WAF (Web Application Firewall) blocks SQL injection, XSS, path traversal, and bot traffic at the application layer. It is a defense-in-depth layer — it complements secure code, it does not replace it. WAF analyzes HTTP requests and responses against rules and blocks suspicious patterns before they reach the application. For internet-facing web applications, WAF is standard practice.
ModSecurity + OWASP CRS

```nginx
# Nginx configuration (ModSecurity v3 + nginx connector).
# The connector loads one rules file; that file pulls in the CRS with Include.
modsecurity on;
modsecurity_rules_file /etc/modsecurity/main.conf;
```

```apache
# /etc/modsecurity/main.conf
# modsecurity.conf holds the engine settings; keep SecRuleEngine DetectionOnly while tuning.
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf
```
ModSecurity is an open-source WAF engine for Nginx, Apache, and IIS. The OWASP Core Rule Set (CRS) contains rules against the OWASP Top 10 vulnerabilities — SQL injection, XSS, command injection, path traversal, and more. CRS uses anomaly scoring: each matching rule adds its severity score to the request's total, and the request is blocked only when the threshold is exceeded. This produces fewer false positives than blocking on any single rule match.
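As an added illustration (not CRS code, and not from the original page), the following Python models the anomaly scoring described above with a handful of constructed rules. The severity scores and the threshold of 5 are the CRS defaults; the rule IDs, patterns and paranoia-level assignments are placeholders chosen for the example, not real CRS rules.

```python
"""Added example (not CRS code): a toy model of OWASP CRS anomaly scoring.

Each matching rule adds its severity's score to the request's inbound
anomaly score; the request is blocked only when the total reaches the
threshold (CRS default 5). Rules, patterns and requests are constructed
for illustration; rule IDs are placeholders, not real CRS rule IDs.
"""
import re
from dataclasses import dataclass, field

# CRS default severity scores (tx.critical_anomaly_score etc. in crs-setup.conf)
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
INBOUND_THRESHOLD = 5  # CRS default tx.inbound_anomaly_score_threshold


@dataclass
class Rule:
    rule_id: int             # placeholder ID, constructed for this example
    severity: str
    pattern: re.Pattern
    msg: str
    paranoia_level: int = 1  # rule is active only at this paranoia level or above


# Constructed rules loosely modelled on CRS attack categories.
RULES = [
    Rule(1, "CRITICAL", re.compile(r"(?i)\bunion\b.*\bselect\b"), "SQLi: UNION SELECT"),
    Rule(2, "CRITICAL", re.compile(r"(?i)<script\b"), "XSS: script tag"),
    Rule(3, "CRITICAL", re.compile(r"\.\./"), "Path traversal"),
    Rule(4, "NOTICE", re.compile(r"[^\x20-\x7e]"), "Non-ASCII byte in request"),
    # Paranoia level 2 rules are stricter and produce more false positives.
    Rule(5, "WARNING", re.compile(r"[!#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~]{12,}"),
         "Run of 12+ special characters", paranoia_level=2),
]


@dataclass
class Verdict:
    score: int = 0
    blocked: bool = False
    matched: list = field(default_factory=list)


def evaluate(request: str, paranoia_level: int = 1,
             threshold: int = INBOUND_THRESHOLD) -> Verdict:
    """Score one request (query string or body) against the active rules."""
    verdict = Verdict()
    for rule in RULES:
        if rule.paranoia_level > paranoia_level:
            continue  # rule not active at this paranoia level
        if rule.pattern.search(request):
            verdict.score += SEVERITY_SCORE[rule.severity]
            verdict.matched.append((rule.rule_id, rule.msg))
    # Anomaly scoring: one decision on the total, not one per rule.
    verdict.blocked = verdict.score >= threshold
    return verdict


if __name__ == "__main__":
    samples = [
        "id=1 UNION SELECT password FROM users",  # one CRITICAL hit reaches the threshold
        "q=café",                                  # legitimate non-ASCII: NOTICE only, allowed
        "q=café&file=../../etc/passwd",            # NOTICE + CRITICAL add up
        "sig=+/=+/=+/=+/=+/==",                    # base64-like token: fires only at PL2
    ]
    for pl in (1, 2):
        for s in samples:
            v = evaluate(s, paranoia_level=pl)
            print(f"PL{pl} score={v.score} blocked={v.blocked} {s!r} {v.matched}")
```

The second sample is the point of anomaly scoring: a single low-severity match (a non-ASCII byte in a search term) scores 2 and is allowed, whereas a binary block/allow rule set would have to either block it or drop the rule entirely. The last sample shows why raising the paranoia level is a tuning decision: the base64-like token scores 0 at level 1 and 3 at level 2, still under the threshold on its own but closer to it.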
AWS WAF

```hcl
resource "aws_wafv2_web_acl" "main" {
  name  = "main-web-acl"
  scope = "REGIONAL" # ALB/API Gateway; "CLOUDFRONT" (in us-east-1) for CloudFront
  default_action { allow {} }
  rule {
    name     = "aws-managed"
    priority = 1
    override_action { none {} } # managed groups take override_action; count {} while tuning
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "main-web-acl"
    sampled_requests_enabled   = true
  }
}
```
AWS WAF offers managed rule groups from AWS and third parties. Integration with CloudFront and ALB is native. Cloudflare WAF is an alternative with a global edge network and simpler configuration. Both provide bot management, geo-blocking, and custom rules.
Deployment and Tuning
Never deploy WAF directly in blocking mode. Start in detection/logging mode, analyze logs, and identify false positives. Typical false positives: JSON API payloads detected as SQL injection, base64 content detected as XSS. Create exceptions for legitimate patterns and only then switch to blocking.
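To make the log-analysis step concrete, here is an added Python example (not part of the page, and not ModSecurity's own code) that triages constructed detection-mode records: it measures how often each rule fires per endpoint, flags pairs that fire on most of an endpoint's traffic as false-positive candidates, and prints a CRS-style scoped exclusion for review. The JSON layout of the records is a simplified assumption rather than ModSecurity's real audit-log schema; the rule IDs 942100, 941100 and 942430 are real CRS IDs used only as labels, and the hits themselves are constructed.

```python
"""Added example (not ModSecurity's code): triaging a WAF in detection-only mode.

Counts which rule fires on which endpoint and flags (endpoint, rule) pairs
that fire on a large share of that endpoint's traffic as false-positive
candidates. The records are constructed and their JSON layout is a
simplified assumption, not ModSecurity's real audit-log schema.
"""
import json
from collections import Counter

# Constructed detection-mode records, one JSON object per transaction.
# Rule IDs are real CRS IDs used as labels; the hits are made up.
AUDIT_LOG = "\n".join([
    '{"uri": "/api/orders", "rules": [942100], "score": 5}',
    '{"uri": "/api/orders", "rules": [942100], "score": 5}',
    '{"uri": "/api/orders", "rules": [942100], "score": 5}',
    '{"uri": "/api/orders", "rules": [], "score": 0}',
    '{"uri": "/upload", "rules": [941100], "score": 5}',
    '{"uri": "/upload", "rules": [941100], "score": 5}',
    '{"uri": "/upload", "rules": [], "score": 0}',
    '{"uri": "/upload", "rules": [], "score": 0}',
    '{"uri": "/upload", "rules": [], "score": 0}',
    '{"uri": "/login", "rules": [942100, 942430], "score": 8}',
] + ['{"uri": "/login", "rules": [], "score": 0}'] * 20)


def parse_audit_log(text: str) -> list[dict]:
    """One dict per non-empty line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def rule_hit_rates(records: list[dict]) -> dict[tuple[str, int], tuple[int, int, float]]:
    """(uri, rule_id) -> (hits, total requests to uri, share of requests hit)."""
    totals = Counter(r["uri"] for r in records)
    hits = Counter((r["uri"], rid) for r in records for rid in r["rules"])
    return {(uri, rid): (n, totals[uri], n / totals[uri]) for (uri, rid), n in hits.items()}


def false_positive_candidates(records: list[dict], min_share: float = 0.5,
                              min_total: int = 3) -> list[tuple[str, int, float]]:
    """Pairs where one rule fires on most of an endpoint's traffic.

    Heuristic (an assumption of this example): a rule matching most requests
    to one endpoint is matching that endpoint's legitimate structure (JSON
    bodies, base64 blobs), while a rule that fires on a few percent of
    requests is consistent with real attack attempts and should stay.
    """
    out = []
    for (uri, rid), (n, total, share) in rule_hit_rates(records).items():
        if total >= min_total and share >= min_share:
            out.append((uri, rid, share))
    return sorted(out, key=lambda t: -t[2])


def exclusion_rule(uri: str, rule_id: int, exclusion_id: int) -> str:
    """CRS-style per-endpoint exclusion: disable one rule for one URI prefix.

    Uses the ctl:ruleRemoveById action in a phase-1 rule placed before the
    CRS; exclusion_id must come from the 1-99999 range ModSecurity reserves
    for local rules. Scoping by URI keeps the rule active everywhere else
    instead of removing it globally.
    """
    return (f'SecRule REQUEST_URI "@beginsWith {uri}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"')


if __name__ == "__main__":
    recs = parse_audit_log(AUDIT_LOG)
    for uri, rid, share in false_positive_candidates(recs):
        print(f"{uri}: rule {rid} fires on {share:.0%} of requests; review, then e.g.")
        print("   ", exclusion_rule(uri, rid, 10001))
```

On the constructed data only `/api/orders` with rule 942100 (3 of 4 requests) crosses the 50% line; the two hits on `/upload` (2 of 5) and the single scored `/login` request (1 of 21) stay in the log for a human to read before anything is excluded. The exclusion is deliberately the narrowest form the tuning step calls for: one rule, one endpoint, still logged everywhere else.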
Key Takeaway
WAF is defense-in-depth, not a replacement for secure code. Start with managed rules in detection mode, tune false positives, and gradually tighten. ModSecurity for self-hosted, AWS WAF or Cloudflare WAF for cloud.