A Web Application Firewall, as the term firewall implies, is a middleman that sits between web applications on a web server and the Internet. A WAF serves two major functions: preventing malicious traffic from reaching web applications hosted on a server and preventing unauthorized data from leaving the web server. In the Open Systems Interconnection (OSI) seven-layer model, a WAF operates at the application level, which is the seventh and highest level.

How a WAF works

Conceptually, a WAF works like a reverse proxy. Proxies typically protect client machines’ identities from web servers by positioning itself in the middle of the data flows between client and server machines. For a WAF, its protection is in the reverse direction: it positions itself in the middle of data flows between the server and client machines to protect the server from potentially malicious traffic originating from clients.

What is Web Application Firewall (WAF) and How is it Used to Protect Your Website

Some of the attacks that malicious clients can launch on web applications include cross-site scripting (XSS), cross-site forgery, SQL injection, file inclusion, and cookie poisoning. To prevent such attacks, a WAF monitors and examines every single data packet going in and out of a web server to ensure that the data packets are safe.

WAFs operate through policies that establish what malicious traffic and safe traffic look like. Broadly, these policies fall into two categories: a block model where traffic resembling known attacks are denied passage through the WAF, and an allow model where traffic that is pre-approved will be granted passage. Most WAFs do not exclusively depend on policies from a single model because each model has inherent weaknesses. Therefore, WAFs tend to employ a hybrid model with both block and allow policies for maximum effectiveness.

Ways to deploy a WAF

There are three major ways to deploy a WAF on a web server: network-based, host-based or cloud-based.

  1. Networked-based WAF: In a network-based WAF, hardware or physical equipment is used to sit in between server and client traffic. The main advantage of network-based WAF is that they minimize latency because the protection operates through a separate physical device on-site. However, network-based WAFs are usually the most expensive option.
  2. Host-based WAF: For host-based WAF, protection comes from software installed on the web server itself. Like networked-based WAFs, host-based WAFs are on-site and thus minimizes latency. However, host-based WAFs consume the resources of the web server to perform its protective function as they do not reside on a separate physical device unlike network-based WAFs. Thus, host-based WAFs may also be costly because of the need to optimize a web server so that its performance is not degraded because of the deployment of a host-based WAF on the server itself.
  3. Cloud-based WAF: The main advantages of cloud-based WAFs are affordability and simplicity. Cloud-based WAFs are typically offered as a service for a monthly fee and do not require hefty upfront investment such as buying physical equipment like network-based WAFs. Cloud-based WAFs are also very easy to implement. Often, a DNS change to redirect traffic to the cloud-based WAF service is all that is necessary. The main downside of cloud-based WAFs is that the protection is not on-premise and the end-user does not have full knowledge of the policies and strategies employed because the protection is offered by a third-party.


Layer 7 (Application Layer)

The "Application Layer" is where applications or web pages are run; they face the "end user."


A "Web Application Firewall."

OSI Model

Open Systems Interconnection Model (a seven layer model).