Skip to main content


· 3 min read

A brief introduction to Web Application Firewall


A web application firewall (or WAF) is a high-level layer in your software that filters the traffic between your web application and the Internet. It mainly serves to protect your app from HTTP attacks like DDoS, XSS (cross-site-scripting), SQL injection, and others. Combined with other security layers in the stack, WAF is an important part of keeping your web app secure.

In the same manner that a proxy server protects the client by serving as an intermediary between the client app and the Internet, a WAF is a reverse proxy that protects the server from any client-side attacks. The WAF filters out any malicious client-side code before it can reach the server to cause any problems.

How Does a WAF Work?

A WAF controls outside access to a web application. Malicious requests are denied, as is any outgoing activity that is caused by such malicious activity on the servers.

When deployed as a reverse proxy, clients must first pass through the WAF (at the 'edge)' before they can communicate with the origin server. Clients are not typically aware they are communicating with a reverse-proxy instead of directly with the origin server, and the user experience is not negatively impacted in any way.

Both incoming requests from clients and outgoing responses from the origin server are filtered by the WAF before the communications are allowed to pass through. Any attempts on either side that do not pass the WAF's security policies are denied.

What are the Main Types of WAF Policies?

  • Blacklist (aka ‘block-list’) policies: Protect against known threats that currently exist, while allowing all other traffic through.
  • Whitelist (aka ‘allow-list’) policies: Assume all traffic is a threat, unless specifically given permission beforehand.

As both of these approaches have strengths and weaknesses, it is often advisable to combine them to obtain the best desired effect. For example, a site that only has a certain type of desired traffic might set up a whitelist, blocking out all other traffic (while still having a basic blacklist of any malicious requests that may come from any of the whitelisted sources), while some sites may have a wide variety of traffic and depend more on a heavy-handed blacklist approach.

What are the Main Ways a WAF Can be Implemented?

  • Local/Hardware-based Network: The traditional method used by companies, requiring a local network be set up. This option is the most expensive, requiring large purchases of equipment and expenses to store and maintain the local network.
  • Hosted: The WAF layer can be hosted in the web application’s software, on the server side. While this method is cheaper in upfront costs to implement, it consumes server resources and requires backend developer resources to set up and maintain.
  • Cloud-based: The most modern, turn-key solution for implementing WAF. A cloud provider will set up and host all the WAF resources remotely, allowing customers to to purchase access, typically requiring only a simple change in DNS settings to re-route the traffic. Similar to other software-as-a-service (SaaS) solutions, the user is typically charged a monthly or pay-as-you-go fee, treating the service as a utility. Aside from being the cheapest and most convenient option in most cases, the main advantage to this option is that cloud-based providers maintain the WAF on their end, ensuring it is up-to-date for maximum security and reliability.

Contact us to learn more about Kuroco’s easy-to-use cloud-based WAF solution.