Web Application Firewall

From OWASP
Revision as of 23:16, 18 October 2016 by Jtpereyda (talk | contribs) (Description: Adding clarifying info comparing with proxies and reverse proxies. Source: http://security.stackexchange.com/a/93847/5997)

Description

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.

A WAF differs from a proxy in that proxies protect clients, while WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.

WAFs may be customized to an application. This customization can take significant effort, and the customized rules need to be maintained as the application is modified.
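
A minimal sketch of the rule-applying filter described above, added here as an illustration and not taken from OWASP or any WAF product: a WSGI middleware checks decoded query parameters against two constructed rules and accepts per-application exclusions. The rule patterns and the names `inspect`, `WafMiddleware`, `demo_app` and `status_for` are all hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed, deliberately simple rules (illustrative, not a production rule set).
RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
]

def inspect(query_string, exclusions=frozenset()):
    """Return the id of the first rule matching a decoded parameter value, else None.

    exclusions holds (rule_id, parameter_name) pairs tuned for one application.
    """
    # parse_qsl percent-decodes values, so %3Cscript%3E is inspected as <script>.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        for rule_id, pattern in RULES:
            if (rule_id, name) in exclusions:
                continue  # application-specific tuning: rule disabled for this field
            if pattern.search(value):
                return rule_id
    return None

class WafMiddleware:
    """WSGI filter placed in front of an application; blocks requests that match a rule."""

    def __init__(self, app, exclusions=frozenset()):
        self.app = app
        self.exclusions = exclusions

    def __call__(self, environ, start_response):
        rule_id = inspect(environ.get("QUERY_STRING", ""), self.exclusions)
        if rule_id is not None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"Blocked by rule {rule_id}\n".encode()]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    # Constructed stand-in for the protected web application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(app, query_string):
    """Send a constructed GET request to a WSGI app and return its status line."""
    seen = []
    body = app({"REQUEST_METHOD": "GET", "QUERY_STRING": query_string},
               lambda status, headers: seen.append(status))
    list(body)  # consume the response body
    return seen[0]
```

The exclusion set is where the maintenance cost shows up: a field that legitimately accepts markup needs an entry, and each entry has to be revisited when the application's parameters change.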


A far more detailed description is available at Wikipedia.
