A web application firewall (WAF) sits in front of a web application and inspects HTTP/HTTPS requests and responses at layer 7, logging or blocking those that match attack signatures or anomaly rules. It is a compensating control against the OWASP Top 10 classes of attack (injection, XSS, and the like), not a replacement for fixing the vulnerable code: a WAF reduces exposure while the underlying bug is patched, and a well-crafted payload can get past any pattern-based rule.
WAF Products
| Product | Deployment model |
|---|---|
| ModSecurity | Open source, on-premise (web-server module) |
| AWS WAF | Cloud-native for AWS (ALB, CloudFront, API Gateway) |
| Cloudflare WAF | Edge/CDN-based |
| Imperva | Enterprise cloud WAF |
| Azure WAF | Azure Application Gateway or Front Door |
ModSecurity Rules
# Block SQL injection (naive keyword match: catches "select ... from" payloads
# but also ordinary text such as "select your seat"; tune before blocking)
# t:none clears inherited transformations, t:urlDecodeUni decodes %xx / %uXXXX
# so an encoded payload is matched in its decoded form
SecRule ARGS "@rx (?i)\b(select|insert|update|delete|drop)\b" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL Injection Detected'"
# Block XSS
SecRule ARGS "@rx
AWS WAF Example
{
  "Name": "BlockSQLi",
  "Priority": 1,
  "Statement": {
    "SqliMatchStatement": {
      "FieldToMatch": { "AllQueryArguments": {} },
      "TextTransformations": [
        { "Priority": 0, "Type": "URL_DECODE" }
      ]
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockSQLi"
  }
}
This rule inspects query-string arguments only; a POST body or a header carrying the payload is not covered unless a second statement targets `Body` or `SingleHeader`. `VisibilityConfig` is required on every WAFv2 rule and is what produces the sampled requests you review before switching `Action` from `Count` to `Block`.
Best Practices
- Start in logging mode (ModSecurity `SecRuleEngine DetectionOnly`, AWS WAF `Count` action), review what would have been blocked, then switch to blocking
- Use a managed rule set (OWASP CRS for ModSecurity, vendor-managed rule groups on AWS, Azure and Cloudflare) instead of hand-written regexes like the keyword rule above
- Tune rules to reduce false positives: add targeted exclusions for the parameters that trigger them rather than disabling whole rules, and raise strictness gradually
- Monitor blocked requests: repeated hits from one source indicate scanning, a sudden spike usually means either a new attack or a rule that is now matching legitimate traffic
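The following is an added example, not code from the original page or from any WAF vendor. It models the ModSecurity keyword rule above (id 1001) and the logging-then-blocking and tuning practices as a small rule engine: sample requests, a second tuned rule (id 1002) and the decode depth are assumptions chosen to show why a single-decode keyword rule misses a double-encoded payload while blocking an innocent comment.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample requests (not from the original page). Each entry is a
# label and the query-string arguments a WAF would inspect as ARGS.
SAMPLE_REQUESTS: List[Tuple[str, Dict[str, str]]] = [
    ("legit search",     {"q": "red shoes size 10"}),
    ("plain sqli",       {"id": "1 UNION SELECT username, password FROM users"}),
    ("url-encoded sqli", {"id": "1%20union%20select%20*%20from%20users"}),
    ("double-encoded",   {"id": "1%2520union%2520select%2520*%2520from%2520users"}),
    ("false positive",   {"comment": "please select your delivery date and update me"}),
]

# 1001 mirrors the page's keyword rule; 1002 is a hypothetical tuned variant
# that requires two SQL tokens in sequence before it fires.
RULE_BROAD = ("1001", re.compile(r"\b(select|insert|update|delete|drop)\b", re.I))
RULE_TUNED = ("1002", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I))


def url_decode(value: str, rounds: int) -> str:
    """Stand-in for t:urlDecodeUni: percent-decode `rounds` times."""
    for _ in range(rounds):
        value = urllib.parse.unquote(value)
    return value


@dataclass
class Decision:
    label: str
    action: str                 # "pass", "log" (DetectionOnly) or "block"
    rule_id: Optional[str] = None
    evidence: str = ""


def evaluate(label: str, args: Dict[str, str], rules, mode: str,
             decode_rounds: int) -> Decision:
    """Apply each rule to every transformed argument value; first match wins.
    mode="detect" only logs (like SecRuleEngine DetectionOnly), "block" denies."""
    for rule_id, pattern in rules:
        for name, raw in args.items():
            value = url_decode(raw, decode_rounds)
            m = pattern.search(value)
            if m:
                action = "block" if mode == "block" else "log"
                return Decision(label, action, rule_id,
                                f"{name}={value!r} matched {m.group(0)!r}")
    return Decision(label, "pass")


def run(rules, mode: str = "block", decode_rounds: int = 1) -> Dict[str, str]:
    """Evaluate all sample requests; returns label -> action."""
    results: Dict[str, str] = {}
    for label, args in SAMPLE_REQUESTS:
        d = evaluate(label, args, rules, mode, decode_rounds)
        results[label] = d.action
        print(f"[{mode:6}] rounds={decode_rounds} {label:17} -> {d.action:5} "
              f"{d.rule_id or ''} {d.evidence}")
    return results


if __name__ == "__main__":
    run([RULE_BROAD], "detect", 1)   # logging mode: nothing denied, hits visible
    run([RULE_BROAD], "block", 1)    # blocks the innocent comment, misses double encoding
    run([RULE_TUNED], "block", 2)    # tuned regex plus deeper decoding
```

Running it shows the three outcomes the best practices are about: in detect mode the keyword rule surfaces the false positive without breaking the user's request; in block mode the same rule denies the comment and still lets the double-encoded payload through, because one decode round leaves `%20` in place and the `\b` anchors never line up; the tuned rule with two decode rounds catches all three injection variants and passes the comment. Decoding twice in the WAF is only correct when the backend also decodes twice; otherwise the WAF and the application disagree about what the request says, which is exactly the mismatch an attacker exploits.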
December 2024