What are Web Application Firewalls? Definition & Usage


A web application firewall, or WAF, protects your web applications against common attacks. A WAF isn’t a standalone security solution, as it’s often used in concert with other tools (such as traditional firewalls). But a WAF can help save time when your app is under threat.

What is a WAF?

A web application firewall, or WAF, is designed to shield your web application from outside threats. 

What is a web app? Everything from the social media site you visit to the email program you use is built and delivered as a web app. As you might imagine, these programs are very attractive to hackers, who would like to get at all of the data stored within an app. A WAF makes hacking harder.

A WAF can be a physical appliance (like a server) or a virtual tool (like a cloud service). It's installed between your app and the internet, and it inspects traffic moving in and out. A WAF can:

  • Control. Security rules you design and implement determine traffic movement. 
  • Block. Customized rules filter out traffic you deem dangerous. 
  • Protect. Rules help you eliminate traffic that could spark attacks. 
  • Complete. A WAF works in concert with your other security tools. 

Companies started using WAFs in the late 1990s. Now, most organizations with web apps can't live without them.

How can a WAF help you?

Most companies are under attack, but some never know it. About 91 percent of all attack incidents don't generate an alert. A WAF may help. 

A WAF can help enhance protection because it:

  • Updates. You can create a rule and implement it quickly without impacting your incoming traffic. As soon as the rule goes live, the traffic changes. 
  • Learns. With rules created by a vendor, you can make changes based on attacks that others have seen. For example, OWASP keeps a top 10 list of the most critical security risks for web applications. Pre-built rules could help you improve security based on that research. 
  • Manages. Filter traffic going both in and out of your app. Don't worry about training your staff—use rules instead. 

Let's dig into common attacks. These are some of the most common vectors companies face:

  • Cross-site scripting. The hacker injects script that runs in other users' browsers, and with that control gains access to sensitive data. 
  • Cross-site request forgery. The hacker forces a user to do something on the app that the person doesn't want to do. 
  • Information leakage. The hacker gets access to sensitive data. 
  • Broken access control. Once again, a hacker gets access to data that should be protected. 
  • SQL injection. A hacker inserts malicious SQL code into input that the app passes to its database. 

If you're worried about any of these attacks, a WAF could be right for you.

How does a WAF work?

A WAF sits between the web app and the internet. It looks over the traffic passing both into and out of a server. WAFs are sometimes described as shields. 

A WAF can be set up with:

  • Blocklists. Developers identify characteristics of known attacks. Any traffic meeting those models is blocked. 
  • Allowlists. Developers identify healthy, natural traffic. Any traffic that doesn't meet those models is blocked. 
  • Hybrids. Some companies blend the rules to protect their assets. 
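
As an added illustration (not from the original article or from any WAF product), the Python sketch below applies the three rule styles to a handful of constructed requests. The signatures, the route models and the way the hybrid mode blends the two are assumptions chosen for the example.

```python
import re

# Constructed signatures and route models, for illustration only.
SIGNATURES = [re.compile(p, re.I)
              for p in (r"<script\b", r"'\s*or\s", r"union\s+select")]
ROUTE_MODELS = {
    "/item": {"id": re.compile(r"\d{1,10}")},
    "/search": {"q": re.compile(r"[\w \-]{1,64}")},
}

def blocklist(path, params):
    """Block only traffic that matches a known-attack signature."""
    hit = any(s.search(v) for v in params.values() for s in SIGNATURES)
    return "block" if hit else "allow"

def allowlist(path, params):
    """Block anything that does not fit the model of healthy traffic."""
    model = ROUTE_MODELS.get(path)
    if model is None or set(params) != set(model):
        return "block"
    ok = all(model[k].fullmatch(v) for k, v in params.items())
    return "allow" if ok else "block"

def hybrid(path, params):
    """Assumed blend: signatures everywhere, allowlist where a model exists."""
    if blocklist(path, params) == "block":
        return "block"
    return allowlist(path, params) if path in ROUTE_MODELS else "allow"

# Constructed sample requests: (path, query parameters).
REQUESTS = [
    ("/item", {"id": "42"}),
    ("/search", {"q": "<script>alert(1)</script>"}),
    ("/item", {"id": "42 OR 1=1"}),
    ("/search", {"q": "O'Brien"}),
    ("/health", {}),
]

def evaluate(requests=REQUESTS):
    """Return (path, blocklist, allowlist, hybrid) verdicts per request."""
    return [(p, blocklist(p, q), allowlist(p, q), hybrid(p, q))
            for p, q in requests]

if __name__ == "__main__":
    for path, b, a, h in evaluate():
        print(f"{path:8} blocklist={b:5} allowlist={a:5} hybrid={h}")
```

The blocklist passes the `42 OR 1=1` value because no signature describes it, while the allowlist rejects the legitimate `O'Brien` search and the unmodelled `/health` route until its models are tuned.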

You could implement a WAF on a:

  • Network. Hardware sitting inside your building protects your web app.
  • Host. A WAF could be integrated within your software. 
  • Cloud. A WAF could come from a cloud vendor that implements it on your network edge. 

WAF security is ongoing, so this isn't a set-it-and-forget-it plan. Teams must update rules, and monitoring is critical. You may spot something in Monday's traffic that needs fixing on Tuesday. 

But a WAF can be adjusted and amended very quickly, so you can put those rules to work almost immediately. For companies running lean and mean, this could be ideal.

If you're looking for more solutions to keep data secure, think about a firewall. This blog post tells you more about what they are and how they work.  

