Network February 10, 2025 ⏱ 6 min read

Web Application Firewalls: A Complete Guide to WAF

Learn how Web Application Firewalls work, how to configure ModSecurity and cloud-based WAFs, and best practices for protecting web applications.

wafweb-securitymodsecurityowaspfirewall

What Is a Web Application Firewall?

A Web Application Firewall (WAF) is a security layer that sits between your web application and incoming traffic, inspecting HTTP/HTTPS requests in real time. Unlike traditional network firewalls that operate at layers 3 and 4 of the OSI model, a WAF operates at layer 7 — the application layer — giving it the ability to analyze the actual content of web requests.

WAFs protect against a wide range of attacks including SQL injection, cross-site scripting (XSS), remote file inclusion, and other OWASP Top 10 vulnerabilities. They work by applying a set of rules (often called policies) to each incoming request, deciding whether to allow, block, or flag the traffic.

Types of WAFs

There are three primary deployment models for WAFs, each with distinct advantages depending on your infrastructure and threat model.

Network-Based WAF

Deployed as a hardware appliance within your data center, network-based WAFs offer the lowest latency since they sit physically close to the application servers. Solutions like F5 BIG-IP and Imperva SecureSphere fall into this category. The trade-off is high upfront cost and maintenance overhead.

Host-Based WAF

Host-based WAFs are installed directly on the web server as a software module. ModSecurity is the most well-known example. They are highly customizable and cost-effective but consume local server resources and require per-server configuration.

Cloud-Based WAF

Cloud WAFs are delivered as a service and require minimal infrastructure changes — typically just a DNS redirect. Providers like Cloudflare, AWS WAF, and Akamai handle rule updates, scaling, and DDoS absorption automatically. They are ideal for organizations that want protection without managing hardware or complex configurations.

Setting Up ModSecurity with Nginx

ModSecurity is the de facto open-source WAF engine. It supports Apache, Nginx, and IIS. Here is how to install and configure it on an Ubuntu server running Nginx.

Installation

sudo apt update
sudo apt install -y libmodsecurity3 libmodsecurity-dev libnginx-mod-security

If you are compiling Nginx from source with the ModSecurity connector:

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
cd /path/to/nginx-source
./configure --add-dynamic-module=../ModSecurity-nginx
make modules
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/

Enabling ModSecurity in Nginx

Edit your main Nginx configuration to load the module and enable the engine:

# /etc/nginx/nginx.conf
load_module modules/ngx_http_modsecurity_module.so;

http {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity/main.conf;

    server {
        listen 80;
        server_name example.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}

Create the main ModSecurity configuration file:

sudo mkdir -p /etc/nginx/modsecurity
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/nginx/modsecurity/main.conf

Switch from detection to enforcement by editing main.conf:

# Change from DetectionOnly to On
sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsecurity/main.conf

Integrating the OWASP Core Rule Set (CRS)

The OWASP Core Rule Set is a community-maintained collection of generic attack detection rules. It is the most widely deployed WAF rule set in the world and covers the OWASP Top 10 out of the box.

cd /etc/nginx/modsecurity
git clone https://github.com/coreruleset/coreruleset.git
cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf

Include the CRS rules in your ModSecurity configuration:

# Append to /etc/nginx/modsecurity/main.conf
echo "Include /etc/nginx/modsecurity/coreruleset/crs-setup.conf" >> main.conf
echo "Include /etc/nginx/modsecurity/coreruleset/rules/*.conf" >> main.conf

Restart Nginx and verify:

sudo nginx -t
sudo systemctl restart nginx

Test that the WAF is working by sending a basic SQL injection attempt:

curl -I "http://example.com/?id=1' OR '1'='1"
# Expected: 403 Forbidden

Cloud WAF Options

For teams that prefer managed solutions, several cloud WAF providers offer robust protection with minimal setup.

Cloudflare WAF — Included in Pro plans and above. Provides managed rulesets, rate limiting, and bot management. Configuration is done entirely through the dashboard or API.
AWS WAF — Integrates natively with CloudFront, ALB, and API Gateway. Supports custom rules written in JSON and offers managed rule groups from AWS and marketplace vendors.
Azure Front Door WAF — Delivers Microsoft-managed rule sets with custom policy support. Tight integration with Azure CDN and application services.
Akamai Kona Site Defender — Enterprise-grade WAF with adaptive rate controls and advanced bot detection, suitable for high-traffic environments.

Cloud WAFs are particularly effective when combined with CDN capabilities, as they can absorb volumetric attacks at the edge before traffic ever reaches your origin server.

WAF Bypass Techniques to Watch For

Understanding how attackers bypass WAFs is essential for building resilient defenses. Security teams should be aware of these common evasion methods:

Encoding tricks — Attackers use double URL encoding, Unicode, or hex encoding to obfuscate payloads. For example, %253Cscript%253E instead of <script>.
Case alternation — Mixing uppercase and lowercase characters (SeLeCt, uNiOn) to evade case-sensitive pattern matching.
Comment injection — Inserting SQL comments within keywords: SEL/**/ECT or UN/**/ION.
HTTP parameter pollution — Sending duplicate parameters (?id=1&id=2 OR 1=1) to exploit differences in how the WAF and the backend parse them.
Chunked transfer encoding — Splitting malicious payloads across multiple HTTP chunks to avoid detection by rules that inspect complete request bodies.
JSON/XML payloads — Embedding attacks inside structured data formats that the WAF may not deeply inspect.

Regularly testing your WAF with tools like nikto, sqlmap, or wfuzz helps identify gaps before attackers do.

Best Practices for WAF Deployment

Deploying a WAF is not a one-time task. Follow these practices to maintain effective protection over time.

Start in detection mode — Run the WAF in DetectionOnly or log-only mode before switching to enforcement. Analyze logs to identify false positives and tune rules accordingly.
Tune aggressively — The OWASP CRS uses a paranoia level system (1–4). Start at level 1 and gradually increase, whitelisting legitimate traffic patterns as you go.
Keep rules updated — Whether you use ModSecurity CRS or a managed cloud WAF, ensure rule sets are updated regularly to cover newly disclosed vulnerabilities.
Log everything — WAF logs are invaluable for incident response and forensic analysis. Forward them to a SIEM or centralized logging platform like the ELK stack.
Layer your defenses — A WAF should never be your only security control. Combine it with input validation, parameterized queries, Content Security Policy headers, and regular penetration testing.
Monitor performance — WAF inspection adds latency. Profile your response times and optimize rule sets to exclude static assets or trusted internal traffic.
Protect the WAF itself — Ensure management interfaces are not exposed publicly. Use IP whitelisting and strong authentication for any WAF administration panel.

Conclusion

A well-configured WAF is one of the most effective tools in your defensive arsenal. Whether you choose a self-managed ModSecurity deployment or a cloud-based solution, the key is continuous tuning, monitoring, and layering it with other security controls. No single tool stops every attack — but a properly maintained WAF significantly raises the bar for adversaries targeting your web applications.