A web application firewall (WAF) is a security measure that protects applications and servers from bad traffic and online attacks. Weaknesses in web servers and even APIs are being exploited more than ever, and a WAF can help filter requests for malicious payloads. As just one of many potential security layers comprising defense in depth, a customizable WAF with intelligent rules can help slash downtime and protect application performance from degradation.
Web application firewalls don't always offer these protections for "free". Typically, the processing involved with vetting requests does add some latency. Organizations that evaluate a WAF weigh these potential performance impacts at scale while considering metrics like false positives, false negatives, and balanced accuracy. Some WAFs shine in any one of (or in HAProxy's case, all of) these areas.
What makes a web application firewall (WAF) useful?
Modern security threats are always changing. While the OWASP Top 10 list has highlighted these trends over the years, new and unknown attack methods are multiplying. A good WAF can protect your applications against common security threats such as cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection (SQi), DDoS, and others.
Web application firewalls also provide varying degrees of customizability to help organizations counteract their biggest threats. Since no two applications or APIs have the same traffic profile—nor contain the same vulnerabilities—these configurations help teams mitigate attacks with the most meaningful impacts.
While not every application may need a WAF, companies residing in one of many sensitive industries (finance, healthcare, government) rely on web application firewalls to bolster their defenses and remain compliant.
How does a web application firewall (WAF) work?
When a client forms a connection and sends requests onward, the WAF intercepts those requests and evaluates them based on pre-established criteria. Here's how a WAF identifies then handles bad traffic and payloads:
Traffic is inspected. The WAF parses HTTP headers and payloads to determine if they're legitimate.
WAF rules provide filtering by inspecting traffic patterns and comparing them against known attack patterns.
If the capability is supported, the WAF will analyze traffic behaviors for anomalies based on observed normal behaviors over time. Anything suspicious is sniffed out and flagged accordingly.
Malicious traffic is either blocked, redirected, or logged for later analysis and future mitigation.
Web application firewalls aren't just confined to a rigid set of information from which they act. Some WAFs can learn from traffic patterns and automatically generate rules. Many of these security layers require regular updates to remain effective against evolving threats.
Finally, a WAF can exist in different locations within your infrastructure. Many WAFs operate at the web server layer, while others (like ours) operate at the proxy layer. This can influence how far attacks progress before they're addressed.
Does HAProxy include a web application firewall (WAF)?
Yes! All HAProxy Enterprise, HAProxy Enterprise Kubernetes Ingress Controller, and HAProxy ALOHA customers automatically receive HAProxy Enterprise WAF functionality with their subscriptions.
Our HAProxy Enterprise WAF is highly configurable, performant, and boasts unmatched balanced accuracy compared to competing alternatives. Plus, HAProxy Edge ships with a self-learning WAF that evolves in accordance with gathered traffic data—helping improve our HAProxy Enterprise WAF and counteract a wider range of application threats.
To learn more about WAF support within HAProxy, check out our web application firewall solution page or explore our WAF datasheet.