Web Application Firewall: deploying WAF without breaking the app
A WAF blocks SQL injection, command injection, and bots, but only when tuned. An untuned WAF either lets attacks through or blocks legitimate users.
A Web Application Firewall (WAF) inspects HTTP requests against a rule set and blocks malicious patterns before they reach the application. Cloud WAFs (AWS WAF, Cloudflare WAF, Azure Front Door WAF, Imperva, Akamai App & API Protector) dominate the market because they sit at the CDN edge with terabits of capacity and shared threat intelligence. Self-hosted ModSecurity, or Coraza, the Go-native engine that runs the same rule language, loaded with the OWASP Core Rule Set (CRS) v4, remains the open-source standard.
Out of the box, CRS v4 at paranoia level 1 blocks a high fraction of injection attacks with few false positives. CRS is anomaly-scoring rather than block-on-first-match: every rule that matches adds its severity to the request's inbound anomaly score, and the request is blocked only when that score reaches the threshold (5 at the defaults, so a single critical-severity match is enough). Higher paranoia levels enable stricter rules that catch more evasion but also fire on more legitimate input, so they need tuning. The first month of a WAF deployment is tuning: run in detection-only mode, review every request that would have been blocked against legitimate user behaviour, write exclusions for the false positives, then switch to blocking. Skipping this step means toggling the WAF off whenever users complain and back on whenever the next scan finds something. Use the WAF logs and the application logs together: a true positive shows attacker patterns (one client, many rules, many URIs), a false positive shows a legitimate flow that tripped a rule (a free-text field or JSON body that happens to contain SQL-looking keywords).
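The detection-only review loop above, and the per-rule block-rate monitoring the article calls for later, both start from the same aggregation of WAF audit events by rule id. The following is an added example, not code from the page or from the ModSecurity, Coraza or CRS projects. The event records are constructed and their field names (`client`, `uri`, `rules`) are a simplified stand-in for the engine's JSON audit log, not its real schema; the false-positive heuristic is an assumption for triage ordering, not a CRS feature. The exclusion directives it emits use the documented CRS runtime-exclusion form (`ctl:ruleRemoveTargetById`).

```python
"""Triage WAF audit events per rule and turn reviewed false positives into
CRS runtime exclusions. Added example; event shape and heuristics are assumptions."""
from collections import Counter, defaultdict

# Constructed audit events: one per request that matched at least one rule while
# the engine ran in detection-only mode. "rules" lists (rule_id, matched_variable).
AUDIT_EVENTS = [
    {"client": "203.0.113.7",  "uri": "/login",     "rules": [("942100", "ARGS:username")]},
    {"client": "203.0.113.7",  "uri": "/login",     "rules": [("942100", "ARGS:username"),
                                                               ("942190", "ARGS:username")]},
    {"client": "198.51.100.2", "uri": "/api/notes", "rules": [("942100", "ARGS:body")]},
    {"client": "198.51.100.9", "uri": "/api/notes", "rules": [("942100", "ARGS:body")]},
    {"client": "198.51.100.4", "uri": "/api/notes", "rules": [("942100", "ARGS:body")]},
    {"client": "192.0.2.33",   "uri": "/search",    "rules": [("932100", "ARGS:q")]},
]
TOTAL_REQUESTS = 100  # all requests in the same window, taken from the access log
DEPLOYED_RULES = {"942100", "942190", "932100", "941100", "930120"}  # constructed subset


def rule_report(events, deployed, total_requests):
    """Per-rule match count, distinct clients, and share of all traffic the rule
    would have blocked. Deployed rules that never matched appear with zeros."""
    matches = Counter()
    clients = defaultdict(set)
    for ev in events:
        for rule_id, _variable in ev["rules"]:
            matches[rule_id] += 1
            clients[rule_id].add(ev["client"])
    return {
        rule_id: {
            "matches": matches[rule_id],
            "clients": len(clients[rule_id]),
            "share": matches[rule_id] / total_requests,
        }
        for rule_id in deployed | set(matches)
    }


def classify_rules(report, destructive_share=0.05):
    """Dead rules never fire; rules at or above `destructive_share` of traffic
    are reviewed first. 5 percent is the line the article draws."""
    dead = sorted(r for r, s in report.items() if s["matches"] == 0)
    destructive = sorted(r for r, s in report.items() if s["share"] >= destructive_share)
    return {"dead": dead, "destructive": destructive}


def fp_candidates(events, min_clients=3):
    """Heuristic (assumption): the same rule and variable on the same URI tripped
    by many distinct clients looks like a legitimate flow; one client tripping
    several rules looks like a scan. Returns likely false positives, most
    clients first, for a human to confirm against the application logs."""
    seen = defaultdict(set)
    for ev in events:
        for rule_id, variable in ev["rules"]:
            seen[(rule_id, ev["uri"], variable)].add(ev["client"])
    return sorted((k for k, c in seen.items() if len(c) >= min_clients),
                  key=lambda k: -len(seen[k]))


def exclusion_rules(reviewed_fps, first_id=1000):
    """Turn confirmed false positives (rule_id, uri_prefix, variable) into CRS
    runtime exclusions: the variable is removed from that rule only for requests
    under the URI prefix, so the rule keeps protecting everything else. Local
    rule ids belong in the 1-99,999 range CRS leaves free for users."""
    return [
        f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
        f'"id:{first_id + n},phase:1,pass,nolog,'
        f'ctl:ruleRemoveTargetById={rule_id};{variable}"'
        for n, (rule_id, uri_prefix, variable) in enumerate(reviewed_fps)
    ]


if __name__ == "__main__":
    report = rule_report(AUDIT_EVENTS, DEPLOYED_RULES, TOTAL_REQUESTS)
    print(classify_rules(report))
    print(fp_candidates(AUDIT_EVENTS))
    # After a human confirms that /api/notes bodies are legitimate free text:
    print("\n".join(exclusion_rules([("942100", "/api/notes", "ARGS:body")])))
```

The emitted directives go into the CRS file reserved for runtime exclusions (`REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`); scoping each exclusion to a URI prefix and a single variable is what keeps a false-positive fix from quietly disabling the rule site-wide.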
Layer the protections. The WAF handles attacks with recognisable request patterns: the OWASP Top 10 injection classes, known exploit signatures for CVE-class issues like Log4Shell (CVE-2021-44228) and Spring4Shell (CVE-2022-22965), and the constant flow of new RCE chains. Bot management is a separate layer (Cloudflare Bot Management, AWS WAF Bot Control, Akamai Bot Manager, DataDome) that uses device fingerprinting and behavioural analytics rather than request signatures. Rate limiting defends against credential stuffing and scraping; key it per account as well as per client IP, because stuffing runs rotate through residential proxies. API-specific protection (Salt Security, Noname, or cloud-native API gateways with security policies) addresses authorization flaws such as BOLA and BOPLA from the OWASP API Top 10, which a pattern-matching WAF cannot see because the requests look well-formed.
Operational practice: monitor block rates per rule. A rule blocking nothing is dead weight; a rule blocking 5 percent of legitimate users is destructive. Tune monthly. Keep the rule set current; managed rule subscriptions roll out signatures for new vulnerabilities within hours. For Azerbaijani retail and banking sites facing automated credential stuffing, layer rate limiting plus bot management plus a credential breach feed (Have I Been Pwned, SpyCloud) that checks submitted passwords against known breaches and forces a reset when a password is found. The WAF buys time while developers fix the underlying bug; it does not replace fixing the bug.
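The credential-stuffing layer described above, at the application side, as an added example that is not code from the page, from Have I Been Pwned, or from any WAF vendor. HIBP's range endpoint (`GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`) and its `SUFFIX:COUNT` response lines are real; the response body, its counts (except that the first suffix really is SHA-1 of "password"), the rate-limit thresholds and the `LoginGate` class are constructed assumptions so the block runs offline.

```python
"""Login gate against credential stuffing: sliding-window limits per account and
per client, plus a breached-password check via HIBP's k-anonymity range API.
Added example; the range responses and thresholds below are constructed."""
import hashlib
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hibp_range_prefix(password):
    """k-anonymity: only the first 5 hex chars of SHA-1(password) leave the server.
    Returns (prefix to send, suffix to match locally)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_body):
    """Parse a range-API body ('SUFFIX:COUNT' per line) and return how many times
    the password appeared in breaches, 0 if its suffix is absent."""
    _, suffix = hibp_range_prefix(password)
    for line in range_body.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


# Constructed stand-in for the network call. The first suffix is SHA-1("password")
# minus its 5-char prefix; the counts and the second suffix are made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "0017F2E7F2E1E2F3C4D5E6F7A8B9C0D1E2F:2\r\n",
}


def fake_range_lookup(prefix):
    return FAKE_RANGE_RESPONSES.get(prefix, "")


class LoginGate:
    """Hypothetical gate run before password verification (assumed design)."""

    def __init__(self, range_lookup, per_account=5, per_client=20, window=60):
        self.range_lookup = range_lookup
        self.by_account = SlidingWindowLimiter(per_account, window)
        self.by_client = SlidingWindowLimiter(per_client, window)

    def check(self, username, client_ip, password, now):
        # Cheap checks first: a stuffing run burns its client and account budgets
        # long before any breach lookup is needed.
        if not self.by_client.allow(client_ip, now):
            return "rate_limited_client"
        if not self.by_account.allow(username.lower(), now):
            return "rate_limited_account"
        prefix, _ = hibp_range_prefix(password)
        if breach_count(password, self.range_lookup(prefix)) > 0:
            return "breached_password"   # verify, then force a reset if it was correct
        return "continue_auth"


if __name__ == "__main__":
    gate = LoginGate(fake_range_lookup, per_account=3, per_client=10)
    for t, pw in enumerate(["password", "correct horse battery staple"] * 2):
        print(t, gate.check("alice", "203.0.113.7", pw, now=t))
```

In production, replace `fake_range_lookup` with an HTTPS call to the range endpoint; returning `breached_password` after a correct login should trigger a forced reset rather than a silent block, otherwise an attacker learns which accounts reuse breached passwords from the response alone.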
Related reading
DNS security: DNSSEC, DoH, DoT, and protective DNS
DNS is the unglamorous foundation that attackers abuse for C2, exfiltration, and phishing. Hardening it is cheap and catches a category of attacks no firewall sees.
Email authentication: SPF, DKIM, DMARC, and BIMI in practice
Email spoofing is a 30-year-old problem with a working solution. Here is how to deploy SPF, DKIM, and DMARC correctly so attackers cannot impersonate your domain.
Backup strategy 3-2-1: ransomware-resistant backups in practice
The 3-2-1 rule — three copies, two media types, one offsite — is necessary but not sufficient against modern ransomware. Add immutability and air gap.