
Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. It protects against common web attacks such as SQL Injection, XSS, and CSRF by analysing request patterns against predefined security rules.

A Web Application Firewall operates at the application layer (Layer 7 of the OSI model), sitting between users and the web application to inspect every HTTP request and response. Unlike traditional network firewalls that filter traffic based on IP addresses and ports, a WAF understands the structure of web traffic and can detect attacks embedded in seemingly legitimate HTTP requests.

WAFs can operate in several modes. In a positive security model (allowlist), only requests matching known good patterns are permitted. In a negative security model (denylist), requests matching known attack signatures are blocked. Most modern WAFs use a combination of both approaches, supplemented by anomaly detection and machine learning to identify unusual traffic patterns that may indicate novel attacks.
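As an added illustration (not code from Vulnsy or from any WAF product), the following Python sketch combines the two models described above: a denylist of constructed attack signatures and a per-route allowlist of the methods and parameter formats the application expects. The routes, parameter names and regexes are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)

@dataclass
class Route:
    methods: set                # allowed HTTP methods for this path
    params: Dict[str, str]      # parameter name -> regex the value must fully match

# Negative model: signatures for well-known attack patterns (constructed for this example).
DENY_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("sqli", re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:|on\w+\s*=")),
]
# Positive model: known-good profile per route (assumed routes for this example).
ALLOW_ROUTES: Dict[str, Route] = {
    "/login": Route({"POST"}, {"user": r"[a-z0-9_.]{1,32}", "pw": r".{1,128}"}),
    "/item": Route({"GET"}, {"id": r"\d{1,10}"}),
}

def denylist_check(req: Request) -> List[str]:
    """Negative model: names of attack signatures matching any parameter value."""
    return [name for name, pat in DENY_SIGNATURES
            if any(pat.search(v) for v in req.params.values())]

def allowlist_check(req: Request) -> List[str]:
    """Positive model: ways the request deviates from the route's known-good profile."""
    route = ALLOW_ROUTES.get(req.path)
    if route is None:
        return ["unknown route"]
    reasons = []
    if req.method not in route.methods:
        reasons.append("method not allowed")
    for name, value in req.params.items():
        fmt = route.params.get(name)
        if fmt is None:
            reasons.append(f"unexpected parameter {name}")
        elif not re.fullmatch(fmt, value):
            reasons.append(f"malformed parameter {name}")
    return reasons

def inspect(req: Request) -> Tuple[str, List[str]]:
    """Combined model: a signature hit or an allowlist deviation blocks the request."""
    reasons = denylist_check(req) + allowlist_check(req)
    return ("block" if reasons else "allow"), reasons
```

Note that a value such as `1 OR 1=1` in the numeric `id` parameter slips past the signature list but is still rejected by the allowlist, which is why the two models complement each other.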

WAFs can be deployed in various architectures: as a network appliance, a cloud-based service (such as AWS WAF, Cloudflare, or Akamai), or as a host-based module (such as ModSecurity). Cloud-based WAFs have become increasingly popular due to their ease of deployment, scalability, and integration with CDN and DDoS protection services.

While WAFs provide valuable protection, they should not be considered a substitute for secure coding practices. They are best used as a defence-in-depth measure alongside input validation, output encoding, and other application-level security controls. Regular rule tuning is essential to minimise false positives while maintaining effective protection, and WAF rules should be updated as new attack techniques emerge.

Related Terms

WAF, firewall, application security, defence in depth
