Website Protection: What a WAF Can and Can’t Do

  • Katrin Graewe
  • December 1, 2020


Website Protection: What a WAF Can and Can’t Do

Website protection is a top priority, particularly for organizations that rely on web assets directly for revenue. For most of those organizations, a WAF is the tool of choice to protect web assets. However, there are several common misconceptions about what a WAF can and can’t do. And, given the potential consequences of a successful cyberattack, the price of overconfidence can be high.

This article will explain what a WAF is, how it protects web applications and websites, and which threats it can and can’t protect against.

What is a WAF?

A Web Application Firewall (WAF) sits between a website or web application and the Internet and protects it by monitoring and filtering traffic. This happens in one of three ways:

  1. Blacklist WAFs use a list of markers associated with past attacks to identify and block threats.
  2. Whitelist WAFs take the opposite approach — they block everything unless it meets specific criteria.
  3. Hybrid WAFs both blacklists and whitelists to distinguish between legitimate and malicious traffic.

When working correctly, WAFs monitor all incoming traffic and filter anything that could be a threat.

Three types of WAF

  1. Host-based WAFs are software-based solutions installed locally on the same web server as the assets they protect. While host-based WAFs are low cost and flexible, they require dedicated expertise to install and maintain.
  2. Network WAFs are hardware devices that plug directly into a web server. These devices are expensive and require complex ongoing management but offer very low latency.
  3. Cloud WAFs are essentially WAF-as-a-service delivered by a security vendor. They require no customer setup or maintenance, are low cost, and offer greater protection than other WAFs due to filtering traffic before it reaches protected websites and web applications.

How WAFs Boost Website Protection

An estimated 30,000 web applications and websites are hacked every day, primarily to steal sensitive information. Given that data breaches cost European organizations between $3.9 – $4.5 million on average, it’s no surprise attacks against web assets are considered a top threat faced by today’s organizations.

Protection at Layer 7

WAFs boost web application and website protection by blocking attacks that target the application layer — that’s OSI layer 7. Common attacks include SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Since cloud WAFs filter traffic before it reaches the server, they can also mitigate DDoS attacks that target the application layer.

If you’re thinking, “shouldn’t websites be resistant to these attacks already if they’re coded securely?” — you’re partly right. Secure coding practices, code reviews, and penetration testing are all essential security precautions that help prevent cyber incidents and data breaches. However, it’s not reasonable to expect a web asset to be completely secure against all threats.

Try Link11 Zero Touch WAF

There will always be new vulnerabilities and threats that can’t be anticipated. Even the best engineering workflows can’t find every bug, especially in the modern world of rapid DevOps pipelines. For these reasons, a WAF is a critical component of any cybersecurity program.

What a WAF Can’t Do

While WAFs add a lot of value to a security program, they are often misunderstood. Some organizations purchase a WAF expecting it to protect their web assets against all attacks… and that simply isn’t realistic.

WAFs protect against application-layer attacks. However, there are numerous ways to attack a web asset that take a more indirect approach. The most obvious example is Distributed Denial of Service (DDoS) attacks, which disrupt web assets by overwhelming their underlying infrastructure. WAFs are ineffective against DDoS attacks, so it’s essential to have DDoS protection in place as well.

Most WAFs also can’t protect against malicious bots. While some bots use direct attacks (the type WAFs are designed to identify and block), many instead abuse legitimate business logic. WAFs simply aren’t designed to identify this type of malicious behavior — which is why bot management software is also critical for web application and website protection.

To find out more about how Link11’s Zero Touch WAF can protect your web assets, visit our website.


Sources mentioned:

  • 2020 Data Breach Investigations Report, Verizon, May 2020
  • Website Hacking Statistics in 2020, WebARX, September 2020
  • The OSI model explained and how to easily remember its 7 layers,, October 2020
  • OWASP Community Pages,
Link11 2018 Survey: DDoS threat still taken far too lightly
Three new DDoS extortioners are active in parallel in Europe
This site is registered on as a development site. Switch to a production site key to remove this banner.