WAF
Definition
Web Application Firewall - a security system that inspects and filters HTTP/HTTPS traffic to web applications, protecting against application-layer attacks such as SQL injection and cross-site scripting (XSS).
Use Cases
- Cloudflare: Protecting customer websites and APIs from common web attacks (e.g., SQL injection, cross-site scripting) and bot abuse at the edge. — Operates a globally distributed edge network where HTTP(S) traffic is inspected against managed rulesets (e.g., OWASP Top 10-style protections), custom rules, rate limiting, and bot management before requests reach customer origins. (Reduced successful application-layer attacks and improved site availability by blocking malicious traffic upstream, lowering origin load and incident response effort.)
- Amazon: Protecting high-traffic retail web properties from application-layer attacks and abusive traffic patterns during peak shopping events. — Uses AWS WAF with AWS edge and load balancing services to apply managed rule groups, IP reputation lists, and rate-based rules; integrates logging/metrics for security monitoring and tuning. (Improved resilience against common web exploits and traffic spikes by automatically filtering malicious requests and throttling abusive clients, helping maintain performance and uptime.)
Provider Equivalents
- AWS: AWS WAF
- Azure: Azure Web Application Firewall (Azure WAF)
- GCP: Cloud Armor
- OCI: OCI Web Application Firewall
Frequently Asked Questions
- What's the difference between a WAF and a firewall (network firewall)?
- A network firewall mainly controls traffic based on IP addresses, ports, and protocols (Layers 3–4). A WAF focuses on HTTP/HTTPS (Layer 7) and understands web requests, so it can block attacks like SQL injection, cross-site scripting (XSS), and malicious request patterns that a network firewall may not detect.
- When should I use a WAF?
- Use a WAF when you run a public-facing website or API and want protection against common web attacks, need virtual patching for known vulnerabilities, want rate limiting to reduce abusive traffic, or must meet security requirements (e.g., protecting login pages and checkout flows). It’s especially useful when you can’t quickly change application code or need an extra layer of defense in front of legacy apps.
- How much does a WAF cost?
- Costs depend on the provider and are usually driven by (1) number of protected resources/endpoints, (2) number of rules or rule groups (managed and custom), (3) request volume inspected, and (4) optional features like bot protection, DDoS integration, and logging. Expect pricing to scale with traffic: higher request rates and more advanced protections generally increase cost.
Category: security
Difficulty: intermediate
Related Terms
See Also