
Web Application Firewall (WAF)

A security control that filters, monitors, and blocks HTTP/HTTPS traffic to and from web applications based on predefined rules.

Category: Cloud Security
Also called: "waf", "application firewall", "layer 7 firewall"

WAFs protect web applications by inspecting HTTP requests (and, depending on the product, responses) and blocking malicious ones before they reach the application. They are typically deployed as a reverse proxy, a load balancer module, or an edge/CDN service. To inspect HTTPS the WAF must sit where the traffic is in plaintext, i.e. at or behind the point where TLS is terminated.

What WAFs protect against

  • SQL injection attacks.
  • Cross-site scripting (XSS).
  • Remote file inclusion.
  • Local file inclusion.
  • Command injection.
  • HTTP protocol violations.
  • Exploits of known vulnerabilities (virtual patching while a fix is rolled out).
  • Bot and scraper traffic.

Cloud WAF services

  • AWS WAF: Integrated with CloudFront, ALB, API Gateway.
  • Azure WAF: Works with Application Gateway, Front Door.
  • Google Cloud Armor: Protects Cloud Load Balancers.
  • Cloudflare WAF: Edge-based protection.

Rule types

  • Managed rules: Pre-built rulesets (OWASP Core Rule Set, AWS Managed Rules).
  • Custom rules: Organization-specific patterns.
  • Rate limiting: Block or challenge a client that exceeds a request threshold within a time window.
  • Geo-blocking: Restrict by country/region.
  • IP reputation: Block known malicious IPs.

Deployment modes

  • Detection mode (ModSecurity DetectionOnly, the AWS WAF Count action, Azure WAF Detection): log matching requests but don't block them; used during the tuning phase.
  • Prevention mode (AWS WAF Block action, Azure WAF Prevention): actively block matching requests.

Best practices

  1. Start in detection mode, review the matches against real traffic, and switch to prevention mode only once false positives are handled.
  2. Use managed rulesets as the baseline.
  3. Add custom rules for application-specific patterns (e.g. internal paths that must never be reachable from the internet).
  4. Implement rate limiting for login pages and APIs to slow credential stuffing and brute force.
  5. Enable logging and integrate with the SIEM so the matched rule, source IP and request are available for incident response.
  6. Regularly review and update rules, including picking up managed-rule updates.
  7. Test rule changes before production deployment, with both known-bad payloads and a sample of legitimate traffic.

Limitations

  • Cannot protect against business logic flaws (e.g. a request for another user's record looks identical to a legitimate one).
  • Signature-based rules can be bypassed with encoding and obfuscation; treat the WAF as a compensating control, not a fix.
  • Only inspects traffic that passes through it: if the origin is reachable directly, lock the origin down to accept traffic only from the WAF.
  • May cause false positives that block legitimate traffic.
  • Requires ongoing tuning and maintenance.
  • Does not replace secure coding practices.
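As an added example (not a vendor's code or part of this glossary), the following toy rule engine in Python exercises the rule types and both deployment modes described above, and also shows two of the limitations: a legitimate comment containing `--` is blocked as a false positive, and an IDOR-style request for another user's order passes every rule because nothing in it is syntactically malicious. All requests, the IP addresses (RFC 5737 documentation ranges), the placeholder country code `XA`, the regex patterns and the `Waf`, `Request` and `demo` names are constructed for this example.

```python
"""
Toy WAF rule engine (added example, not any vendor's code): managed and custom
signature rules, per-IP rate limiting, geo-blocking and IP reputation, evaluated
in either detection (log only) or prevention (block) mode. All inputs are
constructed; IPs come from the RFC 5737 documentation ranges.
"""
import re
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    src_ip: str
    country: str                 # assumed to come from a GeoIP lookup in front of the WAF
    method: str
    path: str
    query: str = ""
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# "Managed" rules: simplified stand-ins for the signature categories a ruleset
# such as the OWASP Core Rule Set ships. Real rulesets are far larger and scored.
MANAGED_RULES = [
    ("sqli", re.compile(r"(?i)(\bunion\b.{0,40}\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s|/\*)")),
    ("xss",  re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)")),
    ("lfi",  re.compile(r"(\.\./|/etc/passwd|\\\.\.\\)")),
    ("rfi",  re.compile(r"(?i)\b\w+=(?:https?|ftp)://")),
    ("cmdi", re.compile(r"(;|\|\||&&|`|\$\()\s*(cat|ls|id|whoami|sh|bash|nc)\b")),
]


class Waf:
    def __init__(self, mode="prevention", rate_limit=5, window=60,
                 blocked_countries=(), bad_ips=(), custom_rules=()):
        assert mode in ("detection", "prevention")
        self.mode = mode
        self.rate_limit, self.window = rate_limit, window
        self.blocked_countries = set(blocked_countries)
        self.bad_ips = set(bad_ips)
        self.custom_rules = list(custom_rules)        # (name, compiled regex) pairs
        self.log: List[dict] = []                     # what you would ship to a SIEM
        self._hits: Dict[str, List[float]] = defaultdict(list)

    def _rate_limited(self, req: Request, now: float) -> bool:
        # Sliding window on login and API paths only; other paths are not counted.
        if not (req.path.startswith("/login") or req.path.startswith("/api/")):
            return False
        hits = self._hits[req.src_ip]
        hits[:] = [t for t in hits if now - t < self.window]
        hits.append(now)
        return len(hits) > self.rate_limit

    def _first_match(self, req: Request, now: float) -> Optional[str]:
        if req.src_ip in self.bad_ips:
            return "ip-reputation"
        if req.country in self.blocked_countries:
            return "geo-block"
        if self._rate_limited(req, now):
            return "rate-limit"
        # Decode once and inspect path, query and body together.
        surface = unquote_plus(f"{req.path}?{req.query}\n{req.body}")
        for name, pattern in MANAGED_RULES + self.custom_rules:
            if pattern.search(surface):
                return name
        return None

    def inspect(self, req: Request, now: Optional[float] = None) -> Tuple[str, Optional[str]]:
        """Return (action, rule): action is 'allow', 'log' (detection mode) or 'block'."""
        now = time.time() if now is None else now
        rule = self._first_match(req, now)
        if rule is None:
            return "allow", None
        action = "block" if self.mode == "prevention" else "log"
        self.log.append({"ts": now, "ip": req.src_ip, "rule": rule,
                         "action": action, "method": req.method, "path": req.path})
        return action, rule


def demo(mode: str = "prevention") -> List[Tuple[str, Optional[str]]]:
    """Run constructed requests through the engine and return the decisions in order."""
    waf = Waf(mode=mode, rate_limit=3, window=60,
              blocked_countries={"XA"},            # XA is an ISO 3166 user-assigned placeholder
              bad_ips={"198.51.100.7"},
              custom_rules=[("custom-internal-path", re.compile(r"^/internal/"))])
    ip = "203.0.113.5"
    reqs = [
        Request(ip, "US", "GET", "/search", query="q=1%27+OR+%271%27%3D%271"),         # SQLi
        Request(ip, "US", "POST", "/comment", body="text=<script>alert(1)</script>"),  # XSS
        Request(ip, "US", "GET", "/download", query="file=../../etc/passwd"),          # LFI
        Request(ip, "US", "GET", "/include", query="page=http://203.0.113.9/s.txt"),   # RFI
        Request(ip, "US", "GET", "/ping", query="host=127.0.0.1%3B+id"),               # cmd injection
        Request(ip, "US", "GET", "/internal/metrics"),                                  # custom rule
        Request("203.0.113.10", "XA", "GET", "/"),                                      # geo-block
        Request("198.51.100.7", "US", "GET", "/"),                                      # IP reputation
        Request(ip, "US", "POST", "/comment", body="text=see the README -- it helps"),  # false positive
        Request(ip, "US", "GET", "/api/orders/42", headers={"Cookie": "session=bob"}),  # IDOR: passes
    ]
    decisions = [waf.inspect(r, now=100.0) for r in reqs]
    # Four login attempts inside the window from one IP: the fourth exceeds rate_limit=3.
    for t in (200.0, 210.0, 220.0, 230.0):
        decisions.append(waf.inspect(Request(ip, "US", "POST", "/login",
                                             body="user=alice&pass=hunter2"), now=t))
    return decisions
```

Run `demo("prevention")` and `demo("detection")`: the two decision lists differ only in that detection mode returns "log" where prevention returns "block", which is what makes detection mode safe for the tuning phase, and the `log` attribute holds the records you would forward to a SIEM. The engine decodes input only once, so a double-encoded payload would reach the application undetected; production rulesets normalise repeatedly and score anomalies rather than stopping at the first match.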