Questions tagged [waf]

WAF stands for Web Application Layer Firewall. A WAF is an application-layer firewall that is meant to secure the back-end web server by monitoring every HTTP request and response to and from the server.

140 questions
31
votes
8 answers

What's wrong with the use of a WAF (Web Application Firewall)?

My SaaS company recently lost the bid for an enterprise software licensing deal. One of the reasons the prospect gave for not choosing us as a vendor was: the use of a WAF. I'm not an information security specialist, so I'm confused as to why the…
Anon
2
votes
2 answers

Protection against command injection with modsecurity

I want to know if modsecurity can protect against command injection and file inclusion. I tested modsecurity with the free version and ran DVWA, which is a vulnerable page. But command injection is possible even if modsecurity rules are included in…
joker
1
vote
0 answers

Do we need SSL Certificate on both Firewall and WAF for inbound traffic?

We have a website hosted behind a WAF (FortiWeb) and a Firewall (FortiGate). The WAF already has the server's valid SSL certificate from a public CA. Do we need to install an SSL certificate on the Firewall also for inbound traffic to make it more secure? Will…
msalhi
1
vote
2 answers

Do I need a WAF in front of an API exposed by Google Cloud Endpoint

I have a backend API exposed to the internet by GCP's Google Cloud Endpoint (Extensible Service Proxy). Cloud Endpoint allows us to control which other backend services can access the API and block unauthorized requests. Is it worth adding a WAF in…
1
vote
1 answer

Web application firewall using machine learning and how to implement it

I want to create a web application firewall from scratch. I am going to use machine learning to train it to classify malicious and clean queries. My dilemma is that I am a beginner and am unable to choose which language to code it in, and also should…
Arkcoder
0
votes
1 answer

Back-end changing the url

We have a WAF in front of our environment. Let's say now the client asks for example.com. The WAF makes a redirect (303) saying https://example.com. Now the communication is established between the client and the WAF. If now my back-end has a rule…
Warok
0
votes
1 answer

Internet traffic redirect from WAF to Cloud Network - Encrypted vs unencrypted

What are the security best practices to determine whether a WAF should redirect Internet traffic to a cloud network encrypted or unencrypted?
wonder
0
votes
1 answer

Is defending a server from BFA with 2 WAFs possible and common?

I am not in the IS field and hence refer this to the experts here. My question regards defending a server from a Brute Force Attack (BFA) with 2 Web Application Firewalls (WAFs). The question can actually be comprised of the following 2…
user123574
-1
votes
1 answer

Do WAFs block base64 encoded inputs?

Do WAFs block/trigger alerts when they just read base64/hex-encoded stuff as suspicious input? Or do they decode the strings (the ones which can do that), analyze the result and just then eventually block/trigger some alerts?
hyogy