OWASP Web Application Firewall Evaluation Criteria Project (WAFEC)

WAFEC is a joint project between the Web Application Security Consortium (WASC) and OWASP, making sure that the best minds in the industry, both those who work day and night to develop WAFs and those who implement and use them, are committed to ensuring WAFEC is comprehensive, accurate and objective.

WAFEC is a joint industry effort to define what Web Application Firewalls (WAFs) are and to provide the Application Security community with a tool to learn about WAFs and evaluate the suitability of different WAFs for their needs, use cases and environments.


The first version of WAFEC was released in 2006 and is in wide use in the industry. You can download v1.0 from this page.

In 2013, the project team was gearing up to release version 2. Due to a number of issues with WAFEC, as outlined in the 2013 OWASP AppSecEU presentation "WASC/OWASP WAFEC", this project was sidelined until earlier this year, when it transitioned from Ofer Shezaf to Tony Turner. We are now working on rebooting the WAFEC project. If you want to be a part of the project, check out the Volunteering page or join #project-wafec on OWASP Slack and chime in when you feel ready.

WAFEC 2 Working Copy

The WAFEC 2 Working Copy is currently a draft Google Docs document, which can be found here: OWASP WAFEC 2 Working Copy