HTTP GET requests to a specific URL and blocking all other methods and paths.
  3. Hybrid security model – This applies both the negative and positive models, so a request must be within the allowed set and must match no attack signature.

Configurable responses to a matching request include blocking the request, terminating the session, blocking the client IP address, blocking the user account, or logging the user out.
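The following is an added example, not code from the original article or from any WAF vendor: a miniature rule engine that implements the three security models above (negative, positive and hybrid), the three request actions (block, challenge, simulate) and IP-level blocking, and runs them over a handful of constructed sample requests. The signatures, the allowlist and the request format are deliberately small assumptions made for this illustration; production rule sets such as the OWASP Core Rule Set are far larger and use anomaly scoring rather than single matches.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example (not the article's code). Rule names, the allowlist and the
# Request layout are assumptions chosen for this illustration.

@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: dict = field(default_factory=dict)
    client_ip: str = "0.0.0.0"

    def inspected_fields(self):
        # A WAF inspects every part of the request, not only GET/POST parameters.
        yield "path", self.path
        yield "query", self.query
        yield "body", self.body
        for name, value in self.headers.items():
            yield f"header:{name.lower()}", value

# Negative model: generic signatures for classes of attack (kept tiny here).
NEGATIVE_RULES = [
    ("sqli-union",     re.compile(r"(?i)\bunion\b.{0,20}\bselect\b")),
    ("sqli-tautology", re.compile(r"(?i)(['\"])\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("xss-script",     re.compile(r"(?i)<\s*script\b|javascript:")),
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]

# Positive model: only these (method, path) pairs may reach the application.
ALLOWLIST = {("GET", "/"), ("GET", "/articles"), ("POST", "/login")}

def negative_check(req: Request) -> Optional[str]:
    """Return a description of the first matching attack signature, or None."""
    for field_name, value in req.inspected_fields():
        for rule_name, pattern in NEGATIVE_RULES:
            if pattern.search(value):
                return f"{rule_name} in {field_name}"
    return None

def positive_check(req: Request) -> Optional[str]:
    """Return a reason if the request falls outside the allowlist, else None."""
    if (req.method.upper(), req.path) not in ALLOWLIST:
        return f"{req.method} {req.path} not in allowlist"
    return None

class MiniWAF:
    def __init__(self, model="hybrid", action="block", block_scope="request"):
        assert model in ("negative", "positive", "hybrid")
        assert action in ("block", "challenge", "simulate")
        assert block_scope in ("request", "ip")
        self.model, self.action, self.block_scope = model, action, block_scope
        self.blocked_ips = set()   # filled when block_scope == "ip"
        self.log = []              # every decision is recorded, as a WAF would

    def evaluate(self, req: Request) -> dict:
        reasons = []
        if req.client_ip in self.blocked_ips:
            reasons.append(f"client ip {req.client_ip} already blocked")
        if self.model in ("negative", "hybrid"):
            hit = negative_check(req)
            if hit:
                reasons.append(hit)
        if self.model in ("positive", "hybrid"):
            hit = positive_check(req)
            if hit:
                reasons.append(hit)
        if not reasons:
            decision = {"verdict": "allow", "forwarded": True, "reasons": []}
        else:
            # simulate = detect-only: log the hit but still forward the request
            decision = {"verdict": self.action,
                        "forwarded": self.action == "simulate",
                        "reasons": reasons}
            if self.action == "block" and self.block_scope == "ip":
                self.blocked_ips.add(req.client_ip)
        self.log.append((req.method, req.path, decision["verdict"], reasons))
        return decision

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_REQUESTS = [
    Request("GET", "/articles", query="q=cardiology", client_ip="198.51.100.7"),
    Request("GET", "/articles", query="id=1' OR '1'='1", client_ip="203.0.113.9"),
    Request("POST", "/login", body="user=<script>alert(1)</script>&pw=x", client_ip="203.0.113.9"),
    Request("GET", "/admin/config", client_ip="203.0.113.9"),
    Request("GET", "/articles", headers={"User-Agent": "../../etc/passwd"}, client_ip="192.0.2.5"),
]

if __name__ == "__main__":
    waf = MiniWAF(model="hybrid", action="block", block_scope="ip")
    for req in SAMPLE_REQUESTS:
        d = waf.evaluate(req)
        print(f"{req.method} {req.path:<14} -> {d['verdict']:<8} {'; '.join(d['reasons'])}")
```

Running the same requests through `MiniWAF(model="negative")` lets the unlisted `/admin/config` request through, while `MiniWAF(model="positive")` lets the SQL injection against the allowlisted `/articles` through: that is the gap the hybrid model closes. Switching `action` to `"simulate"` keeps the reasons in the log but forwards everything, which is how a rule set is tuned before enforcement.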

Example of a Web Application Firewall

Despite having an intrusion prevention system, Karger, a medical and scientific publisher, suffered massive application-layer DDoS attacks that caused a 70% traffic spike. This led to timeouts for most of the users trying to access the company’s website.

These application-level attacks were carried over HTTPS, so the IPS could not see inside the encrypted requests, and coarse filters set to stop the DDoS bots would have blocked genuine website users as well. To handle the situation the company needed a web application firewall that terminates TLS and can therefore inspect and control HTTPS traffic at the request level.

The WAF service that Karger implemented could classify clients by their IP addresses and apply the appropriate protection against HTTP-level attacks. The implementation of the WAF resulted in a drop in unwanted traffic, thereby improving site performance.


WAF solutions are effective at preventing attacks aimed at web applications, but they are still evolving. Since no single tool can address all the weaknesses in web-based applications, it is often necessary to combine a WAF with other web security measures.

A typical approach is combining a WAF with Dynamic Application Security Testing (DAST). DAST tools check for security vulnerabilities in running web applications by sending requests that imitate an attacker’s activity and observing how the application responds; the findings can then be used to add targeted rules to the WAF while the underlying code is fixed.

There are other options and operational models to cater for different kinds of websites and businesses. Besides protection, WAFs deployed as reverse proxies often provide additional functions such as caching, compression, load balancing, TLS termination and acceleration, and connection pooling that further enhance website performance and reliability.