What is a WAF (Web Application Firewall)?
A web application firewall, or WAF, is a filter that sits in front of your website and inspects every incoming request, blocking malicious ones before they reach your server. Here's what that means in practice.
What a WAF does
Where a traditional network firewall controls connections by IP and port, a WAF understands HTTP — the actual web requests visitors send. It looks for the signatures of attacks like SQL injection, cross-site scripting (XSS), and known exploit attempts, and stops them at the door.
A good WAF also handles bad bots, malicious IP addresses, and abusive request rates, so automated abuse never reaches your application.
What it protects against
The OWASP Top 10 — the industry's list of the most critical web risks — is the baseline. AWS WAF managed rule groups cover SQL injection, XSS, known bad inputs, and more, and are maintained as new threats appear.
Layered on top are bot control, IP reputation, geographic and rate-based rules, and account-fraud protection for logins and signups.
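To make the two sections above concrete, here is an added example (my own illustration, not AWS WAF's engine or rule groups) of the request-inspection loop a WAF runs: an IP reputation blocklist, a rate-based rule over a sliding window, signature rules for SQL injection and XSS applied to the decoded query string, body and User-Agent, and a per-path exemption of the kind used when tuning out false positives. The signature patterns, IP addresses, paths and request samples are all constructed for the demo and deliberately narrow; a real managed rule group carries far more patterns and normalisation steps.

```python
"""Toy WAF request filter (added illustration, not AWS WAF's implementation)."""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple
from urllib.parse import unquote_plus

# Hypothetical signatures: kept narrow so "credit union rates" is not a SQLi hit.
SIGNATURES = {
    "SQLi": re.compile(
        r"(?i)(\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table)"
    ),
    "XSS": re.compile(r"(?i)(<\s*script\b|javascript\s*:|on(error|load|click)\s*=)"),
}


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""  # raw, still URL-encoded query string
    body: str = ""   # raw form body
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    action: str  # "ALLOW" or "BLOCK"
    rule: Optional[str] = None  # name of the rule that produced the decision


class ToyWAF:
    def __init__(self, bad_ips, rate_limit, window_seconds, exempt_paths=()):
        self.bad_ips = set(bad_ips)           # IP reputation list
        self.rate_limit = rate_limit          # max requests per IP per window
        self.window = window_seconds
        self.exempt_paths = set(exempt_paths)  # tuning: paths that legitimately carry markup
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _rate_exceeded(self, ip: str, now: float) -> bool:
        # Sliding window: record this hit, drop hits older than the window, compare.
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.rate_limit

    def evaluate(self, req: Request, now: Optional[float] = None) -> Decision:
        now = time.monotonic() if now is None else now
        # 1. IP reputation: cheapest check, so it runs first.
        if req.client_ip in self.bad_ips:
            return Decision("BLOCK", "IPReputation")
        # 2. Rate-based rule: every request counts, whatever the later outcome.
        if self._rate_exceeded(req.client_ip, now):
            return Decision("BLOCK", "RateLimit")
        # 3. Tuning exemption: skip signature rules where markup is expected.
        if req.path in self.exempt_paths:
            return Decision("ALLOW", "ExemptPath")
        # 4. Signature rules over the decoded request parts an attacker controls.
        inspected = " ".join(
            unquote_plus(part)
            for part in (req.query, req.body, req.headers.get("User-Agent", ""))
        )
        for name, pattern in SIGNATURES.items():
            if pattern.search(inspected):
                return Decision("BLOCK", name)
        return Decision("ALLOW")


def run_demo() -> list:
    """Run constructed sample traffic through the filter; returns (action, rule) pairs."""
    waf = ToyWAF(bad_ips={"203.0.113.9"}, rate_limit=5, window_seconds=60,
                 exempt_paths={"/blog/preview"})
    samples = [
        Request("198.51.100.4", "GET", "/search", query="q=union+select+password+from+users"),
        Request("198.51.100.4", "POST", "/comment", body="text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        Request("203.0.113.9", "GET", "/"),                                   # listed IP
        Request("198.51.100.7", "POST", "/blog/preview", body="html=<script>"),  # exempt path
        Request("198.51.100.4", "GET", "/products", query="id=42"),           # ordinary request
        Request("198.51.100.4", "GET", "/search", query="q=credit+union+rates"),  # no false positive
    ]
    results = [waf.evaluate(r, now=1000.0) for r in samples]
    # Rate-based rule: the sixth request from one IP inside the window trips the limit of 5.
    burst = Request("198.51.100.20", "GET", "/login")
    last = Decision("ALLOW")
    for i in range(6):
        last = waf.evaluate(burst, now=1000.0 + i)
    results.append(last)
    return [(d.action, d.rule) for d in results]


if __name__ == "__main__":
    for action, rule in run_demo():
        print(action, rule)
```

The rule order matters for cost and for counting: the reputation and rate checks are cheap and run on every request, while the regex signatures run only on what survives them. The exempt path shows the tuning trade-off the text describes, since an editor endpoint that legitimately submits HTML would otherwise be blocked by the XSS rule. Pattern matching of this kind screens traffic; it does not fix an injection flaw in the application behind it, and a blocked request should be logged with its matched rule name so the tuning decision can be reviewed.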
Managed vs DIY
Running a WAF well is mostly about tuning: enabling the rules that matter for your application while avoiding false positives that block real customers. A managed WAF service handles that for you — provisioning, tuning, monitoring, and responding — so you get the protection without operating it.