Security

WAF — Web Application Firewall and how it protects from OWASP top 10 attacks

08.11.2033

A Web Application Firewall (WAF) is a filtering layer placed between the user and the site that checks each request from a security perspective. While an ordinary server firewall works at the network level, a WAF detects and stops attacks at the application level: it analyzes the content of HTTP requests, their parameters and headers. If a request matches a SQL injection, XSS or other attack pattern, the WAF blocks it before it ever reaches the server.

What attacks WAF protects from

A WAF mainly aims to stop the attacks on the OWASP Top 10 list. SQL injection is the most dangerous type: the attacker gains unauthorized access to the database. XSS is the injection of malicious JavaScript code that steals other users' data. CSRF is performing unauthorized actions on behalf of a user. A WAF detects these by comparing requests with the patterns in its rule database. It also protects against file upload attacks, command injection and complex path traversal attacks.

Cloudflare WAF

Cloudflare WAF is the easiest solution to set up and the most widely used. Point the domain to Cloudflare's nameservers and enable the WAF rules. The free plan provides basic protection; the paid plan adds advanced rules and managed rules that the Cloudflare team updates continuously. The WAF works alongside bot protection, and suspicious requests are challenged with a CAPTCHA. The Cloudflare dashboard shows in real time which attacks are being blocked.

Sucuri and other paid solutions

Sucuri offers a WAF specialized for WordPress and PHP sites; besides blocking attacks, it also cleans the site of malicious code. Imperva and F5 offer professional solutions for large corporations, but they are quite expensive. AWS WAF and Azure WAF are convenient for applications hosted on those cloud platforms. Most paid WAF solutions are sold as monthly subscriptions, with prices that vary with traffic volume.

ModSecurity — open source WAF

ModSecurity is an open source WAF module for Apache, Nginx and IIS. It is free, but configuring it requires technical knowledge. The OWASP Core Rule Set (CRS) is the best-known and most powerful rule set that works with ModSecurity; it consists of thousands of rules and is updated constantly. The advantage of ModSecurity is full control, with resources consumed only on your own server. The disadvantage is that it can sometimes block legitimate users, so its settings need to be calibrated carefully.

Sayt.uz practice

Sayt.uz provides two-layer WAF protection for all client sites. The first layer is Cloudflare WAF, which stops attacks at the DNS level; the second layer is ModSecurity with the OWASP CRS rules at the server level. By our observations, on average more than 500 thousand attack attempts are blocked automatically per day. Clients can view WAF statistics in their cabinet, add trusted IPs to a whitelist to handle false positives, and configure the security level as they wish.
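To make the three ideas above concrete (pattern matching against OWASP Top 10 attack classes, CRS-style scoring that must be calibrated to avoid blocking real users, and a trusted-IP whitelist plus a selectable security level), here is an added educational model of an anomaly-scoring WAF. It is not ModSecurity, Cloudflare or Sayt.uz code, and it does not use real CRS rules: the rule ids, regexes, weights and the mapping of security levels to score thresholds are assumptions chosen for illustration. The sample requests are constructed.

```python
"""
Educational model of a CRS-style anomaly-scoring WAF (added example; not
ModSecurity, Cloudflare or Sayt.uz code). Rule ids, weights and the
security-level thresholds are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    rule_id: str            # hypothetical ids, not real OWASP CRS ids
    description: str
    pattern: re.Pattern
    score: int              # severity weight added to the request's anomaly score


# Constructed detection rules covering the attack classes the article names.
# Real CRS rules are far more thorough; these are deliberately small.
RULES = (
    Rule("sqli-tautology", "quote + OR/AND tautology, SQL comment, or UNION SELECT",
         re.compile(r"(?i)['\"]\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+|--\s|/\*|\bunion\s+select\b"), 5),
    Rule("sqli-keyword", "bare SQL keyword in a value (low confidence, low weight)",
         re.compile(r"(?i)\b(select|union|insert|drop|delete)\b"), 2),
    Rule("xss-script", "script tag, javascript: URL or inline event handler",
         re.compile(r"(?i)<\s*script|javascript\s*:|\bon[a-z]+\s*="), 5),
    Rule("traversal", "directory traversal sequence",
         re.compile(r"\.\.[/\\]"), 5),
    Rule("cmd-injection", "shell metacharacter followed by a command name",
         re.compile(r"(?i)[;|`]\s*(cat|ls|id|whoami|wget|curl)\b|\$\("), 5),
)

# Assumed mapping of a user-facing "security level" to a CRS-style inbound
# anomaly threshold: a request is blocked when its score reaches the threshold.
SECURITY_LEVELS = {"low": 10, "medium": 5, "high": 2}


@dataclass
class Request:
    client_ip: str
    path: str
    args: dict = field(default_factory=dict)      # query / form parameters
    headers: dict = field(default_factory=dict)


def normalize(value: str) -> str:
    """Percent-decode twice so single- and double-encoded payloads look the same
    to the rules (a stand-in for CRS transformations such as urlDecodeUni)."""
    return unquote(unquote(value))


def inspect(req: Request, level: str = "medium",
            trusted_ips: frozenset = frozenset()) -> dict:
    """Score every inspected field against every rule and decide allow / block."""
    if req.client_ip in trusted_ips:
        # Whitelisted source: skip inspection entirely, which is how false
        # positives for known-good clients are usually handled in practice.
        return {"allowed": True, "score": 0, "matches": [], "reason": "trusted ip"}

    threshold = SECURITY_LEVELS[level]
    fields = {"path": req.path}
    fields.update({f"arg:{k}": v for k, v in req.args.items()})
    fields.update({f"header:{k.lower()}": v for k, v in req.headers.items()})

    score, matches = 0, []
    for name, raw in fields.items():
        value = normalize(raw)
        for rule in RULES:
            if rule.pattern.search(value):
                score += rule.score
                matches.append((rule.rule_id, name))

    allowed = score < threshold
    reason = "clean" if not matches else (
        f"score {score} {'below' if allowed else 'reached'} threshold {threshold} ({level})")
    return {"allowed": allowed, "score": score, "matches": matches, "reason": reason}


if __name__ == "__main__":
    # Constructed sample requests: three attack patterns and one benign search
    # that the low-weight keyword rule misfires on.
    samples = [
        Request("203.0.113.10", "/item", {"id": "1' OR '1'='1"}),
        Request("203.0.113.11", "/search", {"q": "%253Cscript%253Ealert(1)%253C/script%253E"}),
        Request("203.0.113.12", "/static/../../config.php"),
        Request("198.51.100.7", "/search", {"q": "select union of two sets"}),
    ]
    for req in samples:
        for level in ("medium", "high"):
            d = inspect(req, level)
            print(f"{level:6} {'ALLOW' if d['allowed'] else 'BLOCK'} {req.path} "
                  f"{req.args} -> {d['reason']} {d['matches']}")
    # The same benign search from a whitelisted IP is never inspected.
    print(inspect(samples[3], "high", trusted_ips=frozenset({"198.51.100.7"})))
```

Running the script shows the calibration trade-off the ModSecurity section warns about: the three attack samples reach the "medium" threshold and are blocked, while the benign search for "select union of two sets" scores only 2 from the low-confidence keyword rule, so it passes at "medium" but is wrongly blocked at "high". Raising the level therefore catches more but also produces exactly the false positives that a trusted-IP whitelist or a lower level is used to resolve. Note also that the double-encoded XSS sample is only caught because values are decoded before matching; a WAF that skips that normalization step misses it.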
