A web application firewall (WAF) protects applications against sophisticated Layer 7 attacks that might otherwise lead to loss of sensitive data, system hijacking by attackers, and downtime.
A WAF protects applications by actively monitoring and filtering traffic. It looks for common attack types such as SQL injection, cross‑site scripting (XSS), file inclusions, and other types of active intrusion. It is like a shield sitting right in front of your web server to keep out potentially harmful attacks.
Different Types of WAFs
- DevOps (host‑based) – F5 has created a modern WAF application that also works with NGINX Plus, NGINX Ingress Controller, and other servers. For details, see NGINX App Protect.
- ModSecurity (host‑based) – NGINX ModSecurity WAF is based on the widely used ModSecurity open source software. For more information, see The NGINX ModSecurity WAF Joins the Google Cloud Security Partner Ecosystem.
[Editor – NGINX ModSecurity WAF officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024. For more details, see F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life on our blog.]
- Hardware – A physical product installed by your IT department that offers low latency but at increased cost.
- Cloud – Typically provided by a third party and therefore not preferred for application protection due to the lack of controls and access.