What is WAF (Web Application Firewall)?
An HTTP-layer filter that inspects incoming traffic and blocks requests matching attack patterns like SQL injection, XSS, or known CVE exploitation.
Full explanation
A WAF sits between the client and your application. It maintains rule sets — OWASP Core Rule Set, cloud-provider rules, custom rules — and blocks requests matching them. Cloudflare, AWS WAF, Azure Application Gateway, and Fastly are the major providers. WAFs reduce exposure to known attack patterns but do not replace secure coding — they are a defense-in-depth layer.
Example
Cloudflare's managed ruleset blocks requests matching CVE-2025-29927 (x-middleware-subrequest header injection) at the edge, protecting Cloudflare-fronted Next.js apps regardless of whether they upgraded.
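A minimal WAF-style rule check in the spirit of the managed rulesets above, added here as an illustration; it is not Cloudflare's or any provider's code, and the request model, rule ids, regexes and sample traffic are constructed for the example:

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

@dataclass
class Request:            # minimal HTTP request model (illustrative)
    method: str
    path: str
    headers: dict
    body: str = ""

def _has_header(name):
    # HTTP header names are case-insensitive; compare them lower-cased.
    return lambda r: name.lower() in {k.lower() for k in r.headers}

def _matches(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    # Decode URL encoding before matching so "+or+1=1" cannot slip past a
    # regex that expects literal spaces (real WAFs normalize far more than this).
    return lambda r: bool(rx.search(unquote_plus(r.path))
                          or rx.search(unquote_plus(r.body)))

# (rule id, description, predicate). Rule ids are made up for this example.
RULES = [
    ("cve-2025-29927", "x-middleware-subrequest header from an external client",
     _has_header("x-middleware-subrequest")),
    ("sqli-basic", "SQL tautology, comment sequence or UNION SELECT",
     _matches(r"(\bor\b\s+\d+\s*=\s*\d+|--|/\*|\bunion\s+select\b)")),
    ("xss-basic", "script tag or inline event handler",
     _matches(r"(<script\b|\bon\w+\s*=)")),
]

def inspect(req: Request) -> tuple:
    """Return ('block', [rule ids that fired]) or ('allow', [])."""
    hits = [rid for rid, _desc, pred in RULES if pred(req)]
    return ("block" if hits else "allow", hits)

# Constructed sample traffic, not real captures.
SAMPLES = {
    "clean": Request("GET", "/dashboard", {"Host": "app.example"}),
    "bypass": Request("GET", "/admin", {"Host": "app.example",
                                         "X-Middleware-Subrequest": "middleware"}),
    "sqli": Request("GET", "/search?q=1'+or+1=1--", {"Host": "app.example"}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, *inspect(req))
```

The header rule blocks on mere presence because no legitimate external client sends that header, which is why an edge rule can protect unpatched apps behind it.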
FAQ
Does a WAF replace SAST?
No. WAF blocks known attack patterns at runtime. SAST finds the underlying bugs pre-deploy. Use both.