Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a security control positioned between external clients and web-facing application servers, filtering HTTP and HTTPS traffic to block exploits targeting application-layer vulnerabilities. This page describes the technical architecture of WAF systems, their classification types, the regulatory contexts in which they are mandated or recommended, and the service-sector decisions that govern their selection and deployment. WAF technology is distinct from traditional network-layer firewall controls and addresses a threat surface those controls cannot reach.

Definition and scope

A WAF operates at OSI Layer 7 — the application layer — inspecting request and response payloads rather than packet headers or connection metadata. This distinguishes it from stateful packet inspection firewalls, which operate primarily at Layers 3 and 4, and from intrusion detection and prevention systems, which may inspect payloads but are not purpose-built for HTTP semantics.

The Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, mandates either a WAF or a formal code review process under Requirement 6.4 for any entity that stores, processes, or transmits cardholder data via a web application. The National Institute of Standards and Technology (NIST) addresses application-layer filtering in SP 800-41 Rev. 1, "Guidelines on Firewalls and Firewall Policy," which classifies application-layer gateways as a distinct firewall category with scope extending to protocol-specific filtering.

The threat surface a WAF addresses is codified by the OWASP Top Ten, a ranked list of critical web application security risks published by the Open Web Application Security Project. The OWASP Top Ten includes injection attacks (SQL, LDAP, OS command), cross-site scripting (XSS), security misconfiguration, and server-side request forgery (SSRF), all of which are handled at the HTTP payload level — beyond the reach of perimeter network controls alone.

How it works

WAF processing follows a sequential inspection pipeline applied to each HTTP transaction:

Traffic interception — The WAF sits inline (reverse proxy mode), in bridge/transparent mode, or as a passively sniffing out-of-band sensor. Reverse proxy deployment is the dominant model for cloud-delivered WAFs.
Request parsing — The engine decodes the HTTP request, normalizing encoding schemes (URL encoding, HTML entity encoding, Base64) to prevent obfuscation-based bypass.
Rule matching — Decoded request components (URI, headers, cookies, POST body) are compared against a ruleset. The most widely referenced open ruleset is the OWASP Core Rule Set (CRS), maintained by the OWASP CRS project and compatible with open-source engines such as ModSecurity.
Anomaly scoring — Modern WAFs accumulate a numeric score across matched rules rather than blocking on any single match. Requests exceeding a configured threshold are blocked or logged.
Response inspection — Outbound responses can be filtered to prevent data leakage (e.g., blocking responses that contain credit card patterns or stack trace output).
Action enforcement — Dispositions include block, allow, log, challenge (CAPTCHA), or rate-limit, applied per-rule or per-endpoint.

WAF deployment models divide into three architectural categories: on-premises appliance, cloud-delivered (CDN-integrated), and host-based (agent or module). Cloud-delivered WAFs, such as those operated by major CDN providers, route traffic through scrubbing infrastructure before it reaches origin servers — a model that also intersects with DDoS attack mitigation capabilities. Host-based WAFs run as server modules (e.g., ModSecurity as an Apache or Nginx module) and have lower latency but limited throughput at scale.

A WAF may operate in one of two detection modes: negative security model (block known-bad patterns, allow everything else) or positive security model (allow only known-good patterns, block everything else). Positive security models require a learning period to profile legitimate traffic and are common in enterprise deployments protecting stable, well-defined APIs. Negative models are faster to deploy but produce higher false-positive rates against novel attack patterns.

Common scenarios

WAF deployment arises across four primary operational contexts:

E-commerce and payment card environments — PCI DSS Requirement 6.4 drives WAF adoption among merchants and service providers. Retailers handling card-not-present transactions must protect checkout endpoints against SQL injection and skimming script injection.
Healthcare web portals — HIPAA Security Rule provisions under 45 CFR Part 164, enforced by the HHS Office for Civil Rights, require covered entities to implement technical safeguards against unauthorized access to electronic protected health information (ePHI) transmitted via web interfaces.
API gateway protection — REST and GraphQL APIs exposed to third parties are a primary target for injection and broken object-level authorization (BOLA) attacks, catalogued in the OWASP API Security Top 10. WAFs with API schema validation enforce OpenAPI specification conformance at the request level.
Federal agency web properties — NIST SP 800-53 Rev. 5, the control catalog referenced by the Federal Risk and Authorization Management Program (FedRAMP), includes control SC-7 (Boundary Protection) and SI-3 (Malicious Code Protection), both of which support WAF deployment as a compensating or primary control. Federal civilian agencies operating under FISMA are subject to these controls via agency Authority to Operate (ATO) processes.

WAF use also overlaps with cloud network security architectures, particularly when applications are hosted in public cloud environments where native WAF services are integrated into platform load balancers.

Decision boundaries

Selecting and scoping a WAF deployment involves four boundary conditions:

WAF vs. network firewall — A network firewall enforces access control at the transport layer and cannot inspect encrypted HTTP payloads or distinguish between a legitimate POST request and a SQL injection payload. A WAF is required when the threat model includes application-layer attacks regardless of whether a network firewall is present.

WAF vs. RASP — Runtime Application Self-Protection (RASP) instruments the application runtime itself rather than sitting externally. RASP can block attacks with greater context (it knows the execution state of the application) but requires code-level integration and cannot protect third-party or legacy applications without source access. WAFs protect without application modification.

Managed WAF service vs. self-operated — Managed WAF services maintained by security operations providers handle rule tuning, false-positive remediation, and signature updates. Self-operated deployments require dedicated staff with expertise in rule syntax (ModSecurity's SecLang, for example) and traffic profiling. Organizations without a dedicated network security monitoring capability typically lack the operational capacity to run a positive-security WAF without professional services.

Scope limitation — A WAF does not address vulnerabilities in application business logic, authentication flows, or client-side code. It does not replace penetration testing for networks or secure development practices. A WAF deployed without underlying code remediation creates a dependency on signature coverage — attacks unknown to the ruleset pass uninspected. NIST SP 800-95, "Guide to Secure Web Services," frames application-layer filtering as one layer in a defense-in-depth stack, not a standalone control.

References

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator