A web application firewall (WAF) is a firewall that monitors, filters, and blocks HTTP traffic passing between a web application and its clients. Unlike a packet-filtering network firewall, it inspects requests and responses at the application layer (layer 7), so it can reason about URLs, parameters, headers, cookies and request bodies rather than only addresses and ports. A WAF can be network-based, host-based, or cloud-based, and is frequently deployed as a reverse proxy in front of one or more websites or applications.


Types of web application firewalls

Network-based WAFs 

Network-based WAFs are typically hardware appliances installed on premises, as close to the application as possible, which keeps the added latency low. Most major network-based WAF products can replicate rules and settings across several appliances, allowing large-scale deployment, configuration, and maintenance. Their most significant disadvantage is cost: there is an initial capital investment as well as ongoing operational costs for maintenance.

Host-based WAFs

Host-based WAFs are integrated into the application's own software stack, for example as a web server module or a library or middleware layer inside the application. Their advantages include lower cost and more customization options. They are harder to operate because they depend on application libraries and consume the local server's CPU and memory, so extra staff, such as developers, system analysts, and DevOps/DevSecOps engineers, may be required to maintain them.


Cloud-hosted WAFs 

Cloud-hosted WAFs provide a low-cost option for enterprises that want a turnkey offering with few resources required for deployment and monitoring. They are straightforward to deploy, sold on a subscription basis, and frequently require only a DNS or proxy change to divert application traffic through the provider. Because only the routing changes, the origin servers must also be restricted to accept traffic solely from the provider; otherwise an attacker who learns the origin address can bypass the WAF entirely. Handing responsibility for filtering an organization's web traffic to a third party is a trust decision, but the approach protects applications across a wide range of hosting locations using the same application-layer principles. Furthermore, providers have access to the latest threat intelligence and can help identify and block newly emerging application threats.


Advantages

A WAF has an advantage over a traditional network firewall because it can see into the HTTP requests and responses that carry application data, rather than only packet headers. It can therefore prevent application-layer attacks that normally pass through a network firewall unnoticed, including the following:

  • Cross-site scripting (XSS) attacks inject malicious script into a page so that it executes in another user's browser.
  • Structured Query Language (SQL) injection attacks affect any application that builds SQL queries from untrusted input, enabling attackers to read and potentially change sensitive data.
  • Session hijacking lets an attacker steal a session ID and masquerade as an authenticated user. The session ID is normally carried in a cookie or in the Uniform Resource Locator (URL).
  • Distributed denial-of-service (DDoS) attacks overwhelm a service with traffic until it can no longer serve legitimate users. Network firewalls and WAFs both address this threat but at different layers: a network firewall handles volumetric floods, while a WAF can rate-limit or challenge clients that generate application-layer floods such as excessive HTTP requests.
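The following is an added example, not code from the original page or from any WAF product: a small host-based WAF, of the kind described under Host-based WAFs above, written as Python WSGI middleware. It shows how the application-layer checks in the list above are actually made: XSS and SQL injection signatures are matched over every client-controlled field (path, query parameters, form body, selected headers) after an extra round of URL decoding, and a per-client sliding window refuses the excess requests of an HTTP flood. The rule patterns, the `hello_app` stand-in for the protected application, the `send` helper and the sample requests are all constructed for illustration.

```python
import io
import re
import time
from collections import defaultdict, deque
from urllib.parse import parse_qsl, unquote

# Tiny illustrative signature set, not a real rule set. Production WAFs ship
# thousands of rules, and every signature approach has false positives and bypasses.
RULES = [
    ("xss", re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.I)),
    ("sqli", re.compile(
        r"\bunion\b\s+(all\s+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b", re.I)),
]
INSPECTED_HEADERS = ("cookie", "user-agent", "referer")  # client-controlled headers worth checking


def normalize(value):
    """Decode one more time than the server did: a double-encoded payload
    (%253C for '<') otherwise reaches the matcher as a harmless-looking '%3C'."""
    return unquote(value)


def inspect_request(path, query, headers, body):
    """Return ("block", "<rule>@<field>") or ("allow", None).
    Every field the client controls is checked, not only the query string."""
    fields = [("path", path)]
    fields += [("query:" + k, v) for k, v in parse_qsl(query, keep_blank_values=True)]
    fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    fields += [("header:" + k.lower(), v) for k, v in headers.items()
               if k.lower() in INSPECTED_HEADERS]
    for name, value in fields:
        decoded = normalize(value)
        for rule_id, pattern in RULES:
            if pattern.search(decoded):
                return ("block", f"{rule_id}@{name}")
    return ("allow", None)


class RateLimiter:
    """Per-client sliding window: the layer-7 answer to an HTTP flood is to
    refuse the flooding client's excess requests, not to drop packets."""
    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class WafMiddleware:
    """Wraps any WSGI application; the request is inspected before the app sees it."""
    def __init__(self, app, limiter):
        self.app, self.limiter = app, limiter

    def __call__(self, environ, start_response):
        if not self.limiter.allow(environ.get("REMOTE_ADDR", "unknown")):
            start_response("429 Too Many Requests", [("Content-Type", "text/plain")])
            return [b"rate limited\n"]
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length) if length else b""
        headers = {k[5:].replace("_", "-"): v for k, v in environ.items() if k.startswith("HTTP_")}
        verdict, rule = inspect_request(environ.get("PATH_INFO", ""), environ.get("QUERY_STRING", ""),
                                        headers, raw.decode("utf-8", "replace"))
        if verdict == "block":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"blocked by {rule}\n".encode()]
        environ["wsgi.input"] = io.BytesIO(raw)  # body was consumed above; hand the app a fresh copy
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the protected application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def send(waf, method="GET", path="/", query="", body="", headers=None, addr="198.51.100.7"):
    """Drive the middleware without a server; returns (status line, response text)."""
    raw = body.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "REMOTE_ADDR": addr, "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    for k, v in (headers or {}).items():
        environ["HTTP_" + k.upper().replace("-", "_")] = v
    seen = {}
    chunks = waf(environ, lambda status, hdrs: seen.setdefault("status", status))
    return seen["status"], b"".join(chunks).decode()


if __name__ == "__main__":
    waf = WafMiddleware(hello_app, RateLimiter(limit=5, window_s=60))
    print(send(waf, query="q=shoes"))                                  # allowed
    print(send(waf, query="q=%3Cscript%3Ealert(1)%3C/script%3E"))      # blocked: xss
    print(send(waf, query="q=%253Cscript%253E"))                       # double-encoded, still blocked
    print(send(waf, method="POST", body="user=admin'+OR+'1'%3D'1"))    # blocked: sqli
```

Two design points carry over to real deployments. Normalization before matching is what separates a WAF from a string filter: the server decodes the query once, so the middleware decodes once more to catch double-encoded payloads, and the same idea extends to case folding, Unicode and whitespace tricks. The body handling assumes a form-encoded body; a JSON or multipart body needs its own parser, and the middleware must re-supply whatever it consumed, or the protected application receives an empty request. The rate limiter is in-memory and per process, which is enough to illustrate the layer-7 response to an HTTP flood but would need shared state behind a load balancer.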