GLOSSARY · Network
Web Application Firewall WAF
Filter that sits in front of a web application and inspects every request — blocking known attack patterns (SQL injection, XSS, file inclusion) before they reach your code.
Detailed definition
Web Application Firewall is the layer between the public internet and your web application that inspects every incoming request and decides whether to let it through. Unlike a traditional network firewall (NGFW) that filters by port and IP, a WAF understands HTTP — it can look at headers, request bodies, query parameters, cookies, and block requests that match known attack patterns.
What a WAF blocks
- SQL injection — attacker tries to manipulate database queries through user input
- Cross-site scripting (XSS) — attacker injects JavaScript into pages other users will see
- Local / remote file inclusion — attacker tries to make the server load arbitrary files
- Path traversal — attempts to read files outside the web root
- OWASP Top 10 patterns — the canonical web vulnerability list
- Bot abuse — credential stuffing, scraping, comment spam (when combined with bot management)
- DDoS at L7 — application-layer flooding designed to exhaust backend resources
Edge WAF vs origin WAF
- Edge WAF (Cloudflare, AWS WAF, Akamai) inspects requests at the CDN layer before they reach your server. Stops attacks at the global edge, scales independently of your origin, and benefits from cross-customer threat intel.
- Origin WAF (mod_security on Apache, Imunify360, WP-level plugins) inspects requests at your server. Useful as a second layer, but won’t help with attacks that exhaust origin resources before being blocked.
We default to edge WAF for most clients — Cloudflare’s WAF with OWASP managed rule sets tuned to the specific application. For WordPress hosting we also enable origin-level hardening (file-system restrictions, login rate-limiting, malware scanning) as a second layer.
Why WAF without bot management is incomplete
A modern WAF is most effective paired with bot management. Pure rule-based WAFs catch the classic vulnerability patterns but miss credential-stuffing attacks (which look like legitimate logins) and scraping (which looks like legitimate browsing). Cloudflare’s Bot Management uses behavioral signals and bot scores to separate Googlebot from credential-stuffing scripts — see the Cloudflare service page for the deployment pattern.
HOW WE HELP
Related Bytes Unlimited services
Need help applying WAF to your business?
We've done this kind of work across New York. First conversation is free.