The technology world is full of jargon and acronyms and funny words. In this Tech Speak series, we try to explain these in simple terms as well as provide additional information if you want to go deeper.

Term: Web Application Firewall

Acronym: WAF

Oneliner: A WAF or Web Application Firewall is security software that protects a website by filtering and blocking harmful web traffic such as cyberattacks.

Short description: Website owners want to keep their websites safe and secure. One security measure that can be used is a Web Application Firewall (WAF). A WAF is like a “digital security guard” for your website. It looks at the incoming web traffic and filters out anything that looks suspicious or harmful. A Web Application Firewall can keep your website more secure and provide a smoother experience for your users.

Example use case: I’m a website owner for a small online chocolate store. It’s gotten very popular and the amount of traffic is substantial. I created a TikTok that links to the store that went viral and gained a lot of attention. As a result, I’m starting to see suspicious accounts getting created in my online store. I’m worried the site might get hacked. This is a good time to consider adding a WAF, before any issue actually happens. I research WAFs and add one and check the account logs for the next couple weeks. Now I’m not seeing any funny-looking accounts being created. The WAF seems to be working well. I check the WAF logs and see that it is indeed blocking suspicious activity.

Example WAF providers: Quant, Akamai, AWS, Barracuda, Cloudflare, F5, Imperva

Keep in mind: Not all websites use a WAF. This is an optional service that may be offered by a website’s hosting provider or can be added through a different WAF service.

Why use a WAF?

There are many reasons why you might want to add a Web Application Firewall in front of your website. Improved security is especially important if you have any sensitive data or if your business will be negatively affected if the site goes down due to a cyberattack. Some key reasons include:

Web application protection: If your website is “dynamic” (for example, information is pulled from a database), hackers can use various techniques to get into your private systems. This can lead to unwanted access and other suspicious activities. A WAF can help defend the website against hacking.

Data breach protection: If you have sensitive information stored in your website like financial data, hackers can try to get access to that data. Similar to above, a WAF can keep these malicious people and bots out of your website.

DDoS attack protection: A “DDoS attack” is when hackers try to make a website unusable by overwhelming the website’s infrastructure. Your site might crash completely or might just be very slow. A WAF can defend against such an attack so your website users have a smooth experience.

Security compliance: Some governments and industries have security regulations that must be followed for organizations to be in compliance. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires “all public-facing web applications are protected against known attacks” which can be handled by using a WAF.

Security software integration: Some websites have additional security software they want to use such as an intrusion detection system (IDS), intrusion prevention system (IPS), and security information and event management system (SIEM). You can integrate your WAF with these other security systems for a more comprehensive security solution.

How does a WAF work?

We won’t go into the deep technical inner workings of a Web Application Firewall (WAF) but we will explain some of the general things it does in order to make websites more secure. Generally speaking, a WAF monitors web traffic and filters and blocks suspicious activity. Here are some aspects of how a WAF works.

Traffic inspection: A user requests a web page which goes through the WAF first. It will inspect the request to make sure it’s safe before sending it to the web server.

Anomaly detection: As part of traffic detection, the WAF must analyze the traffic with many different methods. One of these methods focuses on detecting unusual behavior or “anomalies”. When there is traffic that doesn’t follow typical patterns, it may indicate an attack.

Attack analysis: There are known attack patterns (see OWASP’s list of attacks for a long list!). WAFs create rules to identify these well-understood attacks and vulnerabilities.

Traffic blocking: During traffic inspection, if the WAF finds that there is suspicious activity, it will block that traffic from getting to the website.

IP address lists: You can also add IP addresses to a “block list” if there are specific users you want to block and you have their IP addresses. And, conversely, you can add IP addresses to an “allow list” if you want to make sure that certain users are never blocked.

Custom rules: Many WAFs allow you to create custom rules for enhanced security. For example, you might want to block users by country (geoblocking) or during certain days or times. You might also want to limit file uploads and protect certain URLs. These are just some examples of custom rules.

Logs and reports: The WAF logs all traffic and any actions it takes such as blocking suspicious traffic. This information can be reviewed to better understand your web traffic and security concerns. 

Security software integration: You can integrate your WAF with other security systems as mentioned above (e.g. IDS, IPS, and SIEM) for a broader security solution.

How do I find a WAF service?

Finding a Web Application Firewall service that is right for your website and organization depends on various factors such as user locations, desired features, amount of website traffic, and your budget. Here are some steps you can follow to find a WAF for your website:

Understand your requirements: What security concerns do you have? How much traffic do you get monthly and yearly? Do you get traffic spikes? Do you store sensitive information? Are you worried about malicious website attacks affecting your business? Do you have to comply with any specific security regulations? How much can you afford? These are some of the questions that you need to answer.

Research WAF providers: Make sure to check with your hosting provider as well as other standalone WAF options. Look at pricing, features, and customization. Create a short list of ones that you may want to test out.

Compare apples to apples: It can be tricky sometimes to understand the pricing of WAFs and what features you are getting for different price points. Do you get customer support? If you are on a free or very cheap plan, then maybe not. Usage-based pricing can be even trickier so make sure you understand your traffic patterns and spikes as well as data footprint for these calculations. Go through your short list and compare them.

Test them out or get demos: Some WAFs have a free plan or a free trial. If you are super adventurous, you can try out on your production website but we’d strongly recommend testing on a development site first if possible. If necessary, use the company’s customer support if you get stuck. Hopefully it’s easy to add the WAF service to your test website and to check the logs. If there isn’t a free trial, you might be able to request a free demo from the sales team.

Try one option longer term: Once you are past your trial period or you’ve gone through all the demos, pick whichever one you think is best but don’t stress too much. It’s usually not that hard to set up a WAF, so you can always switch later! Monitor your experience and the experience of your users and see if you want to commit or switch. Make sure you are checking your logs carefully, particularly the first few weeks after you add the WAF. You don’t want to block any good traffic.

WAF Resources

Learn more about Web Application Firewalls and related concepts by checking out these resources:

About QuantCDN

Quant is a global static edge; a CDN & WAF combined with static web hosting. We provide solutions to help make WordPress and Drupal sites static, as well as support for all popular static site generators.