Select Page

What is a web application firewall?

A web application firewall (WAF) protects web applications against cyberattacks. It analyzes traffic between clients and web servers and monitors, filters and blocks inbound and outbound traffic.

Reading Time: .

At one


A definition of web application firewall (WAF):

A web application firewall is a type of application level firewall (ALF). Its distinctive feature is the fact that, unlike a conventional firewall, it does not act at the network and protocol level, but analyzes, filters and blocks HTTP data directly at the application level.

Webmasters often use a WAF in combination with a conventional firewall. The two firewalls then assume the analysis of the communication between client and web server in succession. In addition to HTML and HTTPS packets, a WAF can also analyze XML, RPC and SOAP data.

A WAF can be implemented on a software or hardware basis.


How does a web application firewall (WAF) work?

A WAF is part of a comprehensive security concept for web applications and protects against specific cyberattacks, including cross-site forgery and SQL injection. It forms a protective wall between the web application and the internet. Clients wanting to access the web server must first pass through the web application firewall.

In its analysis of data, the WAF follows defined rules, known as policies. They filter out malicious traffic. These policies are continually updated to respond to different forms of cyberattacks. There are basically blacklist and whitelist WAFs:

  • Blacklist WAFs are based on a negative security model and protect against known attacks. The firewall detects these attacks and blocks them.
  • Whitelist WAFs, on the other hand, pursue a positive security model. They only let through traffic that has been approved in advance.

In practice, many WAFs follow a hybrid blacklist and whitelist approach for optimal security performance.


Against which threats does a web application firewall (WAF) provide protection?

Attacks a web application firewall (WAF) protects web applications against include:

Cross-site request forgery:

These cyberattacks can affect all websites and web applications that require a user login to perform a specific action. They cause the user’s browser to send HTTP requests to the website to trigger undesirable actions.

Cross-site scripting (XSS):

In most cases, cross-site scripting is a code injection attack on the user side. Hackers insert unwanted code when loading a web page. Interactive websites and applications are particularly vulnerable to this.

SQL injection:

In an SQL injection attack, cybercriminals use an SQL query field to transfer additional undesirable information.

The OWASP top ten:

The Open Web Application Security Project (OWASP), a non-profit organization, has compiled a list of the ten most virulent web application security problems. In addition to those mentioned above, these include:

  • Broken authentication
  • Sensitive data exposure
  • XML external entities (XXE)
  • Broken access control
  • Security misconfiguration
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient logging & monitoring

What are the benefits of using a WAF?

Companies that use a web application firewall on their website benefit from the following:

Additional level of security:

In combination with other security measures, a WAF offers an additional level of protection against unauthorized access.

Mitigation of security vulnerabilities in multiple applications:

Webmasters can put up a WAF in front of several applications simultaneously. This approach makes it possible to mitigate existing vulnerabilities.

Protection of legacy systems and applications:

Especially with software that has been in use for a long time and was not programmed in-house, security vulnerabilities can persist for a long time. A WAF provides additional security for this.


What types of WAFs are there?

There are three ways to build a WAF architecture: centralized as an appliance WAF, host-based directly on the web server, or a company using a Cloud SaaS solution.

Appliance WAF

Appliance WAFs are usually located directly behind a network firewall and in front of web servers. They analyze all of the traffic passing through them. Thus, this type of web application firewall takes a centralized approach. In this architecture, a single component often protects a number of web applications. The high performance needs to do this are reflected in the hardware requirements.

Host-based WAF

These web application firewalls are installed directly on each web server. They can also be centrally controlled using a central management console.

Cloud SaaS WAF

A large number of providers have developed Software-as-a-Service solutions for WAF. These solutions are hosted in the Cloud and generally mean less in-house effort for companies because the provider handles the administration of the WAF.


Against which threats can a web application firewall (WAF) not provide protection?

A WAF does not offer all-round protection, but should always be part of a comprehensive security concept.

  • There are vulnerabilities against which a WAF is ineffective. It also does not protect against malware already on the network. Consequently, companies should also take appropriate protective measures in-house.
  • Hackers are well aware of ways to circumvent web application firewalls, such as HTTP request smuggling. Additional protection is also required here.
  • The management of the filter settings requires a lot of expertise. If the filters are set to be too loose or too tight, the WAF will not work the way the company needs it to work.
  • JavaScript and other active web content are currently not supported by many web application firewalls.
  • An effective WAF can lure developers into being less vigilant. When in doubt, assuming that the firewall provides the necessary protection may even lead to a higher number of vulnerabilities in the application.

What companies need a WAF?

The use of a web application firewall is mandatory for companies offering a credit card payment option following the PCI-DSS standard on their website. This applies, for example, to eCommerce retailers.

In addition, many companies employing agile development methods rely on WAFs because any errors in development are mitigated by firewall protection.


What should companies consider when using a WAF?

A web application firewall is only as good as its filters and configuration. Anyone who makes a mistake or is too restrictive should expect to see some problems. This is why the management of a WAF requires experts who have the resources available to handle the day-to-day management of the firewall.

Companies that cannot guarantee this in-house rely on SaaS solutions from external providers, who handle the administrative work.


Web application firewall (WAF): What you need to know

A web application firewall is an important factor in a comprehensive security concept for the company website, but should always be accompanied by additional security measures. Since the configuration of the filters is crucial for a good WAF, maintenance entails a certain amount of effort, and a company must also have the appropriate experts available.

The Myra Hyperscale WAF protects your content and applications and integrates seamlessly into your existing IT infrastructure.

If you are interested in futher informations, we are willing to send you our product sheet for free

How to protect your web applications from dangerous attacks:

  • What are possible attack types on web applications?
  • What are the advantages of the Myra Web Application Firewall?
  • What features does Myra WAF offer?

New Field