What are Web Application Firewalls? Definition & Usage
A web application firewall, or WAF, protects your web applications against common attacks. A WAF isn't a standalone security solution; it's typically used in concert with other tools (such as traditional network firewalls). But a WAF can help save time when your app is under threat.
What is a WAF?
A web application firewall, or WAF, is designed to shield your web application from outside threats.
What is a web app? Everything from the social media site you visit to the email program you use is built and delivered as a web application. As you might imagine, these programs are very attractive to hackers, who want the data stored within them. A WAF makes hacking harder.
A WAF can be a physical appliance (such as a dedicated server) or a virtual tool (such as a cloud service). It's installed between your app and the internet, and it inspects traffic moving in and out. A WAF can:
- Control. Security rules you design and implement determine traffic movement.
- Block. Customised rules filter out traffic you deem dangerous.
- Protect. Rules help you eliminate traffic that could spark attacks.
- Complete. A WAF works in concert with your other security tools.
Companies started using WAFs in the late 1990s. Now, most organisations with web apps can't live without them.
How can a WAF help you?
Most companies are under attack, but some never know it. About 91 per cent of all attack incidents don't generate an alert. A WAF may help.
A WAF can help enhance protection because it:
- Updates. You can create a rule and implement it quickly without impacting your incoming traffic. As soon as the rule goes live, the traffic changes.
- Learns. Use rules created by a vendor, and you benefit from what has been learned from attacks on others. For example, OWASP keeps a top 10 list of the most critical security risks for web applications. Pre-built rules could help you improve security based on that research.
- Manages. Filter traffic going both in and out of your app. Don't worry about training your staff—use rules instead.
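To make the rule-based filtering described above concrete, here is an added example (not code from the original article or from any WAF vendor): a minimal rule engine in Python that checks inbound requests and outbound responses against a constructed rule list, decodes percent-encoded input before matching, and shows a benign request that a crude pattern blocks by mistake.

```python
import re
from urllib.parse import unquote_plus

# A rule is (name, direction, action, compiled pattern).
# direction: "in" = inbound request, "out" = outbound response.
# action: "block" drops the traffic; "alert" only records the match.

class MiniWaf:
    """Applies an ordered rule list to traffic moving in either direction."""

    def __init__(self, rules):
        self.rules = list(rules)

    def add_rule(self, rule):
        # A rule added here applies to the very next request: no restart needed.
        self.rules.append(rule)

    def inspect(self, direction, raw):
        """Return (allowed, matched_rule_names) for one request or response."""
        # Decode before matching: without this a %3Cscript%3E payload slips past
        # a rule written for <script>.
        text = unquote_plus(raw) if direction == "in" else raw
        allowed, matched = True, []
        for name, rule_dir, action, pattern in self.rules:
            if rule_dir == direction and pattern.search(text):
                matched.append(name)
                if action == "block":
                    allowed = False
        return allowed, matched

# Constructed rule set: illustrative patterns, not any vendor's real signatures.
RULES = [
    ("sqli-tautology", "in", "block", re.compile(r"'\s*or\s+'\d+'\s*=\s*'\d+", re.I)),
    ("xss-script-tag", "in", "block", re.compile(r"<\s*script\b", re.I)),
    ("leak-stack-trace", "out", "block", re.compile(r"Traceback \(most recent call last\)")),
]

def demo():
    """Run constructed sample traffic through the rules; returns name -> allowed."""
    waf = MiniWaf(RULES)
    samples = {
        "login": ("in", "user=alice&pw=s3cret"),
        "sqli": ("in", "user=alice&pw=%27+OR+%271%27%3D%271"),
        "xss": ("in", "comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        "leak": ("out", "HTTP 500: Traceback (most recent call last): ..."),
        # False positive: a support ticket that merely mentions the tag is blocked too.
        "benign_mention": ("in", "ticket=why+is+my+<script>+tag+stripped"),
    }
    return {k: waf.inspect(d, raw)[0] for k, (d, raw) in samples.items()}
```

The last sample is the practitioner's caveat: pattern rules trade false positives for coverage, so new rules should run in alert mode against real traffic before they are switched to block.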
Let's dig into common attacks. These are some of the most common vectors companies face:
- Cross-site scripting. The hacker injects script that runs in other users' browsers, and with that foothold gains access to their sensitive data.
- Cross-site request forgery. The hacker tricks a logged-in user into performing an action on the app that the person didn't intend.
- Information leakage. The hacker gets access to sensitive data the app exposes by mistake.
- Broken access control. The app fails to enforce who may see or do what, so a hacker reaches data or functions that should be restricted.
- SQL injection. A hacker inserts malicious SQL into input that the app passes to its database.
If you're worried about any of these attacks, a WAF could be right for you.
How does a WAF work?
A WAF sits between the web app and the internet. It looks over the traffic passing both into and out of a server. WAFs are sometimes described as shields.
A WAF can be