Web Application Firewalls

Web Application Firewalls Overview

Web Application Firewalls (WAFs) are server-side firewalls that protect externally-facing web applications. WAFs are part of a layered cybersecurity strategy. It falls to the WAF to prevent zero-day attacks on web apps and APIs that potentially reside in serverless architecture. WAFs can be deployed as a virtual or physical appliance.

Web application firewalls are specialized for securing web applications against specific kinds of threats, such as:

  • Cross-site scripting

  • SQL injection

  • Session hijacking

  • Denial of service

  • Buffer overflows

Other security tools, such as network firewalls, are less effective against these application-specific attacks. They may also come with more of a performance penalty than WAFs. Modern WAFs have also built out more live analytics and intelligent responsiveness to web traffic hitting an application. This allows them to better protect against zero-day attacks than legacy firewalls, which were wholly reliant on set policies for enforcing protection. In most cases, web application firewalls should be layered with other security tools, such as network firewalls or Runtime Application Self-Protection (RASP) software.

In 2006 the Payment Card Industry Data Security Standard (PCI DSS) mandated the protection of applications in production environments with web application firewalls or other devices that provide similar functionality. Since then, they have become a more standard tool in organizations' security tech stacks for securing any application.



Category Videos

What is a Web Application Firewall (WAF)?
It's important to defend your network with more than just a traditional Layer 3-4 firewall. That's where a Web Application Firewall (WAF) comes in. This video outlines what a WAF is and why your web application needs one.


Web Application Firewalls Products


The list of products below is based purely on reviews (sorted from most to least). There is no paid placement and analyst opinions do not influence their rankings. Here is our Promise to Buyers to ensure information on our site is reliable, useful, and worthy of your trust.

Cloudflare

Cloudflare, from the company of the same name in San Francisco, provides DDoS and bot mitigation security for business domains, as well as a content delivery network (CDN) and web application firewall (WAF).

NGINX

NGINX, a business unit of F5 Networks, powers over 65% of the world's busiest websites and web applications. NGINX started out as an open source web server and reverse proxy, built to be faster and more efficient than Apache. Over the years, NGINX has built a suite of infrastructure…

F5 BIG-IP

F5 BIG-IP software from Seattle-based F5 Networks is a load balancing and application protection solution suite available on cloud or via virtual editions, on a subscription or perpetual licensing basis. The BIG-IP suite of products supports a wide range of security and application…

Azure Application Gateway

Microsoft's Azure Application Gateway is a platform-managed, scalable, and highly available application delivery controller as a service with integrated web application firewall.

AWS WAF

Amazon Web Services offers AWS WAF (web application firewall) to protect web applications from malicious behavior that might impede the application's functioning and performance, with customizable rules to prevent known harmful behaviors and an API for creating and deploying web security…

Oracle Dyn Web Application Security Platform

Oracle Dyn Web Application Security Platform extends beyond just typical Web Application Firewall (WAF) capabilities to offer Access Control, Bot Management, application DDoS protection and API security.

Barracuda Web Application Firewall

Barracuda Web Application Firewall, from Barracuda Networks in Campbell, California, protects web applications from bots, DDoS attacks, and other advanced threats to enterprise apps.

StackPathCDN

The StackPath (formerly Highwinds) Content Delivery Network provides a scalable DNS with load balancing, traffic management, DDoS protection and Web Application Firewall (WAF) to support and protect enterprise websites and applications.

Barracuda WAF-as-a-Service

Barracuda WAF-as-a-Service is presented by the vendor as a full-featured, cloud-delivered application security service that includes full-spectrum L3-L7 DDoS protection (volumetric and application) to protect applications from disruptions and ensure nonstop availability.

SonicWall Web Application Firewall

SonicWall offers their WAF Series of web application firewalls.

Imperva Web Application Firewall (WAF)

The Imperva Web Application Firewall (WAF) is based on technology acquired with Incapsula and the former WebSphere WAF.

F5 Advanced Web Application Firewall

F5 Networks offers the Advanced Web Application Firewall (WAF) to provide bot defense, advanced application protection, anti-bot SDK, and other features.

Akamai Kona Site Defender

Akamai offers their web application firewall and application security applications, including Kona Site Defender, a web application security platform designed to protect web and mobile assets from targeted web application attacks and DDoS attacks while improving performance.

Comodo cWatch

Comodo Cybersecurity, headquartered in Clifton, offers cWatch, a website malware and vulnerability scanner that provides content filtering as well at the free service level, and at paid premium subscription levels supplies WAF, DDoS protection, as well as load balancing and website…

Azure Front Door

Microsoft's Azure Front Door is a combined web application firewall and DDoS mitigation solution for web applications.

Pulse vADC (Virtual Application Delivery Controller)

Pulse vADC (Virtual Application Delivery Controller) is composed of three products which can be combined to suit the needs of applications. The solution is now from Ivanti since the company's December, 2020 acquisition of Pulse Secure.

FortiWeb

FortiWeb is Fortinet's web application security system (or web application firewall, WAF) featuring advanced vulnerability management and threat detection and prevention, available in deployment as an appliance or virtual appliance, also as a hosted or a cloud-based virtual solution.…

F5 Distributed Cloud WAF

Volterra, from F5 (acquired January 2021), provides a distributed cloud platform to deploy, connect, secure and operate applications and data across multi-cloud and edge sites. Its services include VoltStack, a SaaS-based offering that automates deployment, security and operations…

Avi Vantage, from VMware

Avi Networks, from VMware (acquired June, 2019) enables public-cloud simplicity for application services such as load balancing, application analytics, and security in data centers or cloud. The Avi Networks Platform provides software-based ADC capabilities, auto scaling and automation…

PT Application Firewall

Positive Technologies, headquartered in Framingham, offers the PT Application Firewall (AF), a web application firewall (WAF) which uses advanced machine learning and correlative techniques to detect and prevent zero-day attacks on enterprise apps.

Radware AppWall

Radware offers AppWall, a PCI compliant web application firewall (WAF) securing corporate networks and the cloud against web app attacks.

R&S Web Application Firewall

German company Rohde & Schwarz offers the R&S Web Application Firewall to protect enterprise apps against data leakage, disablement, identity theft and intrusion.

WAPPLES

WAPPLES utilizes an intelligent detection engine to protect enterprise from advanced web-based attacks, including SQL injections, DDoS, and APTs. The vendor says that WAPPLES’ ease of deployment and low operational workload have been cited as main reasons for high customer satisfaction.…

NGINX Plus

NGINX Plus is presented as a cloud‑native, easy-to-use reverse proxy, load balancer, and API gateway, from F5.

Bekchy

Bekchy is a cloud-based web application firewall, developed by Faydata Information Technologies Inc. Bekchy works in front of all web application servers. According to the vendor, Bekchy is used by finance, health, education, tourism and media sectors. It provides basic and advanced…

Learn More About Web Application Firewalls

Web Application Firewall (WAF) Features & Capabilities

WAFs generally present the following features:

  • Libraries of attack data based on known attacks to web applications

  • Monitoring, filtering and blocking of data and access to web applications

  • Automated attack detection, both identity-based (e.g. dynamic whitelisting, fingerprinting, risk scoring) and behavioral (e.g. risk scoring)

  • Advanced security techniques (e.g. deception/misdirection, virtual patch deployment, honeypot)

  • Zero-day attack prevention (related to the above)

  • A management interface with alert system

  • Reporting and analytics on threat and application usage

Web Application Firewall Comparison

Consider these factors when comparing web application firewalls:

  • Performance: How does each WAF impact the application’s performance? For instance, does each product introduce relevant latency in traffic? Do false positives create a worse application user experience?

  • Deployment Type: Should the WAF be deployed as a cloud-based app, an on-premise appliance, or as a server plugin? Each of these options impacts latency, customizability, and scalability.

  • Integrations: Does each option integrate with the other application security tools already in use by the organization? This can dramatically impact how easy the WAF is to maintain and update in light of new vulnerabilities or attacks.


Pricing Information

The cost of web application firewalls depends on deployment. There are three options:

  1. A managed service or cloud-hosted WAF delivered as part of a subscription. This can be relatively low overhead as part of a larger subscription (e.g. part of a CDN). But it also may contain unneeded features.

  2. A network-based appliance. This presents relatively high overhead but reduces latency because it is installed locally and close to the application.

  3. A host-based WAF residing in the application’s code. This is rarer and may present less desirable computing costs and greater maintenance.


Frequently Asked Questions

What is a web application firewall?

A web application firewall sits on the application layer, often within the server, to monitor and block malicious traffic that attempts to access or interfere with the application being protected.

Why do I need a web application firewall?

A web application firewall is crucial to protecting applications from web app-specific attacks that other tools struggle to effectively mitigate.

What’s the difference between WAF and firewall?

WAF (web application firewall) is a subset of firewalls that focuses exclusively on web-facing applications. Firewalls also encompass network firewalls, which are a broader set of tools.

How do web application firewalls work?

Web application firewalls monitor, or intercept, web traffic as or before it reaches the application. They analyze the traffic against existing rules and policies to determine whether it is malicious, and block it if it is.