Web Application Firewalls

TrustRadius Top Rated for 2023

Top Rated Products

(1-1 of 1)


Cloudflare, from the company of the same name in San Francisco, provides DDoS and bot mitigation security for business domains, as well as a content delivery network (CDN) and web application firewall (WAF).

All Products

(1-25 of 58)


Cloudflare, from the company of the same name in San Francisco, provides DDoS and bot mitigation security for business domains, as well as a content delivery network (CDN) and web application firewall (WAF).


F5 BIG-IP software from Seattle-based F5 Networks is a load balancing and application protection solution suite available on cloud or via virtual editions, on a subscription or perpetual licensing basis. The BIG-IP suite of products supports a wide range of security and application…

F5 Distributed Cloud WAF (Web Application Firewall)

F5 Distributed Cloud WAF leverages F5's Advanced WAF technology, delivering WAF-as-a-Service and combining signature- and behavior-based protection for web applications. It acts as an intermediate proxy to inspect application requests and responses to block and mitigate a broad spectrum…

Explore recently added products


NGINX, a business unit of F5 Networks, powers over 65% of the world's busiest websites and web applications. NGINX started out as an open source web server and reverse proxy, built to be faster and more efficient than Apache. Over the years, NGINX has built a suite of infrastructure…

F5 Big-IP Advanced Web Application Firewall

F5 Networks offers the Advanced Web Application Firewall (WAF) to provide bot defense, advanced application protection, anti-bot SDK, and other features.


Amazon Web Services offers AWS WAF (web application firewall) to protect web applications from malicious behavior that might impede the applications functioning and performance, with customizable rules to prevent known harmful behaviors and an API for creating and deploying web security…

Azure Application Gateway

Microsoft's Azure Application Gateway is a platform-managed, scalable, and highly available application delivery controller as a service with integrated web application firewall.

Comodo cWatch

Comodo Cybersecurity headquartered in Clifton offers cWatch, a website malware and vulnerability scanner that provides content filtering as well at the free service level, and at paid premium subscription levels supplies WAF, DDoS protection, as well as load balancing and website…

Oracle Dyn Web Application Security Platform

Oracle Dyn Web Application Security Platform extends beyond just typical Web Application Firewall (WAF) capabilities to offer Access Control, Bot Management, application DDoS protection and API security.

Barracuda Web Application Firewall

Barracuda Web Application Firewall, from Barracuda Networks in Campbell, California, protects web applications from bots, DDoS attacks, and other advanced threats to enterprise apps.


NGINX Plus is presented as a cloud‑native, easy-to-use reverse proxy, load balancer, and API gateway, from F5.

Barracuda WAF-as-a-Service

Barracuda WAF-as-a-Service is presented by the vendor as a full-featured, cloud-delivered application security service that includes full-spectrum L3-L7 DDoS protection (volumetric and application) to protect applications from disruptions and ensure nonstop availability.

SonicWall Web Application Firewall

SonicWall offers their WAF Series, of web application firewalls.

Imperva Web Application Firewall (WAF)

The Imperva Web Application Firewall (WAF) is based on technology acquired with Incapsula and the former WebSphere WAF.


Reblaze is a comprehensive web security solution from the company of the same name in Sunnyvale. It includes DDoS protection, intrusion prevention, bot mitigation, and can be extended with web application firewall (WAF), anti-scraping, as well as CDN integration with autoscaling,…

Imperva Application Firewall

Imperva Web Application Firewall (WAF) stops attacks with near-zero false positives and a global SOC to ensure organizations are protected from the latest attacks minutes after they are discovered in the wild.

Fastly Next-Gen WAF (powered by Signal Sciences)

Fastly Secure (based on Signal Sciences, acquired December 2020), offers a WAF and RASP solution that protects over 34,000 applications and over a trillion production requests per month. Signal Sciences’ architecture is designed to provide organizations working in a modern development…

Akamai App & API Protector

Akamai Akamai App & API Protector offers protection for websites, web applications and APIs. An evolution of Kona Site Defender, a web application security platform designed to protect web and mobile assets from targeted web application attacks and DDoS attacks while improving…


FortiWeb is Fortinet's web application security system (or web application firewall, WAF) featuring advanced vulnerability management and threat detection and prevention, available in deployment as an appliance or virtual appliance, also as a hosted or a cloud-based virtual solution.…

Ivanti vADC

Ivanti vADC (formerly Pulse vADC, for Virtual Application Delivery Controller) is composed of three products which can be combined to suit the needs of applications. The solution is now from Ivanti since the company's December, 2020 acquisition of Pulse Secure.

Loadbalancer Enterprise ADC

Application Delivery Controllers (ADCs) built on open source technology, available as hardware or virtual solutions.

Array ASF Series Web Application Firewall & DDoS

Array web application firewalls provides a tool for securing business-critical resources. Commonly deployed along with load balancing and app delivery solutions, the ASF detects and blocks attacks including the OWASP Top 10, WASC, Layer 7 DDoS, and zero-day attacks with pinpoint…

StackPath Edge Security

StackPath Edge Security includes device-level fingerprinting, diverse DDoS attack profiling, and globally synchronized threat detection and mitigation reduces false-positives and catches sophisticated and emerging threats.

Vercara UltraWAF

Vercara UltraWAF is an application security used to protect the integrity of internet facing applications no matter where the apps are hosted.

Haltdos WAF - Community Edition (Open-Source)

Haltdos offers a web application firewall as free to access for all, in the form of Haltdos Community Edition (CE). The Community Edition provides 360 degrees of website security from OWASP 10 threats, XSS, SQL and other web-based threats. Haltdos WAF CE allows every website owner…

Videos for Web Application Firewalls

What is a Web Application Firewall (WAF)?
It's important to defend your network with more than just a traditional Layer 3-4 firewall. That's where a Web Application Firewall (WAF) comes in. This video outlines what a WAF is and why your web application needs one.

Web Application Firewalls  TrustMap

TrustMaps are two-dimensional charts that compare products based on trScore and research frequency by prospective buyers. Products must have 10 or more ratings to appear on this TrustMap.

Learn More About Web Application Firewalls

What are Web Application Firewalls (WAFs)?

Web Application Firewalls (WAFs) are server-side firewalls that protect externally-facing web applications. WAFs are part of a layered cybersecurity strategy. It falls to the WAF to prevent zero-day attacks on web apps and APIs that potentially reside in serverless architecture. WAFs can be deployed as a virtual or physical appliance.

Web application firewalls are specialized for securing web applications against specific kinds of threats, such as:

  • Cross-site scripting

  • SQL injection

  • Session hijacking

  • Denial of service

  • Buffer overflows

Other security tools, such as network firewalls, are less effective against these application-specific attacks. They may also come with more of a performance penalty than WAFs. Modern WAFs have also built out more live analytics and intelligent responsiveness to web traffic hitting an application. This allows them to better protect against zero-day attacks than legacy firewalls, which were wholly reliant on set policies for enforcing protection. In most cases, web application firewalls should be layered with other security tools, such as network firewalls or Runtime Application Self-Protection (RASP) software.

In 2006 the Payment Card Industry Data Security Standard (PCI DSS) mandated the protection of applications in production environments with web application firewalls or other devices that provide similar functionality. Since then, they have become a more standard tool in organization’s security tech stacks for securing any application.

Web Application Firewall (WAF) Features & Capabilities

WAFs generally present the following features:

  • Libraries of attack data based on known attacks to web applications

  • Monitoring, filtering and blocking of data and access to web applications

  • Automated attack detection, both identity-based (e.g. dynamic whitelisting, fingerprinting, risk scoring) and behavioral (e.g. risk scoring)

  • Advanced security techniques (e.g. deception/misdirection, virtual patch deployment, honeypot)

  • Zero-day attack prevention (related to the above)

  • A management interface with alert system

  • Reporting and analytics on threat and application usage

Web Application Firewall Comparison

Consider these factors when comparing web application firewalls:

  • Performance: How does each WAF impact the application’s performance? For instance, does each product introduce relevant latency in traffic? Do false positives create a worse application user experience?

  • Deployment Type: Should the WAF be deployed as a cloud-based app, an on-premise appliance, or as a server plugin? Each of these options impact latency, customizability, and scalability.

  • Integrations: Does each option integrate with the other application security tools already in use by the organization? This can dramatically impact how easy to maintain and update the WAF is in light of new vulnerabilities or attacks.

Start a web application firewall comparison here

Pricing Information

The cost of web application firewalls depends on deployment. There are three options:

  1. A managed service or cloud-hosted WAF delivered as part of a subscription. This can be relatively low overhead as part of a larger subscription (e.g. part of a CDN). But it also may contain unneeded features.

  2. A network-based appliance. This presents relatively high overhead but reduces latency because it is installed locally and close to the application.

  3. A host-based WAF residing in the application’s code. This is rarer and may present less desirable computing costs and greater maintenance

Related Categories

Frequently Asked Questions

What is a web application firewall?

A web application firewall sits on the application layer, often within the server, to monitor and block malicious traffic that attempts to access or interfere with the application being protected.

Why do I need a web application firewall?

A web application firewall is crucial to protecting applications from web app-specific attacks that other tools struggle to effectively mitigate.

What’s the difference between WAF and firewall?

WAF (web application firewall) is a subset of firewalls that focuses exclusively on web-facing applications. Firewalls also encompass network firewalls, which are a broader set of tools.

How do web application firewalls work?

Web applications monitor, or intercept, web traffic as or before it reaches the application. It conducts analysis based on existing rules and policies to determine whether the traffic is malicious or not, and blocks it if it is determined to be malicious.