Network Firewall vs. WAF

A traditional network firewall operates at layers 3 and 4 of the OSI model (Open Systems Interconnection — the reference model for network communications): it filters by IP address and port. It is blind to the content of HTTP requests. A WAF (Web Application Firewall) operates at layer 7 (application) and inspects the content of every HTTP request: URL, headers, parameters, request body. It can detect and block attacks that appear as legitimate HTTP traffic.

Attacks Blocked by a WAF

WAFs are particularly effective against attacks from the OWASP Top 10 (Open Web Application Security Project — the global reference for web vulnerabilities):

  • SQLi (SQL Injection — injecting malicious SQL code into queries): e.g. ' OR 1=1 -- in a form
  • XSS (Cross-Site Scripting — injecting JavaScript into pages viewed by other users)
  • CSRF (Cross-Site Request Forgery — a forged request exploiting an authenticated user's session)
  • Path traversal — accessing files outside the web root via ../
  • RFI/LFI (Remote/Local File Inclusion — including remote or local files via unfiltered parameters)

OWASP ModSecurity Core Rule Set

The OWASP ModSecurity CRS (Core Rule Set) is an open-source rule set for the ModSecurity WAF. It defines known attack signatures and detection heuristics. Rules work by anomaly scoring: each rule that matches adds a score to the request, and if the cumulative score exceeds a threshold, the request is blocked. This scoring system allows fine-tuning the WAF's sensitivity: a higher threshold tolerates more suspicious signals before blocking, a lower one blocks sooner.

Detection Mode vs. Blocking Mode

A WAF can operate in two modes. Detection mode (or audit mode) logs suspicious requests without blocking them — ideal for the initial calibration phase. Blocking mode actively blocks malicious requests. The transition should be gradual: overly aggressive rules generate false positives (legitimate requests being blocked). Managing false positives requires analyzing logs, identifying the legitimate patterns that were blocked, and adding targeted exclusion rules so that a single noisy rule is relaxed for one parameter or path rather than disabled globally.
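The calibration workflow above (audit mode, anomaly threshold, targeted exclusion) in ModSecurity 2.x with the OWASP CRS, as an added configuration example that is not from the original article. The file paths, the /blog/comment URI and the rule id 1001 are assumptions; 942100 is the CRS libinjection SQLi rule.

```apache
# --- modsecurity.conf: engine mode ---------------------------------------
# DetectionOnly evaluates every rule and logs matches but blocks nothing:
# the audit phase. Change to "On" once the log is clean of false positives.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log          # assumed path

# --- crs-setup.conf: anomaly scoring threshold ----------------------------
# Each matching CRS rule adds its severity score (critical=5, error=4,
# warning=3, notice=2) to tx.inbound_anomaly_score. The request is blocked
# (in blocking mode) once the total reaches the threshold, so 5 blocks on a
# single critical match; raising it to 10 requires two. Replaces the
# commented-out default rule 900110 shipped in crs-setup.conf.
SecAction "id:900110,phase:1,pass,nolog,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: targeted exclusion -----
# The audit log showed rule 942100 (SQLi via libinjection) firing on free
# text posted in the "body" field of the comment form. Instead of disabling
# 942100 everywhere, remove only that one argument from its targets, and
# only for the comment endpoint (assumed URI). Every other parameter and
# every other path is still checked by 942100.
SecRule REQUEST_URI "@beginsWith /blog/comment" \
  "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:body"

# --- Load order matters: setup, then exclusions-before-CRS, then rules ---
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Include /etc/modsecurity/crs/rules/*.conf
```

Leave the engine in DetectionOnly until a full cycle of normal traffic (forms, uploads, admin pages) produces no unexplained entries in the audit log, then switch to On.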

Available Solutions

The WAF landscape covers several tiers:

  • ModSecurity: open-source, integrates with Apache and Nginx, full control but manual configuration
  • Cloudflare WAF: cloud solution, activatable in a few clicks, automatically managed rules, suited for sites without a dedicated security team
  • AWS WAF: native to the Amazon Web Services ecosystem, per-request pricing
  • Imperva: enterprise solution with support and advanced rules

Cloud WAFs (Cloudflare, AWS) are easier to deploy and benefit from automatic signature updates. On-premise WAFs offer more control but require internal expertise.

The Limits of a WAF

A WAF does not replace secure development. It cannot fix a vulnerability in application code — it can only attempt to block its exploitation. Flawed application logic (incorrect authorization, sensitive data exposure) often escapes the WAF. A WAF is a defense-in-depth layer, not a substitute for secure development practices.

Audit Your Site's Protection with TheSiteFuse

A site without a WAF is exposed to thousands of daily exploitation attempts. Run a free audit to assess your protection level, identify your attack surfaces, and receive concrete security recommendations.