August 20, 2021

What is a Web Application Firewall (WAF)?

Ivan Tsarynny

A web application firewall (WAF) protects web applications. It sits between the internet and a web application, filtering and monitoring HTTP traffic, and serves as a security policy enforcement point. Deployed in front of web applications, it analyzes bi-directional web (HTTP) traffic and detects and blocks anything malicious. WAFs protect web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection, and many others.


What are the limitations of a WAF? 

As an open systems interconnection (OSI) layer 7 defense mechanism against application-layer attacks, a WAF can only protect certain aspects of a website. For example, it protects the server-side services that user-facing web applications use to collect, store, and process data. However, because WAFs cannot detect sophisticated malware; manipulated, vulnerable, or sideloaded JavaScript code; or data exfiltration, they cannot protect the browser-level user interface itself. WAFs are not able to detect and protect businesses from:

Can WAFs protect from all client-side threats?

No. A WAF will protect the connection between your servers and your customers, but the protection ends there. Web application firewalls can’t monitor or protect your business from browser-level threats outside of your security perimeter. 

How do they work?

Web application firewalls use policies that filter out malicious traffic that could threaten the web application. A WAF acts like a reverse proxy: it protects the server from attack by inspecting and filtering client requests before they reach the server.
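A minimal illustration of this policy-based filtering, written as an added example (it is not the page's or any vendor's code): each request field a reverse-proxy WAF can see is decoded the way the application will see it, then matched against a small rule set. The rule names, patterns, and sample requests are constructed assumptions for demonstration only.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed rule set (assumption): a name plus a pattern applied to every
# decoded, user-controlled field. Real WAF policies are far larger and tuned.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script", re.I)),
]

MAX_DECODE_ROUNDS = 3  # bounded so a decode loop cannot be used to stall the proxy

def normalize(value):
    """URL-decode until the value stops changing, so double-encoded input
    (%2527 -> %27 -> ') is matched in the form the application will see."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def extract_fields(method, target, headers, body):
    """Collect the user-controlled strings this policy examines: path, query
    parameters, form-encoded POST bodies and a few headers. Anything outside
    this list (e.g. a JSON body) is a coverage gap of the policy, not the app."""
    parts = urlsplit(target)
    fields = [("path", unquote_plus(parts.path))]
    fields += [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    for h in ("user-agent", "referer", "cookie"):
        if h in headers:
            fields.append(("header:" + h, headers[h]))
    return fields

def inspect(method, target, headers=None, body=""):
    """Return ("allow", []) or ("block", [(field, rule), ...]) for one request."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    hits = []
    for name, raw in extract_fields(method, target, headers, body):
        value = normalize(raw)
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return ("block" if hits else "allow"), hits
```

Only traffic that actually passes through the proxy is inspected: a JSON body this policy does not parse, or script already executing in the user's browser, never reaches the rules, which is the limitation described on this page.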

Where can I learn more?

You can learn more about WAFs in our blog post Everything You Need to Know About Web Application Firewalls. Also, check out our new e-book The Ultimate Guide to Client-Side Security to better understand WAFs, how they work, their limitations, and whether they’re right for your business.
