Web Application Firewall

What a WAF does — and why deployment is the easy part

A web application firewall inspects HTTP traffic and blocks requests that match attack patterns: SQL injection, XSS, path traversal, command injection and similar. Deploying one takes an hour. Tuning it so it stops attacks without blocking your checkout forms, your API calls, and your legitimate users takes expertise. This guide covers how WAFs work. If you want one managed for you, see Managed WAF.

OWASP CRS expertise. ModSecurity + Coraza + AWS WAF. Stack-specific tuning. 17 years web infrastructure ops.
Running production workloads for: Revolt Motors, PC Jeweller, RR Kabel, Impresario, Intentwise, Loom, Bhima, BGauss, Mitutoyo.

How a WAF works

A WAF sits between your users and your application, inspecting every HTTP/HTTPS request. It applies rules to block known attack patterns — and this is where most self-managed deployments go wrong.

Request inspection at Layer 7

A WAF operates at the application layer (L7) of the OSI model, inspecting HTTP headers, cookies, query strings, and request bodies for attack signatures. It does not inspect raw TCP/UDP traffic; that is the job of L3/L4 DDoS protection.

Rule-based blocking

Rules define what looks malicious: SQL keywords and operators in form fields, script tags or event handlers in input parameters, directory traversal sequences (../) in URLs. The OWASP Core Rule Set (CRS) is the industry standard baseline. It covers the injection-style classes in the OWASP Top 10 (SQLi, XSS, command injection, LFI/RFI, protocol abuse); it does not cover flaws in your own authentication or authorization logic.

False positives: the real challenge

CRS rules match on patterns, not intent, and the stricter you set the paranoia level the more legitimate input looks like an attack. A WooCommerce order note containing SQL-like words such as 'select' and 'from' can trigger a SQL injection rule. A blog post that quotes JavaScript can trigger an XSS rule. Identifying these hits from the logs and excluding exactly the parameter and rule involved, without disabling the rule globally, is 80% of the work.

Attack types WAF blocks

SQL injection (SQLi), Cross-site scripting (XSS), Path traversal (directory traversal), Command injection, Server-side request forgery (SSRF), Remote file inclusion (RFI), and Cross-site request forgery (CSRF) only where the WAF is configured to enforce anti-CSRF tokens; the CRS does not cover CSRF by default.

What WAF does NOT block

Authentication bypass (broken auth logic in your code), business logic flaws, volumetric DDoS at the network layer (see /security/ddos/), malware in uploaded files (needs server-side scanning), zero-day exploits with no rule yet.

WAF deployment modes

Detection mode (SecRuleEngine DetectionOnly in ModSecurity and Coraza, COUNT action in AWS WAF): log every rule match without blocking. This is the mode used during tuning. Prevention mode (SecRuleEngine On, BLOCK action): actively block matching requests. The three common placements are Cloudflare WAF at the CDN edge, ModSecurity or Coraza on the origin server, and AWS WAF in front of EC2/ALB/CloudFront.
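The following configuration is an added example written for this guide; it is not taken from the page's original text or from ZenoCloud's deployments. It shows the two modes above for ModSecurity v3 or Coraza with the OWASP CRS, plus the kind of targeted false-positive exclusion the previous section describes. The file paths, the checkout URI, the parameter name order_comments and the rule IDs 942100 and 942360 are assumptions; in practice the IDs come from whatever the audit log reported during the detection phase.

```apache
# Added example for this guide (not ZenoCloud's or the CRS project's own config).
# Directives are valid for ModSecurity v3 and Coraza; paths are assumed.

# ---- 1. Deployment mode --------------------------------------------------
# Tuning phase: evaluate every rule, log matches, block nothing.
SecRuleEngine DetectionOnly
# After the tuning window, switch to enforcement:
# SecRuleEngine On

# Inspect POST bodies too; otherwise form fields are never seen.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200

# Audit log only for requests the engine acted on (or that errored).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/modsec_audit.log
SecAuditLogParts ABIJDEFHZ

# ---- 2. OWASP Core Rule Set -----------------------------------------------
# crs-setup.conf holds the paranoia level and the anomaly-score thresholds.
# Leave paranoia level 1 (the default) until the log shows it is too lax;
# raising it is what turns harmless input into rule matches.
Include /etc/modsecurity/crs/crs-setup.conf

# ---- 3. Application-specific exclusions (must come BEFORE the rules) --------
# During detection the WooCommerce order-note field matched SQLi rules
# (IDs assumed here). Remove only those rules' inspection of that one
# parameter on the checkout path; the rules stay active everywhere else.
SecRule REQUEST_URI "@beginsWith /checkout/" \
    "id:10001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=942100;ARGS:order_comments,\
    ctl:ruleRemoveTargetById=942360;ARGS:order_comments"

# A trusted internal health check that should never be scored at all.
SecRule REQUEST_URI "@streq /healthz" \
    "id:10002,phase:1,pass,nolog,t:none,ctl:ruleEngine=Off"

# ---- 4. The CRS rules themselves -------------------------------------------
Include /etc/modsecurity/crs/rules/*.conf

# ---- 5. Exclusions that must run AFTER the rules ---------------------------
# Example: a legacy endpoint keeps tripping a specific rule on every
# request; remove that single rule for that endpoint rather than lowering
# the global threshold (ID assumed).
SecRule REQUEST_URI "@beginsWith /legacy/export" \
    "id:10003,phase:2,pass,nolog,t:none,ctl:ruleRemoveById=920170"
```

Run with SecRuleEngine DetectionOnly for the tuning window, grep the audit log for the rule IDs and parameter names that fire on legitimate traffic, add an exclusion per finding in section 3 or 5, and only then flip to SecRuleEngine On. Local rule IDs 1 to 99,999 are reserved by the CRS for exactly this kind of site-specific rule, so they will not collide with CRS rule numbers.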

WAF engine comparison

Three WAF engines are common in production. The right choice depends on your infrastructure and application stack.

                        ModSecurity                 Coraza                        AWS WAF
Language                C                           Go                            Managed cloud service
OWASP CRS support       Yes                         Yes                           Via AWS managed rule groups (see note)
Best for                Apache/Nginx on dedicated   High-performance Nginx/Caddy  EC2/ALB/CloudFront
Performance overhead    Low to moderate             Very low                      Minimal (cloud-native)
Custom rule complexity  High (SecRule syntax)       High (SecRule compatible)     Moderate (JSON rules)
Managed by ZenoCloud    Yes                         Yes                           Yes

Note: AWS WAF cannot load the OWASP CRS itself. Its managed "Core rule set" rule group is written by AWS and covers similar attack classes, but rule IDs, paranoia levels and SecRule-style exclusions do not carry over; tuning is done with AWS WAF's own rule actions and scope-down statements.

* ZenoCloud selects the appropriate WAF engine based on your server stack and application during onboarding. See /security/managed-waf/ for the managed service.

FAQ

WAF questions

Do I need a WAF if I'm already using Cloudflare?
Cloudflare's free plan includes basic DDoS protection but only a minimal managed WAF ruleset; the fuller managed rulesets and larger custom-rule quotas come with the paid plans (Business is $200/mo). Even then, Cloudflare WAF protects at the CDN edge only. If your origin's real IP is ever exposed (DNS history, an email header, a misconfigured subdomain), an attacker can send requests straight to the origin and Cloudflare never sees them. Two mitigations: restrict inbound HTTP/HTTPS at the origin firewall to Cloudflare's published IP ranges, and run a server-side WAF (ModSecurity, Coraza) on the origin as a second layer that remains effective regardless of what happens at the CDN layer.
What is the OWASP Top 10 and does a WAF cover it?
The OWASP Top 10 is a list of the most critical web application security risks. The 2017 edition lists Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging and Monitoring; the 2021 edition reorganizes these (XSS is folded into Injection, and Broken Access Control moves to the top). A WAF with the OWASP Core Rule Set covers Injection (SQLi, command injection), XSS, XXE payloads in request bodies, and some deserialization attacks well. Broken Authentication, Broken Access Control, and business logic flaws require code fixes; a WAF cannot tell a legitimate request to /admin from an unauthorized one.
How does WAF affect website performance?
A well-configured ModSecurity installation adds roughly 1 to 5 ms per request on modern hardware, negligible for most applications. Improperly configured WAFs that run every rule at a high paranoia level against every request, including large file uploads, can add 10 to 50 ms. ZenoCloud's managed WAF tunes rule sets to include only the rules relevant to your application stack, minimizing the overhead. Coraza, the Go-based OWASP engine we also deploy, adds even less latency.
Can a WAF protect against zero-day vulnerabilities?
Partially. The OWASP CRS matches broad attack classes (SQLi syntax in general, not just known exploits), so a zero-day in your CMS that is exploited through a SQLi or traversal payload may be blocked by existing rules before a vendor patch exists. A WAF is also where you apply a virtual patch: a custom rule blocking the specific request shape of a newly published exploit until the code fix ships. For truly novel attack vectors that do not match any existing rule, a WAF is not effective, which is why it should be one layer of defense, not the only layer.
Is WAF required for PCI DSS?
PCI DSS v3.2.1 Requirement 6.6 allowed public-facing web applications to be protected either by a WAF or by a documented vulnerability review of the application at least annually and after any change. PCI DSS v4.0 moves this to Requirement 6.4: 6.4.1 keeps the same either/or, and 6.4.2 (mandatory from 31 March 2025) requires an automated technical solution that continually detects and prevents web-based attacks, which in practice means a WAF in blocking mode. The WAF must be actively running, kept up to date, generate audit logs, and be configured to block or at least alert on attacks, and it must be reviewed regularly; ZenoCloud Managed WAF satisfies these with monthly reporting.
Where can I get ZenoCloud to manage my WAF?
See /security/managed-waf/ for the managed service. We handle deployment, a 14-day detection-mode tuning phase, rule maintenance, and monthly security reporting. Starting at ₹5,000/mo for existing ZenoCloud hosting clients.
WAF that works

Skip the tuning headache. We manage it.

WAF deployment takes an hour. Tuning it so it doesn't block your users takes weeks. Let our team handle it — 14-day detection phase, application-specific rules, monthly review.