Web Application Firewall – What is a WAF?


A Web Application Firewall, or WAF, is a special type of firewall used for web applications. A WAF acts as a shield between a web application and the internet, protecting the server by detecting and blocking malicious request traffic.


A WAF does this by filtering, monitoring, and blocking HTTP and HTTPS traffic to and from a web service. Once properly configured and enabled for a service, a WAF helps prevent application-layer (Layer 7) attacks that exploit a web application's vulnerabilities, including SQL injection, cross-site scripting (XSS), and HTTP protocol violations.


WAF policies



WAFs don’t protect against all types of threats and attacks; rather, WAFs are one important element of a wider suite of tools used to protect websites and apps. The rules determining what traffic is deemed safe and what is malicious — in other words, what kind of traffic a WAF will allow or block — are called “policies.”


Each company or person using a WAF can customize policies to their own unique requirements. Policies can be updated quickly and even automatically. This is one of the advantages of a WAF: because policies can be modified easily, there can be a faster response to various types of attack.
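A policy in the sense described above, reduced to its essentials. This is an added example, not Fastly's rule engine or code from this page; the `Rule` and `Policy` classes, the rule names, and the regex signatures are hypothetical and far simpler than production signatures.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}

@dataclass
class Rule:
    name: str
    pattern: str           # regex matched against the decoded query and body
    action: str = "block"  # "block", or "log" to monitor without blocking

@dataclass
class Policy:
    rules: list = field(default_factory=list)

    def evaluate(self, method, query="", body="", headers=None):
        """Return (decision, names_of_matched_rules) for one request."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        # HTTP protocol checks run first: unexpected method, missing Host.
        if method.upper() not in ALLOWED_METHODS:
            return "block", ["protocol:method"]
        if "host" not in headers:
            return "block", ["protocol:missing-host"]
        # Decode once so %27 or + is inspected the way the app will see it.
        data = unquote_plus(query) + "\n" + unquote_plus(body)
        hits = [r for r in self.rules if re.search(r.pattern, data, re.I)]
        blocked = any(r.action == "block" for r in hits)
        return ("block" if blocked else "allow"), [r.name for r in hits]

def default_policy():
    """Constructed starter policy; the signatures are deliberately simple."""
    return Policy([
        Rule("sqli:union-select", r"\bunion\b.+\bselect\b"),
        Rule("xss:script-tag", r"<\s*script\b"),
        Rule("sqli:tautology", r"'\s*or\s+\d+\s*=\s*\d+", action="log"),
    ])

if __name__ == "__main__":
    policy = default_policy()
    host = {"Host": "shop.example"}  # constructed sample requests
    for q in ("q=shoes", "id=1+UNION+SELECT+name+FROM+users",
              "user=a%27+or+1%3D1", "file=..%2F..%2Fsecret"):
        print(q, "->", policy.evaluate("GET", q, headers=host))
    # A policy update takes effect on the next request, no redeploy needed.
    policy.rules.append(Rule("traversal:dot-dot-slash", r"\.\./"))
    print(policy.evaluate("GET", "file=..%2F..%2Fsecret", headers=host))
```

A rule set to `log` records a match without blocking, which is how a new signature is usually trialled against live traffic before it is switched to `block`.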


Types of WAFs


WAFs can be implemented in three primary ways: on-premise, cloud, and hybrid.


#1 On-Premise WAFs

On-premise WAFs, also known as appliance WAFs, are commonly used. Originally, all WAFs were on-premise and many companies still use on-premise WAFs to protect workloads, particularly older or legacy apps.


#2 Cloud-Based WAFs

Cloud-based WAFs are located either in a vendor-hosted cloud or on the edge of a content delivery network (CDN). Cloud-based WAF solutions are becoming more popular because cloud-based deployment allows for blocking threats closer to where they originate, before they get onto the network.


Cloud-based WAFs are the fastest way to get a WAF up and running. They are a good option in many cases, including where teams may not have full autonomy over their infrastructure and where organizations have limited in-house IT resources.


Organizations might also choose a cloud WAF because they do not have to deploy software to gain protection. This translates into cost savings: staff do not have to manage software and instead can just focus on preventing threats from compromising their apps and application programming interfaces (APIs).


#3 Hybrid WAFs

Hybrid WAFs combine on-premise and cloud-based deployments, providing visibility into web requests directed at apps and APIs in any environment.


Hybrid deployments enable companies to protect both legacy applications that have not been adapted to the cloud and modern distributed applications. This deployment model leverages the mixture of on-premise and cloud to feed production security telemetry to a central management console. This provides a view across all WAF production deployments in easy-to-consume dashboards and reports.


Ideally, regardless of deployment method, the WAF vendor also provides an API that customers can use to feed security data and indicators to third-party security information and event management (SIEM) or security orchestration, automation and response (SOAR) tooling.


What is a WAAP?


Web Application and API Protection (WAAP) is a term used to describe cloud-based services designed to protect vulnerable web applications and APIs from a wide variety of attacks. A WAAP service should provide protective capabilities that inspect web requests effectively before they reach the app or API endpoint.


A WAAP focuses only on the application layer (Layer 7) of the OSI model, and resides at the outer edge of a network. Cloud WAAP services typically include bot mitigation, WAF, API protection, and DDoS protection.

©2023 Fastly, Inc. All Rights Reserved