Web Application Firewall
Thank you for visiting OWASP.org. We recently migrated our community to a new web platform and regretably the content for this page needed to be programmatically ported from its previous wiki page. There’s still some work to be done.
This is an example of a Project or Chapter Page.
A ‘'’web application firewall (WAF)’’’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.
WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.
- The OWASP ModSecurity CRS Project’s goal is to provide an easily “pluggable” set of generic attack detection rules that provide a base level of protection for any web application.
- The OWASP Coraza WAF project is a WAF framework that can be easily integrated into your applications. It supports the OWASP ModSecurity CRS rules and Modsecurity syntax.
- Consider the WASC OWASP Web Application Firewall Evaluation Criteria Project (WAFEC) to help evaluate commercial and open source web application firewalls.