
What is a web application firewall?

A web application firewall (WAF) protects web applications against cyberattacks. It analyzes traffic between clients and web servers and monitors, filters and blocks inbound and outbound traffic.



A definition of web application firewall (WAF)

A web application firewall is a type of application level firewall (ALF). Its distinctive feature is the fact that, unlike a conventional firewall, it does not act at the network and protocol level, but analyzes, filters and blocks HTTP data directly at the application level.

Webmasters often use a WAF in combination with a conventional firewall. The two firewalls then assume the analysis of the communication between client and web server in succession. In addition to HTML and HTTPS packets, a WAF can also analyze XML, RPC and SOAP data.

A WAF can be implemented on a software or hardware basis.


How does a web application firewall (WAF) work?

A WAF is part of a comprehensive security concept for web applications and protects against specific cyberattacks, including cross-site request forgery and SQL injection. It forms a protective wall between the web application and the internet. Clients wanting to access the web server must first pass through the web application firewall.

In its analysis of data, the WAF follows defined rules, known as policies, which filter out malicious traffic. These policies are continually updated to respond to different forms of cyberattacks. WAFs fall into two basic types, blacklist and whitelist:

  • Blacklist WAFs are based on a negative security model and protect against known attacks. The firewall detects these attacks and blocks them.

  • Whitelist WAFs, on the other hand, pursue a positive security model. They only let through traffic that has been approved in advance.

In practice, many WAFs follow a hybrid blacklist and whitelist approach for optimal security performance.
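
The two models side by side, as an added example that is not part of the original page or of any vendor's product. The signatures, routes, parameter formats and sample requests are all constructed for illustration; the last sample shows a legitimate value rejected because the allow rule is too tight.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Negative model: signatures of known attacks (constructed, far from complete).
DENY_SIGNATURES = [
    re.compile(r"(?i)<\s*script\b"),           # script tag in a parameter (XSS)
    re.compile(r"(?i)\bunion\b.+\bselect\b"),  # UNION SELECT in a parameter (SQLi)
]

# Positive model: only these method/path pairs, with these parameter formats.
ALLOW_POLICY = {
    ("GET", "/products"): {"id": re.compile(r"\d{1,9}")},
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
}

def _split(url):
    parts = urlsplit(url)
    # parse_qsl percent-decodes values, so signatures see the decoded form.
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def blacklist_verdict(method, url):
    """Block only if a parameter value matches a known-bad signature."""
    _, params = _split(url)
    hit = any(sig.search(v) for _, v in params for sig in DENY_SIGNATURES)
    return "block" if hit else "allow"

def whitelist_verdict(method, url):
    """Block unless route, parameter names and value formats are all approved."""
    path, params = _split(url)
    schema = ALLOW_POLICY.get((method, path))
    if schema is None:
        return "block"
    ok = all(n in schema and schema[n].fullmatch(v) for n, v in params)
    return "allow" if ok else "block"

def hybrid_verdict(method, url):
    """Hybrid: the request must pass both models."""
    verdicts = (whitelist_verdict(method, url), blacklist_verdict(method, url))
    return "block" if "block" in verdicts else "allow"

# Constructed sample requests.
SAMPLES = [
    ("GET", "/products?id=42"),                              # normal request
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),  # known signature
    ("GET", "/products?id=42&debug=1"),                      # unapproved parameter
    ("DELETE", "/products?id=42"),                           # unapproved method
    ("GET", "/search?q=O%27Brien"),                          # legitimate, rule too tight
]

if __name__ == "__main__":
    for m, u in SAMPLES:
        print(m, u, blacklist_verdict(m, u), whitelist_verdict(m, u), hybrid_verdict(m, u))
```

The third and fourth samples match no signature, so only the positive model stops them; the fifth is the false positive that allow-rule tuning has to remove.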


Against which threats does a web application firewall (WAF) provide protection?

The attacks that a web application firewall (WAF) protects web applications against include:

Cross-site request forgery

These cyberattacks can affect all websites and web applications that require a user login to perform a specific action. They cause the user’s browser to send HTTP requests to the website to trigger undesirable actions.

Cross-site scripting (XSS)

In most cases, cross-site scripting is a code injection attack on the user side. Hackers insert unwanted code when loading a web page. Interactive websites and applications are particularly vulnerable to this.

SQL injection

In an SQL injection attack, cybercriminals use an SQL query field to transfer additional undesirable information.

OWASP Top 10

The Open Web Application Security Project (OWASP) is a non-profit organisation that periodically compiles a list of the top ten security issues related to web applications. The most important entries of the last few years include:

  • Broken authentication

  • Sensitive data exposure

  • XML external entities (XXE)

  • Broken access control

  • Security misconfiguration

  • Insecure deserialization

  • Using components with known vulnerabilities

  • Insufficient logging & monitoring


What are the benefits of using a WAF?

Companies that use a web application firewall on their website benefit from the following:

Additional level of security

In combination with other security measures, a WAF offers an additional level of protection against unauthorized access.

Mitigation of security vulnerabilities in multiple applications

Webmasters can put up a WAF in front of several applications simultaneously. This approach makes it possible to mitigate existing vulnerabilities.

Protection of legacy systems and applications

Especially with software that has been in use for a long time and was not programmed in-house, security vulnerabilities can persist for a long time. A WAF provides additional security for such systems.


What types of WAFs are there?

There are three ways to build a WAF architecture: centralized as an appliance WAF, host-based directly on the web server, or as a Cloud SaaS solution.

Appliance WAF

Appliance WAFs are usually located directly behind a network firewall and in front of web servers. They analyze all of the traffic passing through them. Thus, this type of web application firewall takes a centralized approach. In this architecture, a single component often protects a number of web applications. The high performance this requires is reflected in the hardware requirements.

Host-based WAF

These web application firewalls are installed directly on each web server. They can also be centrally controlled using a central management console.

Cloud SaaS WAF

Numerous providers have developed Software-as-a-Service solutions for WAF. These solutions are hosted in the Cloud and generally mean less in-house effort for companies because the provider handles the administration of the WAF.



Against which threats can a web application firewall (WAF) not provide protection?

A WAF does not offer all-round protection, but should always be part of a comprehensive security concept.

  • There are vulnerabilities against which a WAF is ineffective. It also does not protect against malware already on the network. Consequently, companies should also take appropriate protective measures in-house.

  • Hackers are well aware of ways to circumvent web application firewalls, such as HTTP request smuggling. Additional protection is also required here.

  • The management of the filter settings requires a lot of expertise. If the filters are set to be too loose or too tight, the WAF will not work the way the company needs it to work.

  • JavaScript and other active web content are currently not supported by many web application firewalls.

  • An effective WAF can lure developers into being less vigilant. When in doubt, assuming that the firewall provides the necessary protection may even lead to a higher number of vulnerabilities in the application.



What companies need a WAF?

The use of a web application firewall is mandatory for companies offering a credit card payment option following the PCI-DSS standard on their website. This applies, for example, to eCommerce retailers.

In addition, many companies employing agile development methods rely on WAFs because any errors in development are mitigated by firewall protection.


What should companies consider when using a WAF?

A web application firewall is only as good as its filters and configuration. Anyone who makes a mistake or is too restrictive should expect to see some problems. This is why the management of a WAF requires experts who have the resources available to handle the day-to-day management of the firewall.

Companies that cannot guarantee this in-house rely on SaaS solutions from external providers, who handle the administrative work.



Web application firewall (WAF): What you need to know

A web application firewall is an important factor in a comprehensive security concept for the company website, but should always be accompanied by additional security measures. Since the configuration of the filters is crucial for a good WAF, maintenance entails a certain amount of effort, and a company must also have the appropriate experts available.

The Myra Hyperscale WAF protects your content and applications and integrates seamlessly into your existing IT infrastructure.
