Web application firewall (WAF)
A web application firewall shields web apps from data theft, account takeover, malicious tampering, and sabotage. Organizations can defend against the following attack patterns with an application-level firewall:
Cross-Site Scripting (XSS)
In a cross-site scripting attack, cyber criminals inject malicious script into web pages, where it runs in other users' browsers. They exploit such flaws to steal sensitive information, like login details. Interactive websites and applications that reflect user input are particularly susceptible to this. As an upstream protective barrier, a web application firewall blocks such malicious input before it reaches the application.
SQL Injection
Cyber criminals use SQL injection attacks to exploit security vulnerabilities in how an application builds database queries. They inject manipulated SQL commands or malicious code, for example through input fields or other request parameters. Dedicated rule sets allow WAF solutions to reliably detect and block injection attacks.
OWASP Top 10
The non-profit organization Open Web Application Security Project (OWASP) periodically compiles a list of the top 10 security risks for web applications. Many of the threats included in the OWASP Top Ten can be addressed by a web application firewall.
Zero-Day Exploits
Cyber criminals quickly exploit newly discovered software vulnerabilities to launch attacks. Customized WAF rules provide immediate protection against these urgent threats and bridge the gap until patches for the vulnerable software are ready and installed.
You can set up a WAF architecture in three ways:
Many providers offer software-as-a-service (SaaS) solutions for web application firewalls. These cloud-hosted options reduce internal effort for companies and offer high flexibility and cost-efficiency, as they do not require any additional software or hardware. With a Managed WAF, the provider handles configuration, maintenance, and operation of the cloud firewall.
Host-based web application firewalls are software or server modules that run on the same server as the web application. They offer a high level of integration and fine-grained control, but also consume server resources and incur higher maintenance costs.
Network-based web application firewalls are hardware or virtual appliances. They sit in front of or behind web servers. These solutions provide high scalability and performance. However, they need more bandwidth and a strong infrastructure.
| Criterion | Cloud / SaaS WAF | Host-based WAF | Network-based WAF (appliance) |
| --- | --- | --- | --- |
| Cost | Typically low upfront costs; ongoing operating costs depend on traffic/features | Often low initial costs, but higher internal operating expenses | High; often a 5- to 6-figure investment |
| Operating expenses | Moderate; minimal for Managed WAF | Medium; requires in-house IT | High; requires a dedicated team |
| Scalability | Elastic | Limited; server-dependent | Limited elasticity; scaling typically via hardware expansion |
| Time-to-protect | Minutes/hours; no additional software or hardware required | Days; installation & configuration | Often weeks; delivery + rack + configuration |
| Rule updates | Often automatic via provider | Manual; requires in-house maintenance | Manual; often delayed |
| GDPR compliance | High; can be ensured by provider selection | High; data remains in-house | High; full data sovereignty |
| BSI / NIS-2 / DORA / etc. | Covered; choose a certified provider | Covered; supports requirements, but not sufficient on its own | Covered; supports requirements, but not sufficient on its own |
| Target audience | SMEs, enterprise & critical infrastructure; wide applicability | Organizations with their own operational and security expertise | Enterprise & critical infrastructure |
Any company that operates a web application through which user data flows needs a WAF. But let’s address the most important misconception first:
“We’re too small to be a target” – this is the most dangerous misconception in IT security. Automated attack tools scan the entire internet, regardless of company size. According to the BSI 2025 Situation Report, an average of 119 new vulnerabilities were reported each day during the reporting period from July 1, 2024, to June 30, 2025—an increase of approximately 24 percent compared to the previous year. The crucial question is therefore not “How big are we?”, but: “What happens if our web application is compromised?”
Industries with increased protection needs

Financial services
Online banking and brokerage platforms under constant attack
BaFin and BSI "IT-Grundschutz" make security measures effectively mandatory
Typical attacks: session hijacking, API abuse, account takeovers

Healthcare
Patient portals process particularly sensitive GDPR data
Significant risk of fines in the event of a data breach
Typical attacks: ransomware preparation, data retrieval via insecure APIs

Public sector
NIS-2 and BSI Act make WAF deployment mandatory for many institutions
Government agencies are increasingly the target of politically motivated attacks
Typical attacks: Layer 7 DDoS, defacement, data breaches

E-commerce
Highly attractive target due to the processing of payment and address data
PCI-DSS requires technical security measures at the application level
Typical attacks: credential stuffing, skimming, bot attacks
| Regulation | Who is affected | Requirement |
| --- | --- | --- |
| PCI-DSS v4.0 | All companies accepting credit card payments | Requirement 6.4.1: WAF or documented alternative process |
| NIS-2 | Critical and important facilities in the EU | Technical protective measures for web applications are mandatory |
| DORA | Banks, insurance companies, payment service providers, crypto providers + their ICT service providers | WAF recommended as a technical protective measure under Art. 9 – mandatory as of Jan. 2025 |
| BSI IT-Grundschutz | Recommendation for all with exposed web applications | Module APP.3.1 explicitly recommends WAF |
| GDPR | All entities processing personal data | Technical and organizational measures (Art. 32) |
The WAF market can be confusing. The criteria below are designed to help you compare offers in a structured way – and to distinguish reliable providers from those that only look good on paper.
Security Quality
OWASP Top 10: Does it cover the most critical vulnerability categories – including SQL injection, XSS, and zero-day exploits?
Bidirectional filtering: Does the web application firewall inspect both incoming requests and outgoing responses?
Scalability: Can the solution process hundreds of millions of HTTP requests per second – without latency issues?
Proven effectiveness: Are there measurable metrics from production operations – e.g., blocked attacks per customer per year?
Integration & Operations
No additional hardware: Can the WAF be integrated into existing infrastructure without new hardware or software?
API protection: Does the solution also protect modern APIs – not just traditional web applications?
Managed service: Is there an option to hand over rule maintenance and configuration to the provider’s security experts?
Onboarding speed: Is the solution ready for use quickly – ideally via DNS redirection without any installation effort?
Compliance & Certifications
BSI Qualification: Does the provider meet all BSI criteria for qualified security service providers – relevant for critical infrastructure and public sector clients?
ISO 27001 (BSI "IT-Grundschutz"): Does the provider operate its own ISMS certified under BSI "IT-Grundschutz"?
BSI C5 Type 2: Is there a current C5 certificate available – the gold standard for cloud security in Germany?
Data center location: Are all data and infrastructure located exclusively in Germany or the EU – without any possibility of U.S. access?
Compliance coverage: Can the provider document how its solution specifically supports NIS-2, DORA, PCI-DSS, and GDPR?
Support & SLA
Availability SLA: Does the provider guarantee a service availability of 99.9% or higher?
Response time: Do automated defense measures kick in within one second?
24/7 Security Operations Center (SOC): Is a dedicated SOC available around the clock?
NPS as a quality indicator: Does the provider have a measurable Net Promoter Score that demonstrates customer satisfaction?
Quick checklist for evaluation
Is the solution ready for use without hardware installation?
BSI certification and C5 Type 2 compliance verified?
Data centers located exclusively in Germany / the EU?
SLA for availability agreed upon in writing?
Managed WAF service available as an option?
Compliance coverage for NIS-2, DORA, PCI-DSS documented?
24/7 SOC support with emergency contact?
A traditional network firewall monitors traffic based on IP addresses and ports – it does not “understand” the content of the data packets. A web application firewall operates at the application layer (Layer 7) and analyzes the actual content of HTTP/S requests. This allows it to detect attacks such as SQL injection or XSS, which would be invisible to a traditional firewall.
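To make the Layer 7 difference concrete, here is an added example (not code from the original page or from any vendor) of a minimal request and response inspector in Python: a port-based check that admits a request unseen, an OWASP-style rule set applied to the decoded parameter values, and the outbound leak check that the bidirectional filtering criterion above refers to. The function names, rule patterns and sample requests are all constructed for illustration.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Layer 3/4 view: all a port-based network firewall can decide on.
ALLOWED_PORTS = {80, 443}

def network_firewall_allows(dst_port: int) -> bool:
    """Admit anything on a web port; the request content is never examined."""
    return dst_port in ALLOWED_PORTS

# Layer 7 view: illustrative OWASP-style signatures for SQL injection and XSS.
# Teaching patterns, not a production rule set; real engines normalize and score far more.
RULES = {
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+|;\s*drop\b)"),
    "xss": re.compile(r"(?i)(<\s*script\b|\bon\w+\s*=|javascript\s*:)"),
}

def _parameter_values(target: str, body: str) -> List[str]:
    """Every query and form value, URL-decoded repeatedly so a %25-double-encoded
    payload is inspected in the form the application will eventually see."""
    groups = list(parse_qs(urlsplit(target).query, keep_blank_values=True).values())
    groups += list(parse_qs(body, keep_blank_values=True).values())
    return [unquote_plus(unquote_plus(v)) for vals in groups for v in vals]

def inspect_request(target: str, body: str = "") -> Optional[str]:
    """Name of the first rule a request trips, or None when it is clean."""
    for value in _parameter_values(target, body):
        for name, pattern in RULES.items():
            if pattern.search(value):
                return name
    return None

# Outbound half of bidirectional filtering: stop responses that would leak
# server internals or card data even when a request got through.
LEAK_RULES = {
    "stack_trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # crude; real rules add a Luhn check
}

def inspect_response(body: str) -> Optional[str]:
    """Name of the leak rule a response trips, or None when it may be sent."""
    for name, pattern in LEAK_RULES.items():
        if pattern.search(body):
            return name
    return None

if __name__ == "__main__":
    # Constructed sample: SQL injection in a login request arriving on port 443.
    print(network_firewall_allows(443), inspect_request("/login?user=admin%27%20OR%201%3D1--"))  # True sqli
```

The same request passes the port check and is only caught once the parameter value is decoded and matched, which is exactly the content-level view a network firewall lacks.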
Björn Greif
Senior Editor
Björn started his career as an editor at the IT news portal ZDNet in 2006. 10 years and exactly 12,693 articles later, he joined the German start-up Cliqz to campaign for more privacy and data protection on the web. It was then only a small step from data protection to IT security: Björn has been writing about the latest trends and developments in the world of cybersecurity at Myra since 2020.