What is a WAF (Web Application Firewall)?
Answer
A WAF (Web Application Firewall) monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application, protecting it from layer 7 (application layer) attacks. Unlike network firewalls, which operate at layers 3/4 and only see IP addresses, ports, and protocols, a WAF parses HTTP: it decodes URLs, query strings, headers, cookies, and request bodies and can inspect both the request and the response.

What WAFs protect against: SQL injection, XSS, XXE, SSRF, command injection, path traversal, and other OWASP Top 10 attack classes, mostly by matching decoded request content against signatures and anomaly-scoring rules. CSRF is a partial exception: a forged request comes from the victim's own browser and looks like normal traffic, so a WAF can only help with token-injection or Origin/Referer checks, and the real fix is anti-CSRF tokens in the application.

Modes: Detection mode (log only, never block; run this first to tune rules against real traffic) and Prevention mode (block or challenge requests that trip rules). Moving to prevention without a tuning period is the usual cause of outages from false positives.

Rule sets: the OWASP Core Rule Set (CRS, open source) and vendor-specific commercial rule sets, usually combined with custom rules for the application.

Deployment options: Cloud-based (Cloudflare WAF, AWS WAF, Akamai; easy to deploy, no infrastructure to run, traffic is proxied through the provider), On-premise appliance (F5 BIG-IP, FortiWeb; full control, you operate it), Reverse proxy in front of the app (Nginx + ModSecurity with CRS).

Limitations: WAFs are not a silver bullet. They do not fix the vulnerable code, they can be bypassed with encoding and obfuscation tricks that the rules do not normalize, and they need ongoing tuning to keep false positives down. Treat a WAF as one layer of defense-in-depth alongside secure coding, input validation, and patching, not as a replacement for them.
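The following is an added example, not code from the page or from any WAF product: a toy layer-7 inspection engine that shows the mechanics described above in a few dozen lines. It decodes request fields the way a WAF does before matching signature rules, supports a detection mode (log only) and a prevention mode (block with 403), and shows why decoding depth matters: a double-percent-encoded SQL injection payload slips past a single decode and is caught only when the engine decodes again. The rule names, the sample requests and the `inspect_request`/`enforce` functions are all invented for this illustration.

```python
import re
import urllib.parse
from typing import Dict, List, Optional, Tuple

# Hypothetical signature rules, loosely modelled on the kind of patterns a
# CRS-style rule set uses. They are deliberately small and not production grade.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("cmd-injection", re.compile(r"[;&|`]\s*(cat|id|whoami|ls|sh)\b", re.I)),
]


def normalize(value: str, decode_rounds: int = 2) -> str:
    """Percent-decode a field up to decode_rounds times before matching.

    The web server decodes once; an application that decodes again is open to
    double encoding, so a WAF that only decodes once misses the payload.
    """
    for _ in range(decode_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(
    path: str,
    query: Dict[str, str],
    body: Optional[Dict[str, str]] = None,
    decode_rounds: int = 2,
) -> List[Tuple[str, str]]:
    """Return (rule_id, location) for every rule that fires on any field."""
    fields = [("path", path)]
    fields += [(f"query:{k}", v) for k, v in query.items()]
    fields += [(f"body:{k}", v) for k, v in (body or {}).items()]
    findings: List[Tuple[str, str]] = []
    for location, raw in fields:
        value = normalize(raw, decode_rounds)
        for rule_id, pattern in RULES:
            if pattern.search(value):
                findings.append((rule_id, location))
    return findings


def enforce(
    path: str,
    query: Dict[str, str],
    body: Optional[Dict[str, str]] = None,
    mode: str = "prevention",
    decode_rounds: int = 2,
) -> Tuple[int, List[Tuple[str, str]]]:
    """Apply the WAF mode: detection logs and passes (200), prevention blocks (403)."""
    findings = inspect_request(path, query, body, decode_rounds)
    if findings:
        print(f"[waf] {mode}: {findings}")  # stand-in for the WAF's audit log
        if mode == "prevention":
            return 403, findings
    return 200, findings


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real system.
    print(enforce("/search", {"q": "running shoes"}))
    print(enforce("/search", {"q": "' OR '1'='1"}, mode="detection"))
    print(enforce("/search", {"q": "' OR '1'='1"}))
    # Double-encoded "' OR '1'='1": missed with one decode, caught with two.
    double = "%2527%2520OR%2520%25271%2527%253D%25271"
    print(enforce("/search", {"q": double}, decode_rounds=1))
    print(enforce("/search", {"q": double}, decode_rounds=2))
    print(enforce("/static/..%2F..%2Fetc%2Fpasswd", {}))
    print(enforce("/comment", {}, {"text": "<ScRiPt>alert(1)</script>"}))
```

Run it in detection mode first and read the log: every finding on legitimate traffic is a rule to tune before switching `mode` to prevention. The `decode_rounds` knob is the point of the bypass caveat above; real engines normalize far more (HTML entities, Unicode, comments inside SQL), and every transformation they skip is a gap an attacker can encode into.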