How to set up a WAF (Web Application Firewall)
Category: Cybersecurity
Short answer
A WAF filters HTTP traffic between the internet and your web application, blocking malicious requests like SQL injection, XSS, and CSRF attempts. Cloud WAFs (Cloudflare, AWS WAF) are easiest to deploy; self-hosted WAFs (ModSecurity) offer more control. For protecting APIs specifically, see how to secure a REST API.
What a WAF blocks
- SQL injection: Requests with `UNION SELECT`, `' OR 1=1--`, and similar patterns
- XSS: Requests containing `<script>`, `javascript:`, `onerror=`
- CSRF: Validates origin and referrer headers
- File inclusion: Requests with `../../../etc/passwd` path traversal
- Bot traffic: Rate limiting and challenge pages for suspicious clients
Cloud vs self-hosted
| Factor | Cloud WAF (Cloudflare, AWS) | Self-hosted (ModSecurity) |
|---|---|---|
| Setup time | Minutes | Hours to days |
| Maintenance | Managed rules, auto-updated | You update rules manually |
| Customization | Limited rule tuning | Full OWASP Core Rule Set |
| Cost | $20–200/month or per-request | Server cost + your time |
| Performance | No added latency (edge) | Adds latency on your server |
Configuration best practices
- Start in detection mode — log everything, block nothing
- Review logs for false positives before enabling blocking
- Whitelist known good patterns (e.g., your API's expected request format)
- Enable the OWASP Core Rule Set as a baseline
- Add custom rules for your application's specific attack surface
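The five practices above, written out as a minimal ModSecurity 2.x configuration for Apache. This is an added example, not configuration from the original page or from the ModSecurity or OWASP CRS projects; the file paths, the `/api/search` and `/admin` routes, the `filter` parameter, the internal network range and the rule ids are assumptions for illustration.

```apache
# Added example: ModSecurity 2.x (Apache) setup following the practices above.
# Paths, routes, parameter names, network range and rule ids are assumptions.

# 1. Start in detection mode: every match is logged, nothing is blocked.
#    Change to "On" only after the audit log has been reviewed (step 2).
SecRuleEngine DetectionOnly

# Inspect request bodies and keep audit entries only for relevant transactions,
# so the log review in step 2 is not flooded with clean requests.
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
# Assumed log path; adjust to the distribution's layout.
SecAuditLog /var/log/apache2/modsec_audit.log

# 3. Whitelist a known-good pattern found during log review. Assumption: the
#    search API accepts SQL-like fragments in a "filter" parameter, which trips
#    CRS rule 942100 (libinjection SQLi). Remove that rule's target for that one
#    parameter on that one route instead of disabling the rule globally.
#    Runtime exclusions (ctl:) go before the CRS include, as the CRS docs advise.
SecRule REQUEST_URI "@beginsWith /api/search" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:filter"

# 4. Baseline: OWASP Core Rule Set (paths assume the Debian/Ubuntu package layout).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# 5. Custom rule for this application's own attack surface. Assumption: the
#    admin panel is only legitimately reached from the internal 10.0.0.0/8 range,
#    so any other source is logged and (once SecRuleEngine is On) denied.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:10002,phase:1,deny,status:403,log,\
    msg:'Admin panel request from outside the internal network',\
    chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"
```

With `SecRuleEngine DetectionOnly` the `deny` in rule 10002 and all CRS matches only produce audit-log entries; the same file with the first directive changed to `SecRuleEngine On` is the blocking configuration.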
Tips
- A WAF is a safety net, not a replacement for secure code. See what are the OWASP Top 10 security risks for code-level defenses
- Cloudflare's free plan includes basic WAF rules — a good starting point