Security lock

What is a Web Application Firewall (WAF)?

A web application firewall (WAF) protects web applications from cyberattacks and attacks on security vulnerabilities. The protection solution monitors traffic between clients and web servers and blocks malicious access before it reaches the server.


By using a web application firewall, organizations protect themselves against data theft, account takeover and sabotage. A WAF can also be used to secure legacy systems and address acute vulnerabilities.


Find out more about WAF protection solutions from Myra
Functionality WAF


Web Application Firewall (WAF): A Definition

The web application firewall is a form of application level firewall (ALF). Its special feature is the fact that, unlike a conventional firewall, it does not act at network and protocol level, but analyzes, filters and blocks HTTP data directly at application level.

Webmasters often use a WAF in combination with a conventional firewall. The two firewalls then take over the analysis of the communication between client and web server one after the other. In addition to HTML and HTTPS packets, a WAF can also analyze XML, RPC and SOAP data. The implementation of a WAF can be software or hardware-based.


How Does a Web Application Firewall (WAF) Work?

A WAF is part of a comprehensive security concept for web applications and protects against certain cyber attacks, including cross-site forgery and SQL injection. It forms a protective wall between the web application and the Internet. Clients that want to reach the web server must first pass through the web application firewall.

When analyzing data, the WAF follows defined rules, known as policies. They are used to filter out harmful traffic. These policies are constantly updated in order to be able to react to various forms of cyber attacks. Basically, there are blocklist and allowlist WAFs:

  • Blocklist WAFs are based on a negative security model and protect against known attacks. The firewall recognizes these attacks and prevents them.

  • Allowlist WAFs, on the other hand, pursue a positive security model. They only allow pre-approved traffic through.

In practice, many WAFs follow a hybrid approach of blocklist and allowlist for optimum security performance.


What Dangers Does a Web Application Firewall (WAF) Protect Against?

A web application firewall protects web applications against data theft, account takeover, malicious manipulation and sabotage. Among other things, organizations can protect themselves against the following attack patterns by using a WAF:

Cross-Site Request Forgery

With cross-site request forgery, attackers cause the user's browser to send manipulated HTTP requests to a website or web application in order to trigger unwanted actions.

Cross-Site Scripting (XSS)

In a cross-site scripting attack, cyber criminals inject malicious code into web applications by exploiting security vulnerabilities in order to steal sensitive information such as login data. Interactive websites and applications are particularly susceptible to this. As an upstream protective wall, a web application firewall prevents such malicious access.


With an SQL injection attack, cyber criminals specifically exploit security vulnerabilities to infiltrate manipulated commands or malicious code via input masks, for example. Dedicated rule sets allow WAF solutions to reliably detect and thwart injection attacks.

OWASP Top 10

The non-profit organization Open Web Application Security Project (OWASP) regularly compiles a list of the 10 biggest security problems for web applications. Many of the threats on this list can be addressed by a web application firewall.

Zero-Day Exploits

In the case of zero-day exploits, cyber criminals immediately use newly discovered software vulnerabilities such as Log4Shell or Confluence OGNL for their attacks. Adapted WAF rules offer immediate protection in such an acute threat situation until patches for the vulnerable software are available and applied.

04 - What Are the Advantages of Using WAF Security?

Companies that use a web application firewall on their website benefit from the following advantages:

Additional Security Layer for Web Applications

In combination with other security measures, an application level firewall provides an additional layer of protection against unauthorized access.

Closing Security Gaps in Multiple Applications

Webmasters can place a WAF in front of several applications at the same time. This procedure makes it possible to close existing security gaps.

Protection of Legacy Systems and Applications

Especially with software that has been in use for a significant period of time and has not been programmed internally, security vulnerabilities can persist for a long time. A WAF offers additional security here.


What Types of WAFs Are There?

There are three ways to set up a WAF architecture: Centralized as a network-based hardware appliance or virtual appliance, host-based directly on the web server, or a company uses a cloud SaaS solution. Depending on the type and deployment, the functionality and associated costs differ immensely.

Network-Based WAF

These web application firewalls are integrated into the network as hardware appliances or virtual appliances in front of or behind the web servers. The solutions offer high scalability and performance, but also require more bandwidth and a correspondingly high-performance infrastructure.

Host-Based WAF

Host-based web application firewalls are installed as software or modules directly on the same server on which the web application is hosted. They offer a high level of integration and control options, but also require more resources and high maintenance costs.

Cloud SaaS WAF

Numerous providers have developed software-as-a-service solutions for WAF use, which are hosted in the cloud and offer companies less internal effort while at the same time being highly flexible and cost-efficient. Configuration, maintenance and operation of a cloud web application firewall are carried out by the provider.



Against What Can an Application Level Firewall Not Protect?

A WAF does not offer total protection, but should always be part of a comprehensive security concept. The following threats cannot be defended against by an application level firewall:

  • Attacks via protocols outside the application level such as DNS, SMTP, Telnet, RDP, SSH or FTP are not identifiable for a WAF solution.

  • DDoS attacks that use malicious traffic to overload web applications and the underlying web infrastructure can only be partially intercepted by a WAF. Dedicated DDoS protection solutions at network, protocol and application level, on the other hand, offer reliable protection.

  • Logic errors in the web applications themselves can lead to unwanted reactions and can be exploited by cyber criminals. Such conceptual programming errors are not recognized by an application level firewall.

Code on a laptop screen


Which Companies Need a WAF?

In principle, companies in all industries that have business-critical websites, online portals or web APIs benefit from the use of a cloud WAF. In addition, the use of a WAF is mandatory for companies that offer the option of credit card payment on their website in accordance with the PCI DSS standard. This applies to many e-commerce merchants, for example. Furthermore, other regulatory frameworks such as the NIS-2 directive also require companies to secure their systems using state-of-the-art technology - in many cases, this is likely to include a WAF to secure critical online applications.

In addition, many organizations that use agile development methods rely on WAFs, as any errors in development are mitigated by firewall protection.


What Do Companies Need to Consider When Using a WAF?

A web application firewall is only as good as its filters and configuration. If you make a mistake here or are too restrictive, you can expect problems. Therefore, managing a WAF requires appropriate IT security specialists who have the resources available to take over the ongoing management of the firewall. Companies that cannot guarantee this internally rely on SaaS solutions from external providers to take over the administrative work.

Code on a laptop screen


Web Application Firewall (WAF): What You Need to Know

A web application firewall is an important factor in a comprehensive security concept for the company website, business-critical online portals and APIs. The security solution monitors traffic directly at the application level. The solution checks incoming requests and responses from the web server for suspicious patterns. Requests classified as malicious are blocked by the WAF – this ensures that the applications are protected without the need for any adjustments to the application itself.

The Web Application Firewall protects websites from attacks that occur via the Hypertext Transfer Protocol (HTTP/S). These include risks from the OWASP Top 10, zero-day exploits, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), file inclusion and directory traversal.

To ensure smooth operation, the WAF provider must adapt the security solution to the existing web applications. This is the only way to rule out performance or security problems and complete failures in advance.

The Myra Hyperscale WAF protects your content and applications and integrates seamlessly into your existing IT infrastructure.

Learn more about the Myra Hyperscale WAF

Deep Dive WAF IT-Security