
Web App Security: Understanding How a WAF Works and Factors to Consider When Choosing One

As cybersecurity expert Mark Nunnikhoven rightly said, "A WAF is a shield between your web app and the internet, helping to protect against attacks that target vulnerabilities in the application."

So as a CEO or start-up owner, understanding how a WAF works and its essential features is critical.

But to make the right choice of web application firewall, you must first know its meaning, how it works, the different types of web application firewalls, the basic features they must contain, and finally, the factors to consider before choosing a WAF.

Read this article to get answers to all your WAF-related questions.

What Is a Web Application Firewall (WAF)?

A web application firewall (WAF) is a security tool designed to protect web applications by monitoring and filtering incoming and outgoing traffic. It is often described as the first line of defense between a web app and internet traffic because it inspects HTTP traffic and blocks attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others. It uses machine learning algorithms and a set of rules to differentiate benign traffic from malicious traffic, and then carries out a predefined action.

Additionally, a WAF can help you meet your industry's specific compliance requirements for web application security, ensuring you avoid fines or legal liabilities. Overall, a WAF is an important tool for protecting web applications against attacks and ensuring they are secure, available, and performing at their best.

Now, many people find it hard to differentiate the function of a web application firewall from that of a firewall; here's a brief explanation:

What Is the Difference Between a Web Application Firewall and a (Network) Firewall?

As discussed above, a web application firewall (WAF) is a specialized firewall focusing specifically on web traffic. It is designed to protect web applications from web-based attacks.

A web application firewall operates at the application layer (layer 7) and uses predefined or customized rules or machine learning to protect your app. Although it requires more expertise to configure, and some WAFs can be expensive, it is one of the few web application security options that offer comprehensive protection against web-based attacks.

On the other hand, a firewall is a network security system that observes and regulates the flow of incoming and outgoing traffic based on predefined security rules. Its primary function is to block unauthorized access to a network or system while allowing legitimate traffic to pass through.

A firewall can be likened to a general-purpose security system that controls all traffic passing through the network and transport layers (layers 3 and 4). It filters traffic based on port and protocol and uses security rules to block and allow traffic. A firewall is easier to set up and manage and less expensive than a WAF. It separates a protected network area from a less secure zone and monitors communications between them. It relies on techniques such as packet filtering, proxying, and stateless/stateful inspection.

How Does a WAF Work?

Web application firewalls can be software, hardware, or a standalone service deployed through the cloud. WAFs can be categorized into traditional and contemporary based on how they work.

Traditional WAFs are those web application firewalls that use rules and signatures to protect your web applications from specific threats. These rules can be predefined/managed or customized. The predefined rules are provided by the WAF vendor or a third-party organization and are designed to detect and block known web application attacks.

At the same time, customized rules are tailored to the specific requirements of an application or organization. They are usually created by a company's security team to address specific vulnerabilities or to provide additional protection beyond the predefined rules.

Generally, these WAF rules are based on common patterns and signatures used to identify attacks. Because of this, traditional WAFs identify common web attacks well but sometimes fail to identify emerging threats. When they mark an incoming request as suspicious, they either block it, ask for re-authentication (aka CAPTCHA), or carry out other preconfigured actions, which differ between WAF vendors.

On the other hand, contemporary WAFs like open-appsec WAF use machine learning and artificial intelligence to protect against known and unknown web-based attacks. While monitoring incoming requests to a web server, they compare the attributes of each request against billions of benign and malicious web request types from all over the internet. This helps them to identify if a request is legit or not.

open-appsec WAF uses behavioral analysis to prevent emerging attacks. If it's not sure if a request is legit or not, and to reduce the chance of false positives, it compares the request against the database of your web app's benign requests. And if something still smells fishy, it blocks or asks for re-authentication.

Are you looking for a way to block web attacks on your web apps before they happen? open-appsec uses two machine learning algorithms to continuously detect and preemptively block threats before they can do any damage. Our code has also been published on GitHub, and the effectiveness of our WAF has been successfully proven in numerous tests by third parties. Try open-appsec in the Playground today.

Types of WAF

1. Hardware-based and Appliance-based WAFs

A hardware-based WAF is a physically installed web application firewall that stands between a web server and the internet. They are fast, they minimize latency, and they offer high-performance web app security. They are also said to provide high security because they are separate from the server and web app; thus, they are less vulnerable to attacks.

One downside: to successfully scale a hardware-based WAF’s performance to accommodate more web traffic, you need to add more hardware or manually upgrade it. Also, they are more costly than their counterparts, need regular maintenance, and don't offer much customization flexibility.

On the other hand, an appliance-based WAF is a web application firewall that is installed on a dedicated server or appliance. It can be a physical or virtual device designed to run WAF software and installed on a dedicated server or as a virtual machine. Appliance-based WAFs are often more flexible and scalable than hardware-based WAFs, and they can be easier to manage.

Note: An appliance-based WAF can offer the same level of security and performance as a hardware-based WAF but may not have the same dedicated hardware resources as a hardware-based WAF.

2. Software-based or Host-based WAF

A software-based WAF is installed on a virtual machine or server, including the same server as the web application it protects. It runs on hardware located on-premises or in a data center, and its configuration and management are done through a graphical user interface or command-line interface. It is cost-effective, easy to deploy, and scalable.

Due to its increased attack surface and virtual network interfaces, a software-based WAF shares the vulnerabilities of the virtualization software that it uses.

The terms "host-based WAF" and "software-based WAF" are often used interchangeably, but there can be some differences in their implementation and functionality.

“Host-based WAF” may be used to refer to a WAF installed on a single server, while “software-based WAF” may be used to refer to a WAF deployed across multiple servers or in a cloud environment.

3. Cloud-based or Network-based WAFs

A network-based WAF is offered by a third-party provider, while a cloud-based WAF is hosted and managed by a cloud service provider.

They are both very scalable and easy to manage, as all the management and configuration are done through a web-based console. They are also easy to deploy due to the lack of hardware and are often an affordable option because of their pay-as-you-go, annual, or monthly subscription models. Also, most network and cloud-based WAFs constantly share threat intelligence and update their database with new attack patterns to protect against emerging threats.

Conversely, cloud-based WAFs can introduce network latency because web traffic is redirected to the web server through the cloud provider's network (a longer route), resulting in slower response times for web requests. Also, many WAF users have questioned the wisdom of relying on cloud providers to protect sensitive information since no software is 100% secure.

Key WAF Features and Capabilities

There are different types of web application firewalls from different vendors. Admittedly, these web application firewalls use different web app security approaches; however, there are some basic features that all web application firewalls must have to protect web apps successfully.

Here are some of them.

  • AI/ML traffic pattern analysis: This web application firewall feature uses advanced analytical techniques to identify patterns and anomalies in your web app traffic. This process is popularly known as the “presence of the abnormal, absence of the normal,” where a WAF analyzes and learns a web application's traffic, server logs, user behavior, etc. With this data, WAFs identify legit traffic patterns, which they, in turn, use as a baseline to compare incoming traffic against and detect anomalies. This feature is found in contemporary web application firewalls (like open-appsec WAF) and is useful for detecting emerging attacks. With this baseline, WAFs can detect traffic pattern anomalies in real time, even if they do not match a known malicious pattern.

  • Application profiling: This is a WAF feature that analyzes the characteristics of a web application to create rules that can be used to identify and block attacks. Here a WAF examines the application's behavior, including the types of requests it receives, the responses it sends, the data it processes, and the sequence of events that occur during typical interactions, to understand your web app's patterns and to identify and block malicious traffic that deviates from the expected behavior.

  • DDoS protection: A DDoS (Distributed Denial of Service) attack is a harmful attempt to interfere with the normal traffic of a network or server by flooding it with a huge volume of traffic from multiple sources (a botnet). A DDoS attack aims to overwhelm the web server and make it unavailable to legitimate users. DDoS protection therefore covers the techniques used to defend against such attacks. To prevent a DDoS attack, WAFs use a combination of rate limiting, traffic filtering, load balancing, and content-caching web app security techniques.

  • Bot mitigation: Many people confuse DDoS protection with bot mitigation because both techniques protect web apps from attacks caused by bots. Where DDoS protection prevents large volumes of bot-generated traffic from overwhelming your server, bot mitigation defends your web app against malicious bots or automated programs that perform unauthorized activities such as scraping data, spamming, or launching credential stuffing attacks. A WAF's bot mitigation techniques usually involve analyzing the behavior of a web app's legit users and benign network traffic to identify and block malicious activity. Bot activity is normally repetitive, so it can be easily detected by a machine-learning-based web application firewall (like open-appsec WAF).

  • Content delivery network (CDN): A content delivery network (CDN) is a distributed server network that works together to deliver fast and reliable web content to end users. When used with a WAF, the CDN delivers static web content, such as images, scripts, and videos, while the WAF protects the web application and its dynamic content. The CDN helps to reduce the load on the WAF and the web server by caching the static content at edge locations closer to the end users. This results in faster static content delivery and less load on the WAF and the origin server.

  • Attack signature database: An attack signature database is a collection of predefined patterns, rules, or signatures that web application firewalls (WAFs) use to identify and block known web attacks. These signatures are developed based on the characteristics of known attacks and are designed to identify and prevent similar attacks from being successful. When a web application firewall is deployed, it analyzes incoming traffic to the application to identify potential threats or attacks. If an incoming request matches a signature in the attack signature database, the firewall will block or reject the request to prevent the attack from being successful. This database is primarily used to protect web apps against known attacks, but it is updated regularly (manually or automatically) to include new threats and vulnerabilities as they are discovered.

  • API discovery and protection: An application programming interface (API) is a set of protocols, routines, and tools for building software applications. Its main function is to enable communication between the web application and external systems like mobile apps, other web applications, or third-party software. API discovery and protection is a security feature that helps protect APIs from malicious attacks. A good WAF should be able to identify all APIs an application uses, including those not publicly exposed. It then uses the results of this discovery to create rules that restrict unauthorized access to the APIs and prevent potential attacks.

  • Real-time traffic monitoring and analysis: This is perhaps the most important web application firewall feature because, without it, WAFs might end up coming to the rescue of our web apps after the damage has been done. Real-time traffic monitoring is the continuous analysis and inspection of web traffic to detect and block any malicious or suspicious behavior. With this feature, a WAF can quickly identify and block any malicious activity before it can cause harm to the web application or its users. To achieve this, a WAF can use rules, signatures, policies, machine learning, or all of them to identify and adapt to new threats quickly.
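The application profiling feature described in the list above can be sketched as follows. This is an added example, not code from open-appsec or any WAF vendor: it learns which methods, parameters, value types and lengths benign traffic uses per path, then lists how a new request deviates. The shop URLs, the `slack` factor and the three value classes are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

def char_class(value):
    """Coarse value type used by the profile: digits, word-like text, or anything else."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[\w .@-]+", value):
        return "text"
    return "other"

def learn(benign):
    """Build a per-path profile (methods, parameters, value class, max length)."""
    profile = defaultdict(lambda: {"methods": set(), "params": {}})
    for method, url in benign:
        parts = urlsplit(url)
        entry = profile[parts.path]
        entry["methods"].add(method)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            seen = entry["params"].setdefault(name, {"classes": set(), "max_len": 0})
            seen["classes"].add(char_class(value))
            seen["max_len"] = max(seen["max_len"], len(value))
    return dict(profile)

def deviations(profile, method, url, slack=2):
    """Return the ways a request departs from the learned profile (empty list = fits)."""
    parts = urlsplit(url)
    entry = profile.get(parts.path)
    if entry is None:
        return ["unknown path"]
    found = []
    if method not in entry["methods"]:
        found.append(f"method {method} never seen")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        seen = entry["params"].get(name)
        if seen is None:
            found.append(f"unexpected parameter {name}")
            continue
        if char_class(value) not in seen["classes"]:
            found.append(f"{name}: value class {char_class(value)} never seen")
        if len(value) > seen["max_len"] * slack:
            found.append(f"{name}: length {len(value)} exceeds learned bound")
    return found

# Constructed benign traffic for a hypothetical shop application.
BENIGN = [
    ("GET", "/products?id=17"),
    ("GET", "/products?id=204&sort=price"),
    ("GET", "/search?q=red shoes"),
    ("POST", "/login"),
]
PROFILE = learn(BENIGN)
```

A request is flagged because it departs from what the application normally receives, not because it matches a known attack pattern, which is why this approach can catch requests that no signature describes.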

Web Application Firewall Weaknesses

It is a given that most web application firewalls do a good job protecting web apps from attacks. However, they are imperfect and have some weaknesses. One of their most popular cons is their complex maintenance.

This is especially seen in traditional web application firewalls that use rules and policies to identify malicious requests. To keep this type of WAF up to date, security teams have to constantly tune its rules to reflect changes in applications, emerging threats, or WAF updates. This process is time-consuming and requires skillsets that are often in short supply.

If, after a while, security teams are not able to keep up with the WAF maintenance, then comes the second con: false negatives.

In this context, a false negative is an error that occurs when a WAF incorrectly classifies a malicious request as legitimate and allows it to access the web server. It becomes a web application state of emergency when a deployed WAF cannot correctly identify a malicious request. To solve this, security teams tighten their WAF settings and security.

Thankfully, this usually solves the problem. However, it leads to another problem: a high number of false positives. A false positive is an error that occurs when a WAF incorrectly classifies a legitimate request as malicious and blocks it. To prevent this, you have to loosen your WAF settings and run the risk of generating false negatives. And the cycle continues.
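The tuning cycle described above, and the signature matching of traditional WAFs it stems from, can be reproduced with a small scoring model. This is an added example, not a vendor rule set: the four weighted signatures, the blocking threshold and the labelled sample requests are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical weighted signatures (constructed for this example).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I), 5),
    ("sqli-keyword", re.compile(r"\b(union|select|drop)\b", re.I), 2),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I), 5),
    ("quote-char", re.compile(r"['\"]"), 1),
]

# Constructed, labelled sample requests: (query string, is_malicious).
SAMPLES = [
    ("q=shoes&page=2", False),
    ("name=O%27Reilly", False),
    ("comment=please+select+a+plan+or+drop+me+a+note", False),
    ("id=1%27+OR+1%3D1+--", True),
    ("q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", True),
    ("id=1+UNION+SELECT+name+FROM+users", True),
]

def score(raw):
    """Decode the request data once and sum the weights of every matching signature."""
    text = unquote_plus(raw)
    hits = [(name, weight) for name, rx, weight in SIGNATURES if rx.search(text)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]

def evaluate(threshold):
    """Count both error types when the WAF blocks at score >= threshold."""
    fp = fn = 0
    for raw, malicious in SAMPLES:
        blocked = score(raw)[0] >= threshold
        fp += blocked and not malicious   # legitimate request blocked
        fn += malicious and not blocked   # malicious request let through
    return {"false_positives": fp, "false_negatives": fn}

if __name__ == "__main__":
    for threshold in range(1, 7):
        print(threshold, evaluate(threshold))
```

With this rule set no threshold is error-free: a benign comment containing "select" and "drop" scores the same as the UNION SELECT request, so tightening blocks the customer and loosening admits the attack. Breaking the tie takes a better rule or more context about the application, not a different threshold.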

One last web application firewall weakness is high web latency.

Web latency is the delay or lag that occurs between a user's request for a web resource and the response they receive from the web server.

Because web application firewalls are located in front of a web app's server, all requests are directed to the WAF for monitoring and analysis, after which they are sent to the web server. Also, the result of the user's request is passed from the web server to the web application firewall before it gets to the user. This three-way route causes delay (web latency), especially if you're using a web application firewall that doesn't have a good Content Delivery Network.

Factors to Consider When Choosing a Web Application Firewall

Now that you know all the basic functionalities that you should expect from a web application firewall, below are some of the key factors that you should consider before choosing one:

  • Deployment: Here, you will choose between an on-premises WAF or a network-based (cloud-based) WAF.

  • Cost: Different WAF vendors have different pricing models. Ensuring that the WAF you choose is within your budget is essential.

  • Customization: Choosing a WAF that allows for easy customization is important to ensure that it can protect against specific threats that attack your web apps.

  • Performance and scalability: Check if the WAF can comfortably handle incoming traffic during peak traffic times without impacting performance.

  • Ease of use: The WAF should be easy to configure and manage with a user-friendly interface.

  • Security features: Check if the WAF you want has all the basic features listed in the "key WAF features and capabilities" section above.

  • Support: The WAF vendor should provide timely updates, patches, and reliable support in case of any issues or problems.


Choosing a good web application firewall can be confusing, considering the number of WAF vendors vying for your attention. We hope that this article has made things a bit easier for you.

Remember that the main difference between traditional and contemporary WAFs is that traditional web application firewalls use signatures and policies to protect against common attacks. On the other hand, contemporary web application firewalls like open-appsec WAF use machine learning algorithms and behavioral analysis to protect against known and unknown attacks. Try open-appsec in the Playground today.

